The United States Agency for International Development has announced that it will no longer collect devices, such as phones and laptops, from former workers, opting instead to wipe the devices remotely and consider them disposed of. This policy change comes after months of confusion and frustration for former employees, many of whom had not received instructions for returning their government-issued equipment. According to an email obtained by The Verge, the decision aims to simplify processes and reduce the burden on former employees. Many of these devices contained sensitive information, raising security concerns as workers were still able to access work accounts post-termination. The new approach places the responsibility of securely discarding these devices, now essentially deemed trash, on the former employees themselves, highlighting potential issues with electronic waste management and information security.
Why do we care?
This is a security story too. Reports that former employees continued to access accounts post-termination highlight a fundamental failure in identity and access management (IAM). This isn’t just a government problem; many private companies, especially those with hybrid or decentralized teams, struggle with inconsistent offboarding protocols that leave systems exposed.
We care because this decision from USAID is not just a one-off policy—it’s a red flag for how thinly stretched IT operations and security processes can unravel at the endpoints. In a world of persistent remote work, growing insider threats, and regulatory scrutiny, secure device decommissioning isn’t a logistical afterthought—it’s a core part of cybersecurity hygiene. Private sector leaders should view this as a cautionary tale, not a model.