Data has a finite life cycle — regardless of your company size, there will come a day when you need to remove or replace older media. Part of that process involves making proprietary information and intellectual property unreadable on any device, so it does not fall into the wrong hands.
Data destruction renders data completely irretrievable, and there are many ways to achieve this goal. In this guide, we’ll explain everything you need to know about data destruction and how to choose the best method for your company.
What Is Data Destruction?
Under most circumstances, the term “data destruction” would cause concern. Prematurely losing information could have catastrophic consequences for business and everyday life. However, a planned data destruction process safeguards your company and customers.
While deleting a file on an electronic device makes it invisible to the user, the information still exists on the device’s memory chip or hard drive. Data destruction entails making the data irretrievable, either by overwriting the current data with random data or destroying the electronic medium itself.
Why Data Destruction Matters
In an era when companies of all sizes depend upon electronic media for their mission-critical business operations, all the data created by this equipment needs secure protection. But at the end of its life cycle, you must safely dispose of it. Your company may have legal requirements for data destruction, particularly if you operate globally.
The importance of destroying all the data and preventing others from accessing it might seem indisputable. But in a recent data recovery study of 100 hard drives, the majority contained residual data. Clearly, most people lack the resources to properly wipe their devices before disposing of them.
And it’s not just individuals who fail to destroy all data. In 2022, Morgan Stanley Wealth Management paid $35 million after the Securities and Exchange Commission charged them with failure to properly dispose of millions of customers’ personal identifying information.
Consider these factors when choosing the best way to destroy old data.
- Time: Does your company routinely destroy data, or do you have a large backlog waiting for you to dispose of all at once? Each method has a different time scale, which is crucial when picking the correct destruction method for your application.
- Cost: Can your company afford to get rid of old equipment? Or will you reuse older electronic media for new purposes? Again, the answer to this question will determine the data destruction type(s) you should use.
- Validation and certification: If you are destroying data because of a legal requirement or a regulatory issue within your industry, make sure the method you choose allows you to prove you’ve met the standards.
Data Destruction Regulations
While there are many regulations regarding data breaches, such as the Fair and Accurate Credit Transactions Act of 2003, the Personal Information Protection and Electronic Documents Act in Canada, the Gramm-Leach-Bliley Act and the General Data Protection Regulation in the EU, there are few standards for sanitizing media or destroying data.
At one point, the Department of Defense used the DoD 5220.22-M manual, also known as the National Industrial Security Program Operating Manual, but this is no longer acceptable, especially as the document does not specify a particular sanitization method. One of the best-known standards is the National Institute of Standards and Technology guidelines, which provide good data destruction standards — but do not specify any requirements for adhering to them. The Internal Revenue Service Publication 1075 regulations apply to agencies accessing federal tax information, so the IRS and state/local governments that use IRS data to confirm eligibility for assistance programs must follow these standards. Many of these regulations defer to the strictest standards — those of the National Security Agency.
The NSA regulations also apply to the Central Intelligence Agency, Department of Defense and any top-secret data. These standards are the highest worldwide, and many other organizations have adopted them, including foreign governments.
At DataSpan, we destroy data to these high standards.
What Are the Different Data Destruction Types?
While there are many ways to destroy data, none of these methods are perfect, nor can any specific technique promise complete success. However, understanding the different techniques will help you choose the best one for your business.
Here is a breakdown of every type of data destruction and the pros and cons connected with each one.
As we mentioned above, deleting a file from an electronic device may remove it from a file folder, but the data remains on the hard drive or memory chip.
The same is true when you try to destroy data by reformatting the disk. Rather than wiping the data away, reformatting replaces the existing file system with a new one. It’s as if you are tearing out the table of contents from an old book instead of getting rid of the book itself. Almost anyone can recover data from a reformatted disk with easily accessible online tools.
Essentially, deletion or reformatting will do little to destroy your data beyond making it invisible to you as the user.
Data wiping involves overwriting data from an electronic medium, preventing others from reading it. The usual way to accomplish this task is to physically connect any medium to a bulk wiping device. As a process, it allows you to reuse any media wiped in this way without losing storage capacity.
Data wiping can be time-consuming — sometimes, removing the data from only one device will take an entire day. While this method may be useful for individuals, it’s impractical for businesses that need multiple devices wiped.
3. Overwriting Data
In a sense, overwriting data is a form of data wiping. Overwriting data on an electronic device involves writing a random or set pattern of ones and zeroes over the existing data. In most cases, overwriting once will accomplish the task. A high-security medium may require multiple passes to thoroughly destroy all data, with no detectable bit shadows.
A bit shadow is a remnant of overwritten information that is still detectable using an electron microscope. It’s like when someone writes a note on a pad. They can remove the top sheet of paper, but an impression of what they wrote may still be visible on the sheet directly underneath. Bit shadowing remains a concern for high-security operations, but low-risk businesses probably don’t need to concern themselves too much. Recovering data using an electron microscope is costly and time-consuming.
Overwriting is perhaps the most common way to destroy data. However, it can take a lot of time and only works when the medium you want to overwrite is intact and can still have data written to it. It also does not offer any security protection during the overwriting process. Overwriting does not work on any hard drive that contains advanced storage management components. If you are overwriting a device due to legal requirements, you may require a separate license for every medium. It is not foolproof.
Experts in the field recommend following NIST or IRS standards to reduce the chances that someone will manage to recover overwritten data.
Erasure is another term for overwriting. Erasure should destroy all data stored on a hard drive, and deliver a certificate of destruction proving successful completion.
Businesses that have purchased equipment off-lease, such as desktops, enterprise data centers and laptops, will benefit most from using erasure. It’s also a good method for anyone wishing to reuse hard drives or redeploy them for storing different materials.
Degaussing destroys computer data by eliminating an electronic medium’s magnetism using a high-powered magnet. While degaussing is a quick and effective method for destroying a large amount of information or sensitive data, it has two significant disadvantages.
First, when you degauss a piece of electronic equipment, you render its hard drive inoperable. Degaussing destroys the hard drive’s interconnect equipment, making it impossible to reuse the device containing the drive.
Additionally, you cannot verify complete data destruction if the hard drive is inoperable. In this case, the only way to confirm data destruction is to use an electron microscope — though this method is expensive and impractical in most instances.
A hard drive’s density can also impact how well degaussing works. As technology changes and hard drives improve and grow larger, degaussing has become a less effective method.
6. Physical Destruction
Many people want to recycle their old equipment but are reluctant to do so because of the information it may contain. Frequently, these people pull out the hard drive and smash it to bits with a hammer.
Physical destruction is also an efficient way for organizations and businesses of all sizes to destroy data because it has a high likelihood of success.
The primary drawbacks to physically destroying data include its significant cost and environmental impact. Destroying devices is expensive, and can cause conflict for organizations with green programs for recycling old electronic media.
Degaussing is a form of physical destruction. So is incineration, though it’s less common because it requires destruction to occur away from human habitats and creates a chain of custody risk.
Shredding is another form of physical destruction that uses an industrial machine to destroy drives. Experts consider it to be the most secure and cost-effective way to destroy data in any electronic medium that has reached the end of its usable life, including:
- Hard drives
- Solid-state drives
- Optical drives
- Thumb drives
- Credit card swipe devices
Shredding reduces electronic devices to pieces no larger than 2 millimeters. Note that because solid-state drives are usually smaller than standard hard drives, they sometimes require specialized shredding equipment. When evaluating data destruction providers, be sure to ask what tools they use.
Because it is such a quick and secure destruction method, shredding is excellent for companies with large enterprise data centers or stockpiles of old hard drives or other media. If you work in a high-security environment, shredding should be your top choice, as it guarantees complete data obliteration.
How Do You Choose a Data Destruction Company?
When choosing a data destruction company, remember several essential elements.
1. Certificates of Sanitization
Ensure the data destruction company provides certificates of sanitization for all media. These certificates verify data destruction according to NIST guidelines. They should include information like equipment serial numbers, types of media destroyed, the source of each medium and sanitization methods. These certificates safeguard against physical data breaches.
Data destruction companies should provide a clear audit trail with proof of erased data. This documentation is especially vital if your company does any business in the European Union, where businesses can face substantial fines if they don’t dispose of data according to legislation.
Which standards does the company follow when destroying data? They should be familiar with NSA and NIST guidelines. Ask about their processes and how they train employees to keep up with industry regulations, especially if you and your company must uphold specific codes of conduct for data destruction.
If your audit or compliance department requests NSA-level destruction, DataSpan can help your company figure out what the standard means so you can achieve compliance.
4. Insurance and Security
Research the companies you are thinking of hiring to do your data destruction. Once you have narrowed down your list to two or three possible providers, ask them for references and check to make sure the companies have the appropriate insurance coverage. If not, that’s a warning sign they may not be ready to assume responsibility if there is an accident or mishap with your data. Finally, find out if their employees go through background checks and if they have received any security training.
Ask the company for an explanation of their data destruction methods. If a provider is unwilling to explain their techniques, walk away immediately.
Do they begin with a process to discover all the data that needs destruction? To reduce the chances of errors, find out if their asset tracking and data erasure platforms connect with each other.
If you’re worried about your sensitive data falling into the wrong hands, your best bet is to have it destroyed on-site and in the actual storage device if possible. This approach provides the fewest data breach risks, but it is not always feasible. Before shipping any equipment to a data destruction provider’s facility, it is paramount to retain a record that shows the chain of custody.
Choose Turnkey Data Destruction and Eradication Services From DataSpan
Are you concerned about data security and exposing your company’s sensitive information to outsiders? At DataSpan, we have customizable turnkey solutions to securely store or destroy many forms of electronic media. You can lease or buy one of our secure containers to store your devices until you have enough to make a service call cost-effective.
DataSpan can provide secure solutions anywhere in the United States or around the globe, on-site or off-site. We use NSA and other government-certified standards that meet all your legal requirements and practical needs.
Our expertise and network of certified partners allow us to offer you the best and most effective way to meet your company’s internal objectives. When you work with us, we will ensure our service meets all legal or environmental monitoring requirements throughout the project.
To learn more about us and what we offer, call us at 800-660-3586. Or, reach out online and leave us information about the best way to contact you, and one of our representatives will get back to you as soon as possible.