When most people hear “data destruction,” their face registers a look of fear. The last thing in the world that most people want is for the data on their computer or mobile device to be destroyed. But the reality is whether you are the owner of a large, medium or small business, there will come a day when you need to remove or replace older media, and you need to make sure that any data stored on that media is erased and unrecoverable.
No company wants the next user of their old equipment to find their information. This is true of large corporations and small businesses. It’s vitally important that proprietary information stored on hard drives or in the memories of digital devices be erased and physically destroyed. The last thing in the world they want is for this data to end up in the wrong hands, a situation that could have serious legal or competitive consequences.
However, relatively few people know the correct way to destroy data so that it cannot be recovered by someone else.
What Is Data Destruction?
When you destroy data, the goal is to make it totally unreadable regardless of the form of electronic media on which it was originally stored. The process of data destruction also includes ensuring that this data cannot be recovered and used for unauthorized purposes.
Destroying data means it can no longer be read by an operating system or application. Merely deleting a file is insufficient. When you delete a file on an electronic device, you may not be able to see it any longer, but the information is still stored on the device’s hard drive or memory chip. Data destruction entails overwriting the current data with random data until the current data can no longer be retrieved, or actually destroying the electronic medium.
Why Data Destruction Matters
In a day and age when companies of all sizes depend upon electronic media for their most important business operations, all the data created by this equipment needs to be securely protected. But at the end of its lifecycle, it also needs to be securely destroyed. You may have important information that you are not interested in sharing with anyone. Your company has legal requirements for data destruction, particularly if you operate on a global scale where different countries and different regions can have different legal requirements concerning destroying data.
So the importance of destroying all data would seem to be obvious. Yet according to some studies, as many as 10 percent of all secondhand hard drives sold over the Internet still hold personal information. And it’s not just individuals who fail to destroy all data. In 2012, Britain’s National Health Service Trust was fined almost $500,000 for selling hardware online that contained the records of thousands of patients.
It’s important for any organization to consider several important factors before they choose how to destroy the old data.
- Time: Is this something the company regularly does or has it stockpiled old data storage equipment to do a large amount at once? Each of the different methods explored below operates on a different timescale. Knowing how much time you want to spend on data destruction can influence the choice of method.
- Cost: Can your company afford to get rid of old equipment? Or is it interested in reusing older electronic media for new purposes? Again, the answer to this question will determine the type of destruction method you want to use.
- Validation and certification: If you are destroying data because it’s a legal requirement or a regulatory issue within your industry, make sure the method you choose allows you to show that you have met any standards or requirements for data destruction.
Once you know the answers to these questions, your business can choose an appropriate way to destroy old data.
While there are many regulations regarding data breaches, such as the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, Gramm-Leach-Bliley Act (GLBA) and General Data Protection Regulation (GDPR), there are few standards for sanitizing media or destroying data.
At one point, the Department of Defense (DoD) used the DoD 5220.22-M manual, also known as the National Industrial Security Program Operating Manual (NISPOM), but this is no longer considered acceptable, especially as the document does not specify a particular sanitization method. One of the most well-known standards is the National Institute of Standards and Technology (NIST) guidelines, which provide good standards for data destruction — but no one is required to adhere to them. The Internal Revenue Service (IRS)Publication 1075 regulations apply to agencies accessing federal tax information, so the IRS as well as state and local governments that use IRS data to confirm eligibility for assistance programs must follow these standards. Many of these regulations defer to the strictest standards — those of the National Security Agency (NSA).
The NSA regulations also apply to the Central Intelligence Agency (CIA), Department of Defense (DOD) and any top secret data. These standards are the highest worldwide and have been adopted by many other organizations, including foreign governments.
DataSpan ensures data destruction is done to these high standards.
What Are The Different Forms of Data Destruction?
Fortunately, there are several different ways to destroy data. Unfortunately, none of these methods are perfect nor can any one particular method promise complete success. But knowing the available methods will help you choose the one that is right for you or your business.
- Overwriting data
- Physical destruction (drill/band/crush/hammer)
- Electronic shredding
- Solid state shredding
Here is a closer look at each of these forms of data destruction and the pros and cons connected with each method.
As we mentioned above, deleting a file from an electronic device may remove it from a file folder but does not actually destroy the data. The data remains on the hard drive or the memory chip of the device.
The same is true when you try to destroy data by reformatting the disc. This does not wipe the data away either. It simply replaces the existing file system with a new one. It’s as if you are tearing out the table of contents from an old cookbook when what you want to do is get rid of the cookbook itself. It is very easy for almost anyone to recover data from a disk that has only been reformatted as many tools exist on the Internet that allow an individual to do so.
Using methods of this kind is a rather lazy, unimaginative and not very productive way to attempt data destruction.
Data wiping involves overwriting data from an electronic medium so that this data can no longer be read. Data wiping is normally accomplished by physically connecting any media to a bulk wiping device. It can also be accomplished internally by starting a PC from a network or CD. As a process, it allows you to reuse any media wiped in this way without losing storage capacity.
Data wiping can take a very long time, sometimes an entire day for just one device. Data wiping may be useful for an individual, but it is impractical for a business owner who has several devices they need wiped.
3. Overwriting Data
In a sense, overwriting data is a form of data wiping. When data on an electronic device is overwritten, a pattern of ones and zeros is written over the existing data. The pattern does not need to be random — set patterns can also be used. In most cases overwriting once will accomplish the task. But if the medium is a high-security one, it may require multiple passes. This ensures that all data is completely destroyed and no bit shadows can be detected.
A bit shadow is a remnant of information that has been overwritten but can still be detected using an electron microscope. It’s like when someone writes a note on a pad. They can remove the top sheet of paper, but an impression of what they wrote may still be visible on the sheet directly underneath. Bit shadowing remains a concern for high-security operations, but low-risk businesses probably don’t need to concern themselves too much. Recovering data using an electron microscope takes a lot of time and costs a lot of money.
Overwriting is perhaps the most common way to destroy data. However, it can take a lot of time and only works when the medium being overwritten has not been damaged and can still have data written to it. It also does not offer any security protection during the overwriting process. Overwriting does not work on any hard drive that contains advanced storage management components. If you are overwriting a device due to legal requirements, you may require a license for every piece of media that is being overwritten. It is not foolproof.
Experts in the field recommend following the standards created by the (NIST) or the (IRS). If you follow the standards, you reduce the chances that someone will be able to recover overwritten data.
Erasure is another term for overwriting. Erasure should be complete and destroy all data stored on a hard drive, and deliver a certificate of destruction showing that the data on an electronic device has been successfully erased. Erasure is a great idea for businesses that have purchased equipment off-lease, such as desktops, enterprise data centers and laptops, or if you desire to reuse hard drives or redeploy them for storage of different materials.
Degaussing destroys computer data using a high-powered magnet which disrupts the magnetic field of an electronic medium. The disruption of the magnetic field destroys the data. Degaussing can effectively and quickly destroy the data in a device storing a large amount of information or sensitive data.
However, it has two major disadvantages.
When you degauss a piece of electronic equipment, you render its hard drive inoperable. Degaussing destroys the interconnect equipment of the hard drive. This is not the method to choose if you want to reuse an electronic digital device like a laptop, computer or mobile phone.
The other problem is that you have no way of knowing if all the data has been destroyed. By rendering the hard drive inoperable, you cannot check to see if all the data has been destroyed. The only method to verify data destruction, in this case, is to use an electron microscope. But unless you are destroying high-security information, checking this way is expensive and impractical.
Degaussing can also be affected by the density of a hard drive. As technology changes and hard drives improve and grow larger, degaussing is perhaps not as effective a method as it used to be.
6. Physical Destruction
Many individuals want to recycle their old equipment but are reluctant to do so because of the information the equipment may contain. Frequently, these people pull out the hard drive and a hammer and smash it to bits.
Interestingly enough, physical destruction is also an efficient way for organizations and businesses of all sizes to destroy data. One of physical destruction’s best features is that it will give an organization the highest probability that data has been physically destroyed.
However, it can be costly, and since it involves the destruction of electronic media, there is a high capital cost as well. It can also cause a problem if an organization has a green and sustainable program for recycling old electronic media.
Degaussing is a form of physical destruction. Incineration is as well, although isn’t common because it requires destruction to occur away from human habitats and creates a chain of custody risk.
Another form of physical destruction, shredding may be the most secure and cost-effective way to destroy electronic data in any media that contain hard drives or solid state drives and have reached their end-of-life. It’s also very effective for optical drives, smartphones, tablets, motherboards, thumb drives and credit card swipe devices, to name a few.
Shredding is a great way to destroy data if you have a large data enterprise center or a large stockpile of old hard drives and media that you want to destroy. It’s very secure, fast and efficient. Shredding reduces electronic devices to pieces no larger than 2 millimeters. If you work in a high-security environment with high-security data, shredding should be your number one choice as it guarantees that all data is obliterated.
How Do You Choose a Data Destruction Company?
When choosing a data destruction company, there are several essential elements that you should keep in mind.
1. Certificates of Sanitization
Make sure the data destruction company provides certificates of sanitization for all media’s data that has been destroyed. One of these certificates, which verifies that the data has been destroyed according to NIST guidelines, is known as a COS. It should include important information like the serial number of the equipment, type of media being destroyed, the source of the media and how the equipment was sanitized. These certificates help ensure that there are no physical data breaches.
Make sure the data destruction company supplies documentation. It’s important to have a document that shows a clear audit trail that includes proof of erased data. This is especially important if your company does any business in Europe, where businesses can face substantial fines if they don’t dispose of data according to legislation.
Find out the standards that the company uses for data destruction. They should be familiar with both the NSA and the NIST guidelines. Ask about the data destruction process and how their employees are trained to make sure they maintain the standards. This is particularly important if you and your company are required to maintain industry standards for data destruction.
If your audit or compliance department requests NSA-level destruction, DataSpan can help your company figure out what the standard means and help you achieve compliance.
4. Insurance and Security
Research the companies that you are thinking of hiring to do your data destruction. Once you have it narrowed down to two or three possible providers, ask them for references. Also, check to make sure the companies are insured. If not, that’s a warning sign that they may not be prepared to assume responsibility if there is an accident or mishap with your data. Finally, find out if their employees go through background checks and if they have received any security training.
Ask them for an explanation of their methods. If a provider is unwilling to explain their methods for data destruction, walk away immediately.
Do they begin with a process to discover all the data that needs to be destroyed? Find out if their asset tracking and data erasure platforms connect with each other. This helps reduce the chances of any errors.
If you’re worried about your sensitive data falling into the wrong hands, your best bet is to have it destroyed on-site and in the actual storage device if possible. This provides the fewest risks of any data breach. But that is not always possible. If you need to ship your equipment to another location, it is very important that you retain a record that shows the chain of custody and obtain an explanation of their method of data destruction before you ship any equipment to a data destruction provider’s facility.
Talk to DataSpan About Our Turnkey Data Destruction and Eradication Services
Are you concerned about data security and how your data media devices may be exposed now and in the future? At DataSpan, we have customizable turnkey solutions to securely store or destroy many forms of electronic media. You can lease or buy one of our secure storage containers in which to store your devices until you have enough that makes a service call cost-effective.
DataSpan can provide you with secure solutions anywhere in the United States or around the globe, on-site or off-site. We use the National Security Agency (NSA) and other government certified standards that meet all your legal requirements and practical needs.
We have the expertise and the network of certified partners that allows us to offer you the best and most effective way to meet your company’s internal objectives. When you work with us, we will ensure that our service meets all legal or environmental requirements throughout the entire course of the project.
If you would like to know more about us and the services that we offer, call us at 1-800-660-3586. Or visit our contact us page where you can leave us information about the best way to contact you, and one of our representatives will get back to you as soon as possible.