SEE ALL NEWS

The Top 3 Ways to Ensure Secure Data Destruction

Imagine if your company had a binder (or several binders) containing the entirety of its financial and sensitive records. That’s not something you would just throw in the trash because the information needs to be thoroughly destroyed.  

The same is true for the sensitive electronic data that lingers on end-of-life IT equipment. Destroying this information takes more than just hitting the delete button. Data is tenacious and can remain hidden long after you thought it was gone for good. Steps must be taken, such as overwriting to hard drive destruction, to ensure that data disappears.

Why Data Destruction Matters

We live in a time when our every online action is tracked. It is our responsibility to make sure that information like bank details, health records, online shopping history, etc., remains private and secure. This is as true for companies as it is for individuals.

The National Association for Information Destruction (NAID) is an international trade association that sets and enforces best practices for data destruction. NAID certification is for organizations that follow strict data sanitization policies, such as NIST and DOD.

  • NIST (National Institute of Standards and Technology) is one of the most widely accepted data destruction standards. NIST categorizes sanitization into three levels based on data sensitivity:
    • Clear, which is suitable for non-sensitive data where forensic recovery is not a concern. An example is reformatting a hard drive. 
    • Purge, which uses cryptographic erasure or multiple overwrites to prevent even advanced forensic tools from recovering data.
    • Destroy, which physically damages a device to ensure data is irretrievable.
  • DOD (Department of Defense Standard for Data Wiping) was one of the first widely adopted data wiping standards. It specifies a multi-pass overwriting process to make data recovery virtually impossible.
    • 3-Pass Method, overwrites data three times (first with random characters, then with complimentary data, and finally with random characters again plus a verification to ensure the original data is gone).
    • 7-Pass Method, adds more overwrite cycles for higher security.

Also, many companies need to comply with local and federal regulations. Several industries have very specific data destruction privacy and security regulations, such as:

  • Healthcare: HIPAA (Health Insurance Portability and Accountability Act) regulations have strict protocols for safeguarding protected health information, which includes securely disposing of sensitive details like diagnoses, treatments, and personal information (Social Security numbers, driver’s license data, etc.).
  • Banking and Finance: To protect customer information and prevent fraud, financial institutions are also bound by stringent data destruction rules, such as:
    • FACTA (Fair and Accurate Credit Transaction Act), which requires businesses and individuals to dispose of consumer information in a way that prevents unauthorized access.
    • PCI DSS (Payment Card Industry Data Security Standard), a set of security rules and guidelines that help businesses protect credit cardholder data. 
    • GLBA (Gramm-Leach-Bliley Act), which requires financial institutions to protect sensitive customer data.
    • SOX (Sarbanes-Oxley Act) and the Bank Secrecy Act set record-keeping and disposal standards for financial reporting and anti-money laundering efforts.
  • Defense and Security: Unsurprisingly, defense organizations have long maintained strict data destruction protocols to protect classified information. 
  • Legal: Law firms handle sensitive information, including client records, contracts, intellectual property, and evidence files. So, secure data destruction is essential to prevent breaches and maintain attorney-client privilege.
  • Telecommunications and Tech: Companies that handle massive volumes of personal user data and sensitive proprietary information must comply with several data destruction procedures.

The Top Three Secure Data Destruction Methods

As noted above, improperly destroying the data on end-of-life IT assets can lead to fines and other costs due to data protection and privacy policies. In addition, it can also damage a company’s reputation if the theft of intellectual property or personal information occurs. Fortunately, there are options for fully secure data destruction.

Overwriting

Overwriting is a technique where new information, typically sequences of ones and zeros, is written directly on top of existing data. This can be done using random patterns or predetermined ones. The latter makes it possible to verify that data has been properly wiped by detecting the specific pattern. 

For example, mender overwrites existing data on a device with a new image during a firmware update. This process can achieve a clean update and not affect the data on other partitions of the drive, if necessary.

Overwriting is a widely used secure data destruction method. However, it does present some challenges:

  • Erasing large-capacity drives can be time-consuming.
  • Ensuring the wipe was successful can require a robust verification process (which Mender provides).
  • Overwriting works only on functional storage media and is impossible if the equipment is inoperable or physically damaged.

Degaussing

Degaussing uses a powerful magnetic field to physically disrupt delicate components of devices like hard drives, magnetic tapes, and floppy disks. The process provides a fast and comprehensive way to erase an entire storage medium in one go.

While degaussing can be a highly effective data destruction method, it does have some downsides. For example, degaussing only works on magnetic storage media. It does not affect non-magnetic devices like solid-state drives (SSDs) or optical discs (CDs/DVDs). Also, since degaussing makes the equipment completely unusable, it eliminates any resale potential and makes it impossible to confirm that all data has been destroyed. Finally, the efficiency of degaussing can depend on the data density of the drive. The process may not fully wipe high-density drives.

Physical Destruction

If IT equipment doesn’t need to be reused or resold, physically destroying it can make data unreadable and unusable. Destruction methods include shredding, drilling, crushing, and melting. Only pulverizing the drive into fine particles makes data recovery virtually impossible. 

Since some destruction methods can leave portions of a drive intact, it is usually recommended that physical destruction is preceded by another data destruction method, such as overwriting. Also, the process of destroying IT equipment requires careful recordkeeping and auditing to ensure that every piece is properly managed.

Secure Your Data with mender

At mender, we fully understand the importance of data destruction. If you need to ensure that the data on your end-of-life IT equipment is securely destroyed (and in an environmentally responsible manner), please reach out to mender and learn more about how our recycling and sustainability solutions can fit your needs.

Latest news

E-waste: Before You Toss, Consider These Insights!

What to do with Old computers: recycle, dispose or upcycle?

Transforming Retired IT Equipment into Social Impact