Developing a Comprehensive Program for Data Destruction
When considering how to destroy data on retired storage media for your company and clients, there are several vital details that must be considered. Beyond the actual data destruction method, a wider lens is recommended to develop a holistic data destruction program.
First Things First. Best Practices – Widening the Lens
1. Company Data Privacy Policy
Your data destruction program should be consistent with your company’s data privacy policy. Although not all company policies are prescriptive in how data is managed on retired devices, it is critical that you have a written departmental process in place for data destruction and that the process is enforced.
2. Process – Handling Retired Storage Media
Systematic data destruction helps protect sensitive information and prevent it from falling into the wrong hands.
Data Destruction Methods
The most common data destruction methods are erasure, shredding, degaussing and crushing.
Audit Trail
Proper tracking and handling of the disposal of storage media is an important, and often overlooked, step to ensure systematic handling and keeping track of all decommissioned storage devices.
This is the most overlooked step when considering how to destroy data and can be critical to ensure a data safe outcome. A well-defined, documented process ensures no drive is skipped when destroying data and that your electronic audit trail is complete and accurate. Should your organization undergo an internal or external audit, your department can demonstrate that data was destroyed compliant with industry regulations and your internal data privacy policy in a consistent, repeatable, predictable and data safe manner.
Industry Standards for Data Destruction
NIST 800-88 r1 is the most common industry guideline referenced in today’s marketplace. Introduced in December 2014, clear, purge and destroy guidelines are defined for different types of storage media. IEEE 2883-2022 is a much newer standard. It was released in 2022 and because of its short history, has limited adoption in today’s marketplace at this point in time. Which one you choose to use will depend on your company’s specific requirements.
Documentation
As part of a complete data destruction program, you will want documentation of when, where and how data was destroyed. Many vendors will be able to produce detailed certificates of data destruction (CODD) providing proof that data has been destroyed.
3. Data Destruction Method Details
This chart shows different options for destroying data. It is important to use the right destruction method depending on the type of storage device being destroyed. There are several methods available to destroy data on storage devices, each with its own set of pros and cons.
Data can be destroyed on magnetic hard drives (HDDs), most commonly using data erasure, degaussing, crushing or shredding.
Degaussing is a process of erasing data from a hard drive or tapes by exposing it to a magnetic field. Degaussing is only effective on magnetic media, such as HDDs and tapes. It does not erase data stored on solid state drives (SSDs) and should not be used for SSDs.
Tapes are not suitable for reuse outside of your own organization. No solution is economically or technically viable. When tapes are removed from your live environment, they are destroyed via shredding or degaussing.
A Closer Look at Each Data Destruction Method
Erasure
Data erasure eliminates data by overwriting. Data is stored or interpreted on a drive as patterns in binary code, using 1s and 0s. Data erasure overwrites all data on the hard drive with a new random series of 1s and 0s, replacing the original data, making it irretrievable. Data wiping can be done on-site at your company’s office or data center, or off-site at an ITAD processing facility. The biggest disadvantage to data wiping on-site is the time needed to overwrite existing data. ITAD companies are set up to erase data at scale, overcoming the time constraint faced on-site.
Data erasure is a commercially viable solution for HDDs larger than 2 TB and SSDs larger than 500 GB. Data can be overwritten at a rate of about 200 GB per hour for a single pass erasure. Older standards recommended five- to seven-pass wipes, although that is no longer required for modern storage media.
IMPORTANT NOTE: Data erasure is the only NIST 800-88 r1 approved standard that allows secure reuse of the device.
Degaussing
As described above, degaussing applies a magnetic charge to erase data on magnetic storage media. Degaussing does not eliminate data on solid-state nor optical storage devices. This data destruction method can be done on-site or off-site at an ITAD processing facility. It is convenient and quick (about 30 seconds per drive) but destroys the reuse potential of the drive. When you have only magnetic media and when storage media is old and has little resale value, degaussing is a good option. It is common to ship the erased media to an electronics recycling company where the drives will be shredded. The shredded metal is refined into metal commodity streams and used as feedstock in producing new metal products.
TIP – If drives are to be degaussed or crushed, the mounting rails must be removed. If drives will be shredded, there is no need to remove the mounting rails. The type of equipment used to erase drives will dictate whether mounting rails need to be removed or not.
Physical Destruction
The most common physical destruction methods are crushing and shredding.
Crushing drives uses a metal press to disfigure or break the data bearing components within a hard drive. To effectively crush a solid-state drive, because the chips are smaller than magnetic platters, an adapter is added to the crusher to facilitate the chips being broken into smaller pieces, ensuring secure data destruction.
Crushing storage media is a quick process, taking less than a minute for the machine to complete a destruction cycle. However, there is a small possibility that the breaking of the data bearing components could result in pieces large enough that data could still be recovered.
Shredding is used to destroy magnetic, solid-state, and optical storage media. Shredding is the most effective method for destroying all types of storage media, but it is important to follow the guidelines for the recommended shred size for each type of storage media.
Shredding can be done both on-site and off-site. At an ITAD processing facility, larger shredders are installed to destroy hard drives efficiently and effectively at scale.
IMPORTANT NOTE: There is no industry standard for crushing.
One More Thing – Sustainability and Reuse
It is estimated that in today’s data center, 90% of hard drives are shredded, eliminating any opportunity for reuse [BBC]. In a circular economy, hard drives could have multiple lives in the future. The reuse of hard drives offers the biggest economic and environmental benefit of any end-of-life option. Reusing a hard drive avoids four times as many carbon dioxide emissions as slicing it up and feeding the pieces through even the most advanced recycling process.
Final Thoughts
Proper data destruction is essential to prevent sensitive information from falling into the wrong hands. With planning and a defined process, you can also achieve sustainability and financial gains by reusing drives, while ensuring your data has been irretrievably destroyed. It is important to use the right destruction method depending on the type of storage device being destroyed and to follow the industry standards for data destruction. Proper tracking of the removal of storage media is also important to ensure compliant disposal and to keep track of all decommissioned storage devices.
This article was originally published in the August, 2023 edition of Reverse Logistics Magazine.
Upcoming Project?
SLS operates globally and can support your data destruction needs worldwide.