Author Elizabeth Wilmot

2014 Standards for Data Destruction

Data Killers is known throughout the nation for providing state-of-the-art, certified data destruction services for a variety of media, including hard drives, mobile devices and even solid state drives. With data destruction protocols and requirements evolving quickly, we believe it is extremely important to stay abreast of information and news pertinent to the data destruction industry. We thought the following article on the 2014 standards for data destruction, originally reported on Business 2 Community’s website, was worth re-posting.


“A lot can change in eight years, especially when we’re talking about technology. Since the National Institute of Standards and Technology released NIST 800-88 in 2006, it has been the only official United States standard for data destruction, replacing the outdated DOD three-pass standard. But that was 2006, and data storage trends have evolved quite a bit since then. Most significantly, solid state drives (SSDs) and mobile devices like phones and tablets that make use of Flash SSDs have become ubiquitous in the workplace.


The most recent updates to the NIST 800-88 standard reflect the use of these devices and the need for a reliable process for destroying the data on them. If your company deals with sensitive information of any type, whether it’s medical records, financial data, employee or customer personal data, or intellectual property, you need to be aware of these changes.


In late 2013, the first revision of NIST 800-88 was published. Although it is still technically a draft, it is the accepted industry standard for hard drive and media sanitization. What follows is an overview of some of the major revisions to NIST 800-88. It includes important new best practices for sanitizing both mobile devices and SSDs.


Sections 2.3 and 2.4


These sections deal directly with the standards for sanitizing solid state drives. As the cost of SSDs has declined, and their capabilities have expanded, an increasing number of businesses are using them for data storage. Unfortunately, as discussed in one of our recent white papers, the specifications of these devices make conventional magnetic data destruction strategies ineffective.


These sections of NIST 800-88 address the inefficacy of overwrite technologies when applied to SSD devices, and the difficulty of destroying the drives completely due to the physical structure and nature of the electronic storage. The new standards do not outline specific destruction standards, but they do recommend that SSD users be aware of their increased vulnerability.


Sections 4.7 and 4.8


Reviewing the practices of your own team or IT asset disposition (ITAD) vendor is a crucial but often overlooked part of the data destruction process. The destruction process must be documented so you can prove that data was destroyed properly. The newly updated sections reaffirm the necessity of an audit, and outline standards for the auditing process. Section 4.8 recommends that any audit should include details about:
• The device
• The process of destruction
• The method of destruction
• The date of destruction
• The name of the supervising party
• A validation of all of the above information


Without this document in your records, there is no guarantee that your devices were sanitized according to the best possible practices. The takeaway is that any ITAD vendor you select must be able to provide a comprehensive audit.


Appendix Updates


When the original NIST 800-88 data destruction standards were first drafted, smartphones were in their infancy. But as too many businesses have discovered, the capabilities of these devices are also a liability. The new standards include recommendations for sanitizing phones from all of the major providers, and they provide an important road map for true data security in 2014 and beyond. The appendix outlines the accepted method for data destruction at each level – clear, purge, and destroy. Notes addressing the unique challenges inherent to each device type are also included. If your business relies on a specific type of mobile device, or a combination of devices, we absolutely recommend consulting the appendix.
The changes outlined in NIST 800-88 are important for all businesses, because the way data is stored in 2014 is not the same as it was in 2006 (especially concerning the rise in SSDs).”
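The audit discussion above (Sections 4.7 and 4.8) lists what a destruction record should capture: the device, the process, the method, the date, the supervising party, and a validation of all of that information. The following is an added example, not code from the original article, from Data Killers, or from NIST SP 800-88, showing one way to build such a record so that it can be checked later and so that any alteration after signing is detectable. The field names, the choice of HMAC-SHA256 as the "validation" field, the constructed sample record and the sample key are all this example's own assumptions; in practice the signing key would be held by the party issuing the certificate and never embedded in a script.

```python
"""Build and verify a tamper-evident media sanitization record.

Added example, not from the original post or NIST SP 800-88. The field set
follows the audit items the post attributes to Section 4.8 (device, process,
method, date, supervising party, validation); the HMAC-based validation and
the key handling are this example's own assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime

# Sanitization levels named in the appendix discussion of the post.
SANITIZATION_LEVELS = {"clear", "purge", "destroy"}

# Fields the post lists for an audit record; "validation" is derived from these.
REQUIRED_FIELDS = ("device", "process", "method", "date", "supervising_party")


def _canonical(record: dict) -> bytes:
    """Serialize the record deterministically so the MAC is reproducible."""
    body = {k: record[k] for k in REQUIRED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def check_fields(record: dict) -> list:
    """Return a list of problems; an empty list means the record is well-formed."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not str(record.get(field, "")).strip():
            problems.append(f"missing field: {field}")
    if record.get("process") not in SANITIZATION_LEVELS:
        problems.append(f"process must be one of {sorted(SANITIZATION_LEVELS)}")
    try:
        when = datetime.fromisoformat(str(record.get("date", "")))
        if when.tzinfo is None:
            problems.append("date must carry a timezone")
    except ValueError:
        problems.append("date must be ISO 8601")
    return problems


def sign_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 over the canonical record as its validation field."""
    problems = check_fields(record)
    if problems:
        raise ValueError("; ".join(problems))
    signed = dict(record)
    signed["validation"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return signed


def verify_record(record: dict, key: bytes) -> bool:
    """True only if the fields are well-formed and the MAC matches them."""
    if check_fields(record) or "validation" not in record:
        return False
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record["validation"]))


# Constructed sample input (assumption: a real key would come from the issuer's key store).
SAMPLE_KEY = b"example-key-do-not-use-in-production"
SAMPLE_RECORD = {
    "device": "SSD, serial SN-EXAMPLE-0001",      # constructed placeholder identifier
    "process": "destroy",
    "method": "physical shredding (example text)",  # constructed description
    "date": "2014-03-15T14:30:00+00:00",
    "supervising_party": "J. Doe (example)",
}


def demo() -> tuple:
    """Sign the sample record, then show that editing a field invalidates it."""
    signed = sign_record(SAMPLE_RECORD, SAMPLE_KEY)
    tampered = dict(signed, method="single-pass overwrite")
    return verify_record(signed, SAMPLE_KEY), verify_record(tampered, SAMPLE_KEY)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine record verifies:", genuine_ok)
    print("altered record verifies:", tampered_ok)
```

Running the script signs the constructed record and then verifies both the genuine copy and a copy whose method field was changed after signing; only the genuine copy passes. The canonical JSON serialization matters: without a fixed key order and separators, two records with identical content could produce different MACs and a legitimate certificate would fail verification.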


Since our 2005 inception, Data Killers has gone above and beyond to stay up to date and compliant with all data destruction regulations. Our physical destruction process is in full compliance with all physical destruction criteria as set forth by various laws and regulations, including but not limited to: NIST standards; DoD regulations; HIPAA; Sarbanes-Oxley Act; Gramm-Leach-Bliley Act; CPSC; FDA; FACTA Disposal Rule; Bank Secrecy Act; Patriot Act of 2002; Identity Theft and Assumption Deterrence Act; US Safe Harbor Provisions; FDA Security Regulations; PCI Data Security Standard; various state laws. As technology changes over time, Data Killers makes certain that our data destruction services exceed the destruction regulations, which is why we are the leading provider of compliant and certified data destruction services.