Author Elizabeth Wilmot

Managing Compliant Data Destruction Programs

Data Killers is always on the lookout for information and news relevant to the data destruction industry.  As a nationwide provider of certified data destruction, we thought the following article about managing compliant data destruction programs, originally reported on Information Age, was worth re-posting.

“All data, whether it’s on hard disks, tape back-ups, mobile devices or stored in the cloud needs to be managed securely and compliantly – not just in storage and transit, but also at the end of its life cycle.

Data destruction is important for everyone, from a home business user disposing of an old laptop at the local recycling centre, a consumer selling a smartphone on eBay, or a business transferring data as part of an upgrade program. Just because data is deleted doesn’t mean it has disappeared from your drive; it could still be restored by someone with the determination to find it.

While a consumer faces the risk of having personal information stolen, under Data Protection regulation companies have a legal obligation to destroy any sensitive information they’re no longer using.

And when the Data Protection Act is swapped for the more stringent EU General Data Protection Regulation in 2016, fines for acts of non-compliance will skyrocket – the new rules stipulate penalties of up to five per cent of a company’s annual turnover.

Yet in a recent study undertaken by Kroll Ontrack in partnership with data erasure experts Blancco with IT managers across Europe, we found that a quarter (25%) admitted to not having a process in place to deal with data destruction.

Not taking proactive action to permanently erase data can lead to catastrophe.  Businesses as well as privacy-conscious consumers need to keep track of data assets that have come to the end of their lifecycle, and then destroy them at their origin. This might not sound like too complex a job – even someone with rudimentary knowledge of technology might be familiar, in theory if not in practice, with concepts like a disk format or factory reset.

Unfortunately, secure data destruction isn’t actually that simple. None of the above methods guarantee that the information stored on those devices won’t be recoverable.  In fact, it might take little more than a few minutes with a free software package to retrieve it.

The purpose of formatting a disk is to strip out its existing file system and generate a new one, not to securely and permanently erase sensitive information. The operating system might not be able to read it as normal, but it still exists. The common assumption is that the reformatting process wipes the medium clean, but that’s not actually true: most of the time, it leaves almost all of the data intact.

Although the process might seem different, carrying out a factory reset on a smartphone or other device with flash memory is identical to a conventional disk format – the contents of the chip stay right where they are, invisible to the operating system but recoverable nonetheless.

As the use of mobile devices grows more prevalent in the world of business, it’s evident that companies need to extend their secure data destruction practices beyond traditional hard drives and tape archives.

Even literally destroying hardware is no guarantee that the data contained therein will be unrecoverable. An intact hard drive is easy to transplant from one machine to another, for example, while even a shattered one can be reassembled and transcribed with enough effort.

With flash memory, things are a little different – the data is permanently erased if the memory chip is destroyed, but in any other scenario, it can still be recovered. Even if the controller chip is destroyed, the memory itself can be moved into another unit.

So even though it may seem to be a last-ditch, fail-safe method, even taking a hammer to a hard drive won’t necessarily render sensitive information irretrievable.  It means that for corporates in particular, there’s a need for even more secure techniques to ensure the destruction of end-of-life data.

Two of the most important of these techniques are outlined below:

Degausser

A modern degausser is basically a giant box that generates a powerful magnetic field, throwing a medium’s existing magnetic domains into disorder and rendering them unreadable.

Physical destruction

Finally, physically destroying the media is an option, though as discussed above, this isn’t always as fail-safe a method as it seems. As Kroll Ontrack shows in this video, a hard drive can sustain significant damage before data is rendered irretrievable. In fact, even if the spinning platters inside are shattered, it’s theoretically possible that someone might put the parts back together and recover the contents.

Simply snapping a hard drive in half isn’t a suitable technique for permanently erasing end-of-life data. If a company goes down the physical destruction route, it should ensure that the media is shattered into as many pieces as possible – most professionals would recommend using a specialist hard drive shredder.”

As an industry-leading provider, Data Killers offers nationwide physical destruction via our high-impact shredders, which not only cut and shred the media but, by forcing it through the cutters and screens, also compress and compact it, rendering it completely unrecoverable. Our shredder has three screen sizes (10 mm, 20 mm and 40 mm) to control the particle output size. In addition to physical destruction, we also offer NSA-approved degaussing services for all types of media, including classified media. With Data Killers, the project is done right the first time and all data is left unrecoverable. Data Killers is the go-to company for managing compliant data destruction programs for a variety of customers throughout the United States.