On-Site Data Destruction of Magnetic Data Following U.S. Standards

 This is an article written by By Donald Tillman, owner of Safe Data Destruction LLC.

Executive Summary
What are the best practices with getting rid of old computer data in a way that provides protection from legal hassles and data leaks? How can it be done with a focus on being environmentally sound? Many ideas and methods have been explored and used, yet there are only a few that will actually destroy all the data, let alone follow established standards such as DoD, NSA or NIST. We recommend that every company take their magnetic data destruction under careful consideration and follow through with established standards while using techniques that maximize the recyclability of the magnetic disks/tapes.
 
Objective
To help companies comply with Gramm-Leach-Bliley, HIPAA, PCI and Sarbanes-Oxley in regards to digital data destruction to avoid or minimize litigation while maintaining a focus on the environmental impact.

Present situation

1. Many companies are struggling to find the best methods of digital data destruction that will indemnify them and protect their clients.
2. Many data destruction companies are not using DoD, NSA or NIST standards and thus cannot provide indemnity nor the security that their clients need.
3. Some other ‘alternative’ methods have involved drilling, punching, bending, shredding etc. None of those methods follow DoD, NSA or NIST standards, the standards that give businesses and customers the highest security and indemnity.
4. Many data destruction companies are not ‘on-site’ meaning that your data ‘sits’ in a truck or in a warehouse for a while, waiting to be processed at a later date at another location, creating a situation where it can be difficult to account for the whereabouts of data that has yet to be destroyed.
5. Some methods of ‘data destruction’ can make the recyclability of magnetic disks difficult or simply impossible, wasting valuable metals and creating toxic waste.

Proposal

1. The goal of all data destruction is be as absolutely sure that customer data is destroyed (on-site) in a fashion that completely protects them, meaning that all the data is destroyed, not just maimed.
2. Protect corporate data from getting out or corporate data getting in the wrong hands. Many such items include financial, procedural and other sensitive/proprietary internal data that could harm the company or help a competitor.
3. Accomplish this in a way to protect customers and businesses data destruction must be completed on-site using DoD, NSA and NIST standards to further minimize risk with ‘sitting data assets.’
4. To also maintain a focus on using on-site methods that are environmentally sound and more environmentally green than shredding, crushing or incinerating hard disks. Shredding and crushing makes it much more difficult to recycle the metals and materials since the materials are ‘mixed’ rather than separated, thus requiring much more processing.

Attitude adjustments
Many data destruction companies use techniques that they claim are ‘good enough.’ Our position is that when someone says ‘good enough’ that typically means that there is room for error and unnecessary risk. When it comes to data destruction, nobody wants to have any room for error internally or externally. This requires businesses to be more selective and do more auditing/researching of the methods that are being used to destroy their digital data, making sure that the company that is destroying their data meets established standards (DoD, NSA, NIST) and can indemnify their clients and themselves.

Dangers
The dangers of not being careful about data destruction are huge. If a data breach happens and effects your customers, one lawsuit can close a company. The fines alone can close a company. It quickly becomes clear that the room for error is nearly non- existent. Once square inch of a ‘shredded’ hard disk can yield nearly 300 pages of text. That would clearly be a big liability and once more, since shredding/punching/ bending/drilling a hard disk does not meet DoD, NSA or NIST standards, indemnity would be non-existent. CVS recently paid $2.25 million for it’s HIPAA data breach.

Advantages
The advantages to using established standards with a on-site company are quite numerous.

1. The first is that liability is minimized or simply non-existent since live data is not moved to another location, but rather processed in front of the clients eyes on their work site.
2. By using the best established methods on-site, this places a company in a safe and secure place.
3. The comfort that comes from knowing that your company is clearly indemnified will immediately lift unnecessary stress and allows the company to focus on other important things like making money. Safe Data Destruction provides on-site DoD/NSA/NIST hard disk data destruction. Safe Data also provides responsible asset recovery (getting rid of the old assets.)

Best practices:

• Wiping – Using software that created an audit trail of serial numbers and the date and the time. In the US, DoD wiping methods are the standard. We typically use 3 or 7 layer wiping meaning that the data is written over 3 or 7 times. There is another standard that wipes up to 32 times. The bad news is that wiping takes a long time depending on the size of the hard disk and the number of over writes. Secure Erase is another method but not all motherboards allow it’s use and it is only for newer IDE/SATA hard drives: it does not support SCSI or Fibre Channel. The other nifty thing about wiping is that the hard disk can be completely recycled unless there are bad blocks, in that case the hard disk would have to be demagnetized or obliterated.
• Demagnetization – Quite simply, demagnetizing the platters or the whole drive. DoD, NSA, NIST, and PCI. We currently demagnetize each platter, one side at a time. This is extremely lethal to data. (To see what this looks like)
• Obliteration – This is our term but it does involve grinding the magnetic surface off of the hard disk platters. This is in conformance with DoD. Other alternatives include incineration. The problem with incineration is that you cannot recycle the ashes.. whereas you can recycle the hard disk parts that are left over from obliteration.

The best overall focus with data destruction is to minimize the environmental impact while maximizing data destruction. So while wiping or secure erase minimizes environmental impact, their security level may not be enough for banks or the health industry or for businesses who handle credit card information (Sarbanes-Oxley, HIPAA, PCI.) Typically we talk with the client to find what their comfort level is with their data. As an example, we have a HIPAA client who demands that all hard disks are obliterated and another client (bank) required that the hard disk platters be demagnetized. So, depending on your business and what kind of data you have on it one or more of the above methods would protect a company legally.