Blancco, an international data security company, published an article in October 2019 discussing some end-of-life data destruction methods and comparing hard drive destruction to data erasure.
In this article cited by the InfoSecurity Magazine website, Blancco recommends weighing the level of impact that certain end-of-life data can have in the event of a data breach, combined with how quickly data can age. They then suggest basing the remediation approach on that assessment. However, InfoSecurity indicates that this assessment should not be used in the case where sensitive confidential or personally identifiable information (PII) is handled.
In these cases, good practice is to treat all end-of-life data as if it has never expired and has a potentially high level of damage if breached, both of which may be impossible to predict.
InfoSecurity points out that data breaches are not time-barred, meaning that an end-of-life drive can cause a breach years after it has been discarded.
Here are the practices to avoid:
One option for some companies is to reuse some drives, as this is the cheapest and simplest alternative. However, the InfoSecurity website points out that this practice creates a risk that companies will allow leftover data, encrypted or unencrypted, to fall into the wrong hands.
Companies should prepare their end-of-life data destruction procedures to ensure that future data breaches are prevented. This will not only save them time and money in the long run, but will prevent any damage to their customer base and reputation.
The Blancco article also states that using a third-party vendor to sanitize and destroy end-of-life data and devices is an option. However, it is important that any third party you are thinking of introducing to the process be vetted on their background. Companies face a much higher risk of data breach at every step of the way when they opt for this route.
While there are some reputable data sanitization vendors, it can be all too easy for ITAD vendors to misuse, mishandle and misplace drives during transport and during the actual acts of destruction and disposal. It has even been reported that some vendors sell end-of-life devices and their sensitive information to third parties online. It is therefore more advisable to keep the chain of custody in-house and destroy devices in-house with an internal process.
A typical misconception of data destruction is that erasing or overwriting a drive and degaussing are synonymous. Unfortunately, this type of thinking can quickly become dangerous depending on the information to be destroyed.
While methods such as cryptography and data erasure would allow you to reuse the drive, as Blancco suggests, you run the high risk of leaving behind sensitive data that can become a gold mine for hackers and thieves.
We recommend following these best practices:
According to InfoSecurity Magazine, although degaussing cannot destroy data on solid state drives (SSDs) at end of life, it is advisable to follow NSA guidelines and degauss all magnetic media, including hard disk drives (HDDs), prior to destruction. Degaussing is not required as part of the destruction process, but shredding is recommended.
When degaussing HDDs, companies choose the most secure data sanitization method according to NSA guidelines, as this is the only way companies can be sure that their data has been properly destroyed. When magnetic media is degaussed, the machines use powerful magnetic fields to sanitize the magnetic tapes and the drive, erasing all sensitive information from the device. This act renders the drive completely inoperable, which should always be the goal.
Once the device has been degaussed, the next step is its physical destruction. The combination of these processes is undoubtedly the most secure method to ensure that none of your end-of-life data remains recoverable from the drive. No hacker would be able to obtain information from the disk, simply because there is nothing left on the disk to hack.
Regardless of the catalyst for end-of-life drive destruction, it is always best practice to perform destruction and degaussing in-house. It is also important to remember that a data breach is a data breach, regardless of the level of impact. Blancco writes that “not all degaussing machines are adequate to the task of degaussing all hard drives.”
At eSmart Recycling, we understand that our customers need to focus on what they do best, and that’s why they rely on us to get the job done right. We provide a transparent, full chain of custody as we manage the process of recycling, reuse, recovery, and retirement of electronic material at the highest compliance standards.
Every load processed through our facility will be accompanied by a certificate of data destruction. All confidential customer materials and media will be processed for sanitization or destruction within 30 days from the date of the receipt, per National Association for Information Destruction (NAID) standards.