Data security means keeping data out of the wrong hands. This is especially important when storage media is no longer usable and needs to be decommissioned. The data must be truly destroyed, for both security and compliance. 

The trouble is ‘deleting’ data doesn’t really delete data. It’s still possible to extract data from a device that has been deleted, re-formatted and even damaged physically. The highest form of data destruction makes it unreadable on the device, then destroys the device. But, how do you make data truly unreadable? 

What is Data Destruction? 

The amount of data enterprises manage and secure is growing fast. The problem also grows because of procrastination born of cheap storage and overworked staff. This is bad security and bad compliance. 

Forget deleting and reformatting. Deleting merely frees up the space taken by the deleted files for use by other data. The ‘deleted’ files can be easily recovered until those spaces are overwritten. Reformatting simply deletes the entire drive or partition. Overwriting, or wiping, replaces old data with new, arbitrary data. And, it’s better than deleting. But, it might miss some data. 

The best method for making data unreadable is degaussing, which exposes magnetic storage devices (hard drives, magnetic tape, floppy disks, etc.) to a high-intensity magnetic field of alternating amplitude. Degaussing not only erases data, but also destroys the device. 

Degaussing creates two problems. First, it’s not effective for solid state drives (SSDs). Second, degaussing is unverifiable. Because the drive is ruined, the deletion of data cannot be confirmed.  Additionally, wiping could be incomplete, and degaussing can’t be verified.

Good data deletion calls for destruction. 

Let’s Get Physical

The best general practice for end-of-life data destruction calls for degaussing magnetic media, wiping solid state media and physically destroying each with the appropriate shredder. 

Many companies use the same process for destroying hard drives and SSDs. This is a mistake. Degaussing doesn’t work on SSDs. Do not rely on hard disk shredders, which can leave SSD chips readable. National Security Agency (NSA) internal policy demands SSD bits to be reduced to 2 mm or less.

Time For a New Data Destruction Policy

Every organization needs a clear decommissioning policy. The policy should be carried out by someone experienced in end-of-life decommissioning of digital assets and should not be foisted on already over-tasked IT generalists.

If any of this work is outsourced to an information technology asset disposition (ITAD) service, it’s important to thoroughly vet whomever is involved in the chain of custody. In-house or outsourced, your decommissioning policy should prescribe the following: 

  • Detailed IT asset inventory
  • Thorough logging of the entire decommissioning process
  • A comprehensive backup of stored data
  • A process of disconnection of the device — subnets, firewalls, networks and power
  • Degaussing of all magnetic media
  • Wiping of all solid state media
  • Physical destruction of all media
  • Recorded proof of the destruction
  • Requirements for cloud providers and their data destruction policies
  • Responsible recycling of destroyed storage media materials

Crush… but Verify

Know the regulations relevant to you, such as Europe’s General Data Protection Regulation (GDPR), California’s California Consumer Protection Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the NSA’s rules. These policies around the handling of classified data and other regulations mandate true data destruction policies and practices for consumer, financial or government data. And, the fines are hefty. 

The deep end of the data destruction pool is data sanitization, which combines absolute and irrevocable destruction of data and tamper-proof verification. Highly regulated industries require sanitization and this work has to be carried out by experienced specialists. 

But whatever your process and whoever does it, the end result should include certificates of sanitization, documentation of a clear audit trail and satisfaction of regulatory compliance in writing.

In a nutshell, fully destroy data on decommissioned media for security, and verify it all for compliance. 

More from Data Protection

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

How the CCPA is Shaping Other State’s Data Privacy

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy's legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement. But while the laws…