Avoiding a Data Breach: Best Practices for Data Destruction
What happens to these retired assets and the confidential data that is left behind?
In a perfect world, all of the data is properly destroyed and the assets are either retired or resold. Companies are now transitioning to cloud-based services and newer technology as a way to lower their costs in the long run, and the work required to manage these newer systems and software is much less. The main risk with this transition, one that cannot be ignored, is the handling and disposal of sensitive data and the media it is stored on.
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property (Search Security, 2010). A breach can have several devastating consequences, such as major financial penalties (usually in the millions or tens of millions), damage to your reputation with customers, clients, vendors and the general public, and risk to your company's compliance status under industry regulations (legal ramifications). To avoid a data breach, the best offense is a good defense. Tracking and safely storing the retired media that has confidential data on it is the first step in this process. Keeping an inventoried list of all of the items and keeping them locked in a bin or cabinet is the best practice.
Once the retired media is inventoried and contained, that media still needs to be properly destroyed before it leaves your facility. There are a few ways to accomplish this; close attention to your industry's standards and regulations is key at this stage.
It is very important that you find a vendor that can help answer these questions and also provide the necessary tools to build and maintain compliance. Below are the 3 most common data destruction methods:
1. Destruction* - This is a physical alteration of the drive. The most common method for this type of data destruction is shredding/crushing. Media will be crushed with NSA or DoD certified equipment and the remaining material should be disposed of according to environmental regulations.
2. Degaussing* - Degaussing is a method that uses a strong magnetic field to erase all data on media that use lesser magnetic fields to operate and store data (hard drives, data tapes, floppies, data reels, etc.). There is no physical evidence of destruction, but drives will be rendered useless. It is very important that the vendor's equipment is also NSA/DoD inspected and certified. Other items like CDs and USBs should be shredded and/or crushed.
3. Sanitization* - In this process, data that is present on the hard drive is overwritten with other data repeatedly until the original data is gone entirely. As with the other processes, this should be done with NSA certified software and follow the DoD standard 3-pass wipe (meaning that the data is overwritten 3 times over, instead of once). This process is usually chosen for customers that intend to return their hardware to the manufacturer or resell the hardware.
* It is best that all of these services be performed onsite; in most cases it is required.
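The overwrite-and-verify idea behind the sanitization method above, as an added example that is not from the original article and is not certified wiping software: it runs three passes over a constructed image file standing in for a drive and reads each pass back to confirm it was stored. The pass patterns (zeros, ones, random) are an assumption, since the article only specifies three passes, and all function names and the sample marker are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in chunks so a large image never has to fit in memory

def overwrite_pass(path, fill):
    """Overwrite every byte in place; fill is a byte value, or None for random data."""
    size, written = os.path.getsize(path), hashlib.sha256()
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            n = min(CHUNK, size - offset)  # the last chunk may be short
            block = os.urandom(n) if fill is None else bytes([fill]) * n
            f.write(block)
            written.update(block)
        f.flush()
        os.fsync(f.fileno())  # push the pass out of OS buffers before verifying
    return written.hexdigest()

def read_back_digest(path):
    """Hash what is actually stored now, for comparison with what was written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest()

def three_pass_wipe(path, passes=(0x00, 0xFF, None)):
    """Run each pass, verify it by read-back, and return a per-pass record."""
    record = []
    for number, fill in enumerate(passes, start=1):
        verified = overwrite_pass(path, fill) == read_back_digest(path)
        label = "random" if fill is None else f"0x{fill:02X}"
        record.append({"pass": number, "fill": label, "verified": verified})
        if not verified:
            break  # a failed pass means the media is not sanitized; stop and report
    return record

def make_sample_image(size=200_000):
    """Constructed stand-in for a retired drive, seeded with a fake record."""
    marker = b"SSN=000-00-0000"  # constructed sample value, not real data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(((marker + b"\x00" * 50) * (size // 65 + 1))[:size])
    return path, marker

def residual(path, marker):  # True if the marker can still be read from the image
    with open(path, "rb") as f:
        return marker in f.read()
```

The per-pass record returned by `three_pass_wipe` is the kind of evidence to file against the asset's entry in the media inventory.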
When a company takes steps towards moving to the cloud, consolidating its data center, or decommissioning old equipment, there are always retired IT assets left behind.
Which process is best for my company?
There are many factors to take into consideration here; the most important is your industry's regulations (HIPAA, PCI, Gramm-Leach-Bliley, etc.). Being up to speed and knowledgeable on these will greatly help you in the decision-making process. Also, research the companies you are looking at using. Make sure they have a clean track record (no previous breaches), check their certifications (ISO 14001, ISO 27001) and see if they mention their compliance with local, state and federal regulations.