Data Destruction Recycling Services

 

Every business, healthcare organization and governmental agency has certain responsibilities regarding the privacy of personal information. Securely destroying that information on digital media is critical for compliance when disposing of computer equipment.

This is a growing concern for the government, and as a result, those who violate or ignore data privacy laws are finding themselves subject to increasing levels of investigation, enforcement, and penalties.

It is extremely important that businesses understand how they are expected to destroy customer and patient PHI when it comes time to dispose of computer equipment.

 


The HIPAA Security Rule establishes national standards to protect individuals’ EPHI that is maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of EPHI.

NIST 800-88 provides guidance to assist organizations in making practical sanitization decisions based on the confidentiality of their information. Media sanitization refers to a process, such as hard drive shredding, that renders access to the data on digital media infeasible for a given level of effort.

What Is Data Destruction?

 

Data destruction has been defined in a variety of ways by technical publications and industry leaders. However, the term is often used interchangeably with data sanitization, which makes it difficult to identify the most appropriate definition.

Once the concepts of physical destruction and data erasure are added to the mix, it becomes necessary to clarify the terms being used.

Defining the concept of data destruction

 

According to Ewaste Cleanup, data destruction is the process of permanently erasing data stored on media such as tapes, hard drives, and other forms of electronic equipment so that it can no longer be read or used in an unauthorized manner.

To make sure that all data has been completely deleted, and to achieve compliance with most data protection standards, there are a number of steps you can take. This is where data sanitization and data erasure (a type of data sanitization) come into play.

Destruction of data differs from destruction of physical media

 

Additionally, it is important to note that destroying data (data destruction) is distinct from destroying the media on which data is stored (physical destruction).

In physical destruction, a device is rendered completely inoperable by large mechanical shredders that cut it into tiny pieces.

The process involves shredding hard drives, smartphones, printers, laptops and other storage media into tiny pieces.

 

Degaussers can also be used to reorganize the magnetic fields on hard disk drives (HDDs). Other methods are also available.

The physical destruction of a device may cause a significant amount of data to be lost. However, this does not guarantee that all data has been lost.

It is particularly important to remember this when it comes to newer, flash-based technologies like solid-state drives (SSDs), which store data so densely that it can remain intact even when fragmented (see “SSD Erasure: What Enterprises Need to Know” for more information).

The same applies to hard disk drives (HDDs). When degaussing an HDD, it is necessary to follow proper procedures and use a degausser with a magnetic force strong enough to destroy the HDD (the National Security Agency lists approved degaussers for this purpose). If degaussing is applied to non-magnetic drives (SSDs), no data is affected at all.

In light of these vulnerabilities, physical destruction alone is not sufficient to ensure that data is irretrievably lost. The verification piece of any data destruction procedure cannot be neglected.

The National Security Agency (NSA/CSS), the Department of Defense and the Defense Security Service dictate specifically how contractors destroy digital media. All other data destruction organizations issue guidelines.

The intent of the Payment Card Industry Data Security Standard (PCI-DSS) was to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include: consent, collection and notification of consumer data.

I would like to point out that this is not the definition of data destruction


It is important to distinguish between the term data destruction and the term data sanitization

Accordingly, data destruction on its own comes with no evidence that the method used to destroy the targeted data, whether a single file or a whole drive, was fully effective in removing the data.

The following are two examples that demonstrate the importance of this:

When attempting to remove individual files, most data destruction methods do not remove the actual file. The data is still on the machine; it is simply not readily accessible to the operating system or the applications that created it. In other cases, where "file shredding" overwrites a file, it is unclear whether the overwriting process has been successful.

Even when attempting to remove all data on a device (for example, in the case of reusing, reselling, or donating that device), a full reformat can leave behind information that can usually be recovered with keyboard methods or with the assistance of forensic tools.

How much data remains, and how easily it can be accessed, depends on the media and the methods used to destroy the data. In both cases your data is vulnerable if its destruction is unverified. It is essential to determine the level of risk you are willing to take based on the value or confidentiality of your data, as well as the level of data protection required by your industry.

Taking Data Destruction a Step Further to Ensure It Is Gone Forever

It is essential that organizations go beyond data destruction and instead focus on data sanitization to ensure that all data is completely removed from their IT assets.

As part of data sanitization, the data destruction process is verified using recognized verification methods and a certified, tamper-proof report is produced. For highly sensitive data, sanitization is critical to mitigating the risk of unauthorized data access because it has been proven to render the targeted data irrecoverable.
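The verification pass and signed report described above, sketched as an added example (not code from this page or from any vendor). The function names, block size, asset ID and key are assumptions, and the drive image is constructed inline so the script runs offline.

```python
import hashlib, hmac, io, json

BLOCK = 4096  # bytes per read in the verification pass (assumed size)

def verify_overwrite(stream, fill=0x00, block=BLOCK):
    """Read the whole medium back; record every block that still holds
    anything other than the expected overwrite byte."""
    expected = bytes([fill]) * block
    digest, residual, offset = hashlib.sha256(), [], 0
    while chunk := stream.read(block):
        digest.update(chunk)
        if chunk != expected[:len(chunk)]:
            residual.append(offset)
        offset += len(chunk)
    return {"bytes_read": offset, "residual_offsets": residual,
            "sha256": digest.hexdigest(),
            "sanitized": offset > 0 and not residual}

def signed_report(result, asset_id, key):
    """Serialize the result and bind it to a key held by the verifier, so
    later edits to the report are detectable (tamper-evident)."""
    body = json.dumps({"asset": asset_id, **result}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}

def report_is_intact(report, key):
    """Recompute the tag over the stored body and compare in constant time."""
    tag = hmac.new(key, report["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, report["hmac_sha256"])

def sample_image(clean):
    """Constructed sample: a 4-block image; the wipe missed block 2."""
    blocks = [bytes(BLOCK)] * 4
    if not clean:
        blocks[2] = b"constructed leftover record".ljust(BLOCK, b"\x00")
    return io.BytesIO(b"".join(blocks))

if __name__ == "__main__":
    key = b"demo-key-not-for-production"  # hypothetical key for the demo
    for clean in (False, True):
        result = verify_overwrite(sample_image(clean))
        report = signed_report(result, "ASSET-EXAMPLE-001", key)
        print(result["sanitized"], result["residual_offsets"],
              report_is_intact(report, key))
```

A read-back like this only covers blocks the host can address. On SSDs, spare and remapped areas are not visible through the normal interface, so a clean read-back there does not by itself show that all stored data is gone.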

Sanitization of data is often required to ensure compliance with data protection and privacy regulations for highly regulated industries.

 

It is possible to achieve data sanitization in three ways: physical destruction (with verification), cryptographic erasure, or data erasure. The one(s) you choose should be based on the device you are sanitizing, industry mandates, compliance with data protection regulations, and the level of risk you accept. Many organizations use the three methods individually or in combination.

Taking the next step

Ask: Always ask your recycler how and where your data is to be handled, and make sure to keep a paper trail.