Getting Rid of Your Hard Drive? Degauss, Shred, Wipe or Destroy?
A recent study analyzing used hard drives and mobile devices sold online through places such as Amazon and eBay found that 75% of the drives contained residual data from their previous owners.
This raises the question, “How far should a company go in its efforts to destroy all information contained on a hard drive or digital device before recycling?”
The answer depends on various factors including the confidentiality of the information contained on the drive or device, individual company standards, and the level of security mandated by government regulations or industry standards.
The National Institute of Standards and Technology has developed guidelines for Computer Security and Media Sanitization (NIST 800-88). These guidelines define the most secure way to destroy data contained on computer hard drives and backups. Organizations regulated by data privacy laws such as HIPAA, HITECH and GLBA should be aware of these hard drive destruction guidelines when disposing of servers, hard drives and computers.
Here are three methods of sanitization described by NIST, with their pros and cons:
The oldest level of security in destroying digital data is called degaussing. This is the process of reducing or eliminating magnetic data stored on tape or disk media such as computer or laptop hard drives. When exposed to the powerful magnetic field of a degausser, the magnetic storage data is neutralized, effectively making the information unreadable. This involves using a machine that produces a strong enough electromagnetic field to destroy all magnetically recorded data.
This method of data destruction was more effective in the past as a strong electromagnetic field was not needed to destroy data. However, modern hard drives use thicker shielding and require a much stronger electromagnetic field to ensure complete erasure.
Different types of magnetic media require different magnetic field strengths and there is a risk that an incomplete degauss might occur if the field is not strong enough.
Pros of degaussing:
Capable of destroying all data on a hard drive
Can be used to destroy data on a variety of magnetic media
Relatively fast process
Cons of degaussing:
Today’s hard drives use thicker shielding, which requires a stronger electromagnetic field to ensure proper data destruction
No guarantee that a particular machine is strong enough to destroy all hard drive data
Hard drives need to be physically removed from the computer
Hard drives cannot be reused
Other components of the drive are also damaged making it difficult to verify complete deletion
Does not provide reporting of the destruction process which is necessary for regulatory compliance
Reduces the remarketing value of the hardware
Can only be used on magnetic data
Erasure – Data Wiping
Wiping is the correct method for removing low-level information from digital media. This process consists of using hardware or software products to write data over the current information. The overwriting, or ‘wiping’ software, will write 0’s and 1’s over the existing data on the hard drive. Overwriting or wiping is not really erasing. Computer hard drives cannot be erased.
Wiping or formatting a hard drive affects only the file allocation table and does not actually destroy any data. In other words, the data is not destroyed; only the address tables pointing to the files are erased, and the space is made available for storage. Until the “deleted” data is overwritten with other data, it still exists and may pose a significant risk to the organization.
Pros of wiping or formatting:
Data wiping is a fast process
Effective enough to protect computers or other electronics when recycling
Inexpensive means of data security
Cons of wiping or formatting:
Data is not erased and can be easily recovered unless space is rewritten
Organizations are at risk of identity theft, legal and financial battles, lawsuits, etc., if data is not properly wiped and overwritten
There is no reporting provided to prove that the data has been completely destroyed because it still exists.
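An added example, not part of the original article, of the difference described above between clearing the file allocation table and overwriting the data, with a read-back check that lists any sectors still holding data. The toy disk image, its sector layout and the customer record are constructed for illustration; real tools work on a block device rather than a byte array.

```python
import hashlib

SECTOR = 512

def build_image():
    """Constructed toy disk: sector 0 is the 'allocation table', sector 3 holds a file."""
    image = bytearray(SECTOR * 8)
    record = b"CUSTOMER: Jane Example, ACCT 0000-CONSTRUCTED"
    image[0:16] = b"file1@sector=003"            # table entry pointing at the data
    image[3 * SECTOR:3 * SECTOR + len(record)] = record
    return image, record

def quick_format(image):
    """Clear only the allocation table; data sectors are left untouched."""
    image[0:SECTOR] = bytes(SECTOR)

def overwrite(image, pattern=0x00):
    """Write the pattern over every sector, table and data alike."""
    image[:] = bytes([pattern]) * len(image)

def verify(image, pattern=0x00):
    """Read back every sector and report those that do not match the pattern."""
    expected = bytes([pattern]) * SECTOR
    total = len(image) // SECTOR
    dirty = [i for i in range(total)
             if image[i * SECTOR:(i + 1) * SECTOR] != expected]
    return {
        "sectors_checked": total,
        "residual_sectors": dirty,
        "sha256_after": hashlib.sha256(image).hexdigest(),
        "passed": not dirty,
    }

def demo():
    image, record = build_image()
    quick_format(image)
    after_format = verify(image)
    recoverable = record in bytes(image)         # search the raw image for the record
    overwrite(image)
    after_wipe = verify(image)
    return after_format, recoverable, after_wipe

if __name__ == "__main__":
    after_format, recoverable, after_wipe = demo()
    print("after format  :", after_format["residual_sectors"], "recoverable:", recoverable)
    print("after overwrite:", after_wipe["passed"], after_wipe["sha256_after"])
```

The dictionary returned by `verify` is the kind of record that can be kept per drive as evidence that the overwrite was read back and checked.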
Shredding – Data Destruction
The most reliable way to ensure a hard drive or other electronic data containing device can never be read is to destroy it completely. Shredding, crushing or incinerating the device will render the data irrecoverable and the device useless.
Shredding of hard drives is usually done by large industrial shredders. This is considered an effective way of destroying data and preventing recovery; however, it can be time-consuming and expensive if done in-house.
Drilling holes in a hard drive can be another method of destruction. However, for this method to be effective, enough holes have to be drilled to prevent access to the data. It is important to remember that hard drive destruction doesn’t actually destroy data but renders the drive useless. Therefore, remember to back up any data or files that may be needed in the future, as this is the point of no return.
Pros of destruction:
An effective way of destroying data if carried out correctly
Various media types can be destroyed at once
Cons of destruction:
Physical destruction does not provide reporting of the destruction process which is needed to prove regulatory compliance; however, if done by a data management company such as Southeastern Data, a certificate of destruction can be obtained.
Hard drives and other storage media cannot be reused.
Reduces the remarketing value of a PC
If not carried out correctly, data can still be recovered from fragments of storage media.
Data Security Decision
The decision regarding which of these methods is right for your company will depend on how important it is to ensure the absolute confidentiality of the data stored on each device.
Southeastern Data specializes in on-site mobile hard drive shredding and can shred up to 600 hard drives per day making shredding a cost-effective, time saving, and secure alternative.
When the time comes for your organization to donate or recycle unwanted computers or other IT assets, removal of confidential or customer data is of highest importance. If these machines are not accurately sanitized of all data, your organization could be held liable should that data fall into the wrong hands.