Responsible Hard-Drive Destruction
12 Sep, 2011
As we know, a used computer’s hard drive contains bank-account info and Social Security numbers, vital personal and business information, old email messages and more. Yet what I hear on how to destroy old drives makes me shiver, such as “Drill a hole in them then toss!” or “I’d toast them with a blowtorch!” These are actual suggestions on the Web. So what is a reliable and safe way to handle hard-drive destruction, you ask?
First, you need a proven destruction technology that is safe, easy to use, and gives you peace of mind - the assurance that no one is going to recapture a bit of data off your discarded drives. Data-recovery technology continues to advance by leaps and bounds. And there are many techniques that are not top secret but still allow the recovery of information from seriously damaged drives - you’d be surprised. Just ask your state and local police or the U.S. National Security Agency/Central Security Service (NSA/CSS).
By the way, the U.S. government is so concerned with the loss or theft of data, or just with the end of a computer’s life, that the NSA has developed guidelines that require hard drives to be degaussed (demagnetized) and incinerated or otherwise physically damaged prior to disposal. Aside from governments securing state secrets, every person and enterprise has old hard drives that should eventually be destroyed. And don’t think that just because you aren’t a government agency or contractor you don’t need to be vigilant about hard-drive disposal.
There are real risks of information (financial and tax records, Internet purchases, etc.) falling into nefarious hands, not to mention there is information your competitors would love to see, such as price lists, sales figures, customer data, engineering data, memos drafted in preparation for bidding, e-mails from a president to his galpal, etc. Aside from damage to one’s reputation, there is the possibility of a lawsuit from an employee, customer, patient, or other individual who claims he or she was harmed by the release of his/her private information. The list goes on and on.
Although hospitals and other healthcare and health-insurance providers, banks and other financial institutions, and government/military entities are subject to higher standards of confidentiality, every business has employee records and proprietary information. We all have to replace computers from time to time - more frequently as newer technology makes them obsolete.
A Job Worth Doing
Just one hard drive can contain hundreds of thousands of files. When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of all online activity. Overwriting the drive may not be enough to prevent confidential/proprietary/sensitive data from being recovered by a determined individual using the right techniques and equipment.
For any facility, I strongly recommend instituting a comprehensive information-security program - written procedures that must be followed. Such procedures should include detailed record keeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed. The program should also include careful documentation of destruction dates and methods and a plan for in-house monitoring/verification. You never know when these records will come in handy. Proper training is a must. These procedures should only be carried out by trusted employees or a security service, and supervised by management.
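A minimal audit of such a destruction log, as an added example that is not part of the original article: it checks each record for the fields named above (serial number, source computer, removal date, destruction date and method, verification) and flags entries that break the procedure. The record layout, the 30-day holding limit, and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Methods named in this article, treated here as the approved set (assumption).
APPROVED_METHODS = {"overwrite", "degauss", "crush", "shred", "disintegrate"}

@dataclass
class DriveRecord:
    serial: str
    source_computer: str
    removed_on: date
    destroyed_on: Optional[date] = None
    method: Optional[str] = None
    verified_by: Optional[str] = None

def audit(records, today, max_days_held=30):
    """Return {serial: [findings]} for records that break the written procedure."""
    findings, seen = {}, set()
    for r in records:
        problems = []
        if r.serial in seen:
            problems.append("duplicate serial in log")
        seen.add(r.serial)
        if r.destroyed_on is None:
            # Removed from service but never destroyed: flag once the limit passes.
            held = (today - r.removed_on).days
            if held > max_days_held:
                problems.append(f"held {held} days without destruction")
        else:
            if r.destroyed_on < r.removed_on:
                problems.append("destruction dated before removal")
            if r.method not in APPROVED_METHODS:
                problems.append(f"unapproved or missing method: {r.method!r}")
            if not r.verified_by:
                problems.append("destruction not verified")
        if problems:
            findings.setdefault(r.serial, []).extend(problems)
    return findings

# Constructed sample log (not real drives or people).
SAMPLE = [
    DriveRecord("SN-0001", "PC-ACCT-01", date(2011, 6, 1), date(2011, 6, 10), "shred", "j.doe"),
    DriveRecord("SN-0002", "PC-ACCT-02", date(2011, 6, 1)),
    DriveRecord("SN-0003", "PC-HR-07", date(2011, 7, 5), date(2011, 7, 1), "degauss", "j.doe"),
    DriveRecord("SN-0004", "PC-HR-08", date(2011, 8, 1), date(2011, 8, 3), "drill", None),
]

if __name__ == "__main__":
    for serial, problems in audit(SAMPLE, today=date(2011, 9, 12)).items():
        print(serial, "->", "; ".join(problems))
```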
Businesses that don’t yet have a comprehensive information-security program can take a cue from federal regulations that require some facilities to have one in place, such as the rules implementing the Fair and Accurate Credit Transaction Act (FACTA). In order to minimize fraud and identity theft, FACTA’s far-ranging standards require lenders, insurers, and many other businesses - anyone who “maintains or otherwise possesses consumer information for a business purpose” - to properly destroy consumer information.
Likewise, hospitals and other healthcare entities must comply with privacy and security standards promulgated under the Health Insurance Portability and Accountability Act (HIPAA). Similar requirements may be found in the Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection) Act and the Gramm-Leach-Bliley (Financial Services Modernization) Act. Further, the credit card industry is required by the Payment Card Industry Data Security Standard (PCI DSS), international protocols issued by a credit-card-industry council, to take proper security measures with customer and corporate proprietary information.
Choices for Safe Data Removal
1. Overwriting the drive. “Disk-wiping” software is used to replace stored data with a pattern of meaningless characters. I felt obligated to mention this method, but I do so with reservations. There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten. U.S. Department of Defense guidelines recommend this step for operable drives bound for disposal, prior to degaussing and/or destruction. But one overwriting “pass” is not enough, and this method must be carried out by someone who is patient and careful and understands the process, as it is time-consuming, with the time required depending on the age and size of the drive.
2. Degaussing. There are two major methods of degaussing: 1) one method permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets; 2) the second method uses a powerful electromechanical pulse that instantaneously generates a powerful magnetic field to permanently erase data from disks in an enclosed chamber. One should note that because there are variations in the formats and magnetic densities of hard drives and in the methods by which they store information (longitudinal or perpendicular), the degaussing device must have a high enough coercivity rating (magnetic power) to overcome the drive’s magnetic field and completely erase its stored information. If it doesn’t, the whole process is a waste of time. The NSA/CSS evaluates degaussers and has published a list of approved devices for the erasure of sensitive or classified magnetic storage devices.
3. Crushing. This method destroys drives by subjecting them to extreme pressure from a conical steel punch or similar device. Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models. Unlike after degaussing, the information residing on a deformed hard drive is still intact, but it is much more difficult to retrieve.
4. Shredding. Hard-drive shredders literally rip drives to shreds. The shredding process is much the same as in an ordinary paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives. These shredders are also good for destroying cell phones, PDAs, electronic organizers, and other data-storage devices. Several models are available, the largest of which can destroy up to 2,500 drives per hour.
5. Disintegration. “Mechanical incineration” by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and un-reconstructable. For hard drives and other metal, this is typically done after shredding. Disintegration is similar to shredding, although the end particles are much smaller and more damaged. Disintegrators are also available in several models able to handle various sizes and volumes of hard drives. The upkeep for a disintegrator is significantly greater than that for a shredder, and is therefore an important consideration when choosing between the two.
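The overwriting method in item 1, sketched as an added example that is not from the original article or any disk-wiping product: several passes over a drive image, each flushed to storage, followed by a read-back check of the final pass. It assumes a regular image file stands in for the drive, and the pass patterns are illustrative choices, not taken from the DoD guidelines.

```python
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB chunks so large images are not held in memory

def _write_pass(fd, size, pattern):
    """Overwrite the whole file once; pattern is a byte value, or None for random."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        data = os.urandom(n) if pattern is None else bytes([pattern]) * n
        remaining -= os.write(fd, data)  # os.write may write fewer bytes than asked
    os.fsync(fd)  # force this pass to storage before the next one starts

def _verify(fd, size, pattern):
    """Read the file back and confirm every byte equals the final pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        block = os.read(fd, min(CHUNK, remaining))
        if not block or block.count(pattern) != len(block):
            return False
        remaining -= len(block)
    return True

def wipe_image(path, passes=(0x00, 0xFF, None, 0x00)):
    """Overwrite path in place with each pass, then verify the last one."""
    if passes[-1] is None:
        raise ValueError("final pass must be a fixed pattern so it can be verified")
    size = os.path.getsize(path)  # regular files only; block devices report 0 here
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        for p in passes:
            _write_pass(fd, size, p)
        return _verify(fd, size, passes[-1])
    finally:
        os.close(fd)

def demo():
    """Constructed stand-in for a drive: a temp file holding fake sensitive data."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"SSN 000-00-0000 acct 12345678\n" * 1000)
        path = f.name
    try:
        verified = wipe_image(path)
        with open(path, "rb") as f:
            leftover = b"SSN" in f.read()
        return verified, leftover
    finally:
        os.remove(path)
```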
The Outsourcing Option
Many companies simply cannot afford to purchase equipment for the relatively few items they need to destroy. Outsourcing can be affordable and safe when done properly, but if you choose this option, be sure to do your homework. Evaluate a service provider and its security protocols before contracting.
1. If the service will pick up hard drives, how are they transported to the destruction facility? Do they offer locked, trackable transport cases with tamper-proof security tags?
2. Does the service require a long-term contract or a monthly minimum?
3. Upon arrival at the facility, will your items be inventoried by serial number (or barcodes correlated with serial numbers) and stored in a locked, monitored area?
4. Are job applicants thoroughly screened? Is the facility monitored by security cameras?
5. What destruction methods will be used? Degaussers, shredders, disintegrators?
6. Has the facility’s equipment been evaluated by the NSA/CSS?
7. What proof will you have that items were destroyed? Can you watch or see a video?
8. Will the destruction of your items be logged and certified in writing?
9. What happens to destroyed waste? Is it recycled in accordance with regulations?
10. Is the facility bonded and insured, and to what limits?
If you don’t like the answer to any of these questions, look for another service. And please note that a certificate of destruction does not free you from your legal responsibility. If a destruction contractor certifies that your confidential data was destroyed, yet the data surfaces somehow, you are still liable for damages suffered by the injured parties.
Methodical Choices Protect You
Sometimes the best overall destruction/disposal solution is a combination. Regardless of the methods you choose for disposing of outmoded computers, be mindful of the fact that they contain valuable and toxic materials. Some components can be reused, and most can be recycled. Explore options that go beyond legally mandated procedures to minimize the chance of environmental contamination. Security is your main goal, but security and recycling do not have to be at odds with each other. Data security is an ongoing process, but by learning about threats and understanding destruction options, you will be in a much better position to protect yourself and your business.
Andrew Kelleher is president of Security Engineered Machinery (SEM), the largest direct supplier of high-security information destruction equipment to the United States federal government and its various security agencies. For more information, contact Mr. Kelleher at SEM, PO Box 1045, Westborough, MA 01581, 508-366-1488, FAX: 508-366-6814, email@example.com, www.semshred.com.