Tips for Proper Data Destruction in 2020

Jan 10, 2020 | Data Security

We live in an information age in which an unprecedented amount of digital data is being created. This deluge is nowhere near its end.

The International Data Corporation released a report showing that the digital universe is expanding at a rate of 40% every year. A large amount of the created data is generated and stored by companies through decommissioning data centers. IDC further states that companies’ consumers and employees create two-thirds of the data points.

Data can guide a business to optimum production and efficiency. It helps a firm fine-tune its daily operations, offer better services to its customers, and forecast business trends. But data also brings with it a great deal of responsibility. A company must consistently manage its data and destroy it properly to safeguard the privacy of its customers and employees.

Regulatory bodies have also tightened their compliance policies for corporations and decommissioning data centers, while legal fees and fines related to data breach non-compliance vary widely. Companies that are charged with data misuse as per the regulations should, therefore, be prepared to pay much more in courts. It is now, more than ever, critical to destroy data properly. CJD E-Cycling makes this easier than ever and will take care of everything for your organization.

Data Destruction
The act of destroying data is pretty straightforward. It is basically the process by which information is destroyed. Whether the data is in digital form or on paper, it should be destroyed per the industry-set compliance rules and best practice standards.

To securely destroy digital data, sensitive information is overwritten using random data, which renders the original data unreadable. Failure to securely erase data leads to heightened vulnerability to identity theft. A study carried out in 2015 shows that 48% of smartphones and second-hand hard drives contained residual data with sensitive information, including photos and videos.

For larger organizations, the stakes are much higher. The privacy of at least 340,000 people was compromised when Affinity Health Plan, Inc. leased out computer hardware that was not properly sanitized. The company paid a whopping $1.2M in a settlement with the Health and Human Services Department over the oversight.

How to destroy data
Your organization must determine where all the data is stored and decide which data it would like to keep when decommissioning data centers. This can be achieved by establishing policies that require documents to be stored in a particular manner, such as on a specific server. Data is not destroyed if there is a copy of the documents on an employee’s flash drive.

When all the data has been stored correctly, and in the required format, you can use any of the following methods if relevant to your scenario while decommissioning data centers:

•Disposal

Disposal is dumping un-sanitized data. It should only include non-confidential information. Disposal is easy: for a physical hard drive, it only involves taking it to an electronics disposal site. Disposal does not involve any e-cycling of data storage equipment.

•Overwriting

Overwriting is one of the most common techniques of decommissioning data centers. It is also a great way to address data remnants (the residual data representations that remain after attempts to erase it). It involves overwriting the drive with new data. The storage media can then be used for other purposes, and hence e-cycling is possible.

According to experts, overwriting is a relatively low-cost and easy option since it can be done by software and can be applied to the whole medium or selectively to part of it.

One of the unique benefits of this technique is that when all data storage locations are addressed, a single pass is usually adequate for data destruction. Overwriting ensures that all data remnants are erased, therefore maintaining data security. It is also an environmentally friendly option, according to experts.

On the other hand, overwriting an entire high-capacity drive may take a long time to complete, especially when decommissioning data centers. The process might also not be able to clean out data from inaccessible areas such as host-protected locations. Furthermore, there is usually no security protection during an erasure process, and it could be vulnerable to intentional parameter changes.
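An added example (not from the original article) of the two points above: a single pass is enough only for the locations it actually addresses, so erasure should be followed by a verification read. It uses a small constructed image file in place of a drive; the 4 KiB reserved region, the marker value and the function names are assumptions for illustration.

```python
import os
import tempfile

CHUNK = 1 << 16  # write the pass in 64 KiB chunks

def overwrite_range(path, start, length):
    """Single pass of random data over bytes [start, start + length)."""
    with open(path, "r+b") as f:
        f.seek(start)
        remaining = length
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the pass reached the medium

def find_remnants(path, marker):
    """Return every offset where the marker bytes can still be read."""
    with open(path, "rb") as f:
        data = f.read()  # acceptable for a small sample image
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits

def demo():
    # Constructed sample: a 64 KiB image; the last 4 KiB stands in for a
    # reserved region that the erasure tool was not configured to address.
    size, addressed = 64 * 1024, 60 * 1024
    marker = b"CUSTOMER-RECORD-0001"  # constructed sensitive value
    image = bytearray(size)
    for off in (1000, addressed + 100):
        image[off:off + len(marker)] = marker
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(image)
    try:
        before = find_remnants(path, marker)
        overwrite_range(path, 0, addressed)   # tool skips the reserved region
        partial = find_remnants(path, marker)
        overwrite_range(path, 0, size)        # every location addressed
        full = find_remnants(path, marker)
    finally:
        os.remove(path)
    return before, partial, full
```

`demo()` returns the marker offsets found before erasure, after the partial pass, and after the full pass; the partial pass leaves the copy in the unaddressed region readable.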

•Degaussing

If your company is destroying all the information from outdated hard disks or other magnetic storage devices, degaussing is an excellent option for firms that are decommissioning data centers. It involves magnetically erasing data by eradicating the magnetic data fields on the disk media.

Degaussing permanently renders the hard disks unusable, and hence it is essential to exclude the media with important data. With this method, e-cycling is not possible. It also works for cassettes, reels, diskettes, and cartridge tapes. The process might, however, leave small amounts of residual data on the hard drive and is therefore not always 100% effective. It is advisable to use strong degaussing magnets to ensure certain data is permanently destroyed.

On the flip side, strong degaussing products can be quite expensive. Furthermore, they can have magnetic fields that are strong enough to cause collateral damage to all vulnerable equipment in the surrounding area.

Degaussing is not the right method to use if you are planning on using your drives again. This is because manufacturers cannot fix drives or honor warranties as a result of degaussing incidents.

The effectiveness of degaussing primarily depends on the density of the drive. However, experts say that degaussing capabilities can diminish over time as hard drive technology changes and drives become smaller. The effectiveness of the method also depends on the people carrying out the procedure. While all three techniques of data destruction are prone to human error, degaussing is particularly sensitive to the length of time and strength of the degaussers.

•Physical Destruction

There are several methods used by organizations in the physical decommissioning of data centers, such as melting, disk shredding, drilling drive cores, or any other physical damage that renders the media unusable.

Physical destruction offers the highest assurance that the data has been utterly destroyed. There is no possibility of someone reconstructing a melted disk.

On the other hand, physical destruction can be costly for firms with a lot of data to dispose of. There are high capital expenses in most physical destruction processes as they use machinery or hot furnaces.

According to experts, the physical destruction of data is not a financially sustainable strategy due to the expenses involved. Furthermore, the approach disregards most organizations’ sustainability programs. Even companies decommissioning their data centers have to bear huge costs due to the number of devices they have.

A few companies such as Intel have, however, found a way to efficiently destroy their data physically since they found transporting drives for degaussing to be impractical and insecure.

Data Destruction Laws
Technology has dramatically evolved over recent years, and so has information. Governments must, in turn, adjust their regulations to the changing landscape. There are a number of federal and state laws that currently mandate that firms must adequately manage and destroy their data to protect employees and consumers.

•HIPAA

The Health Insurance Portability and Accountability Act was introduced as the healthcare industry joined the digital era in both its administrative and clinical settings. The act protects the patient’s confidential records and directs their management.

Some of the destruction protocols in the HIPAA include:

Paper records should be burned, shredded, pulverized, or pulped until any information on them is rendered unobtainable and cannot in any way be reconstructed.

Opaque bags must be used to store labeled prescription bottles until a disposal contractor properly destroys them.

Digital information must be destroyed using either overwriting software or degaussing techniques.

•The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act was enacted in 1984 and has been amended six times now to adapt to data technology. The law basically prohibits anyone from accessing a computer without authorization. It was designed to punish hackers. The punishments can be quite severe, resulting in criminal convictions.

There are a handful of other acts, including the Sarbanes-Oxley Act of 2002 and the Fair and Accurate Credit Transactions Act, that regulate the way data is disposed of or destroyed.

When to destroy data
Some of the reasons that drive organizations to erase their data may dictate when the process of decommissioning data centers should be complete.

Legal compliance
Professionals are required by the law to keep and destroy data in a particular manner. Such rules, depending on the industry and e-cycling, may require some data to be destroyed on specific timelines. Other industries, such as medical, insurance, and cybersecurity, are governed by best practices and other guidelines that protect customer data.

Internal Policies
Your organization should have its own set of information retention and destruction protocols. These protocols should be based on already established organization regulations but should also establish new policies where no previous guidelines exist. A data destruction protocol should be part of every organization’s business process and not just an afterthought. For instance, if there are no regulations about portable storage like USB flash drives, your organization risks compromising its employees’ and customers’ data.

Tips for Proper Data Destruction
Information is a double-edged sword; as valuable as it can be to your business by helping you understand consumer trends, it can cost you dearly if mismanaged. The punishment could be hefty fines or even lawsuits, but perhaps the worst thing would be reputation damage.

Fortunately, there are easy and clear steps to keep your company data compliant.

•Establish a Data Decimation Policy

There is a need for formalized policies to manage the data destruction process. A firm must first clearly define which information it would like to keep. Not all the information is valued equally by the organization. Therefore, it is essential for any firm to clearly identify the documents that should be included in the destruction process. When selecting the data that should be destroyed, a company should involve representatives of all the company’s departments to ensure all the improvement opportunities and weak points are considered.

While it is advisable to create policies, enforcing them is just as important. You should periodically perform audits of the data destruction process and ensure that all the agreed requirements are being met.

•Digitize Records

Some companies are required by the law to keep hard copies of certain documents for a given period. These companies set e-data retention schedules and have techniques for destroying paper documents securely.

However, in most firms, paperwork is unnecessary. It is easy for people to make a photocopy of the paper, and you would never know until it is too late. No matter how meticulous a filing system is, the manager cannot tell when paperwork is missing or perform a fast audit.

Digitizing data has become a necessity for most firms in recent years. Data destruction software has also evolved to offer automatic data destruction processes. Managers can now easily manage the storage and destruction of sensitive data. The storage of data in the digital cloud also ensures that the e-cycling of storage media is possible.

•Take Advantage of Record Management Software

Record Management Software has been an excellent way for firms to protect e-data through its whole lifecycle. By performing independent audits and automating processes, the software alerts the user when documents and e-data have expired and need to be destroyed.

Retention of certain documents for longer than the law requires could result in fines. It is, therefore, crucial for companies to not only correctly destroy data but also to do so on time.

•Hire a Records Management Consultant

Regulations for data retention and destruction differ by state and by industry. To ensure that your firm stays compliant with the laws in your state, you should consider hiring the services of a records management consultant. The consultants can help you determine if your firm is storing and destroying data in compliance with the law to protect your company’s reputation.

•The cloud

There is a major concern among firms about how to integrate data destruction with the e-cloud. It is understandable, seeing as all companies are shifting their storage to the cloud. Without the physical storage, there is a lot of concern about data safety. If you wish to use these services, review the cloud service provider’s policy on data destruction and integrity to ensure their services will comply.

•Train your employees

It is also an excellent idea to sensitize employees on the information and comprehensiveness policy. It is a powerful system to ensure that the employee and client data is not put at risk of exposure. You can also teach your staff the importance of following federal regulations as they are only trying to protect the economy from competition-sensitive information.

Whether your firm needs to have paperwork or e-data destroyed, a destruction vendor could be a great option to keep your shelves clean. Before hiring a vendor, make sure that they meet all your company’s requirements and are qualified to offer protection to your employees and customers. If you are considering decommissioning data centers, it is also wise to consider hiring a data destruction vendor. For all of your e-cycling, data center decommissioning, and data center deconstructing needs, contact CJD E-Cycling.