It’s no secret that our computer hard drives contain a lot of things we’d rather keep secret. Because the information security field is my home turf, I’m troubled by some of the loose talk I hear about how to destroy used drives. There is a whole lot of bad advice online, especially. Here, paraphrased, are some comments I found recently with a simple Web search:
“I just take my old hard drives out to the parking lot and bash them with a big hammer.”
“I’d toast them with a blowtorch if I were you.”
“Cook them in the oven at very high heat, then plunge them into a bucket of ice water.”
“An acid bath is the way to go.”
“Shoot a hole through each one with a pistol – the larger the caliber, the better.”
If you have time to waste, gloves on your hands, and safety goggles on your eyes, some of these methods might even work. But businesses that have to deal with liability, workplace safety, and the disposal of multiple hard drives will have a problem with these methods. Besides, even if carried out as recommended, most of these measures are far less than 100% effective.
Hard drive destruction is best accomplished with proven equipment that is safe, easy to use, and, most importantly, effective. The equipment should give you peace of mind — the assurance that no one is going to recapture a bit of data off your discarded drives. This is not as paranoid a view as it used to be. Data-recovery technology continues to advance by leaps and bounds, and there are many techniques for recovering information from seriously damaged drives — you’d be surprised. The U.S. National Security Agency (NSA) has developed guidelines that require hard drives used by federal-government agencies or their contractors to be degaussed (demagnetized) and incinerated or otherwise physically damaged prior to disposal.
But don’t think that just because you aren’t a government agency you don’t need to be vigilant about the disposal process. There are real risks of information (tax records, bank-account and credit-card numbers, etc.) falling into nefarious hands, not to mention there is information your competitors would love to see, such as price lists, sales figures, customer data, engineering data, memos drafted in preparation for bidding, e-mails from the president to his mistress, etc. Aside from damage to one’s reputation, there is the possibility of a lawsuit from an employee, customer, patient, or other individual who claims he or she was harmed by the release of his/her private information.
Although every enterprise has old drives that should eventually be destroyed, different facilities have different security needs, and that is why there are different kinds of safe and effective hard-drive-destruction equipment on the market. There are more options than ever before, and the trick is finding the right solution/equipment (or destruction service) for your hard drives.
A Job Worth Doing...
Just one hard drive can contain hundreds of thousands of files. When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of all online activity. Even reformatting or overwriting may not be enough to prevent confidential/proprietary/sensitive data from being recovered by a determined individual using the right techniques and equipment.
In light of the above, I favor a “belt & suspenders” approach — two proven methods of data destruction for absolute certainty. But there is more to information security than choosing the right destruction equipment. What you do with old drives prior to destruction is just as important. Keep them in a secure location prior to destruction, or they could be long gone before you even know they are missing. And keep records!
For any facility, I strongly recommend instituting a comprehensive information-security program — written procedures that must be followed. Such procedures should include detailed recordkeeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed. The program should also include careful documentation of destruction dates and methods and a plan for in-house monitoring/verification. You never know when these records will come in handy.
Proper training is a must. These procedures should only be carried out by trusted employees or a security service, and supervised by management. By the way, if you have a written policy that calls for destruction of records on a regular schedule, it looks less arbitrary and suspicious if documents are missing when requested in the course of litigation or an audit.
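As an added illustration of the recordkeeping and verification the program above calls for (this is example code written for this page, not something from the article or any vendor), the following Python script keeps a small chain-of-custody ledger in which every entry carries a hash of its own fields and of the previous entry, so that a backdated or deleted record is detectable, and then audits each drive's history against the recommendations in the text: a removal record with serial number, source computer and date; a storage record; supervised destruction steps; at least two destruction methods; and written certification. The event names, field names, drive serials, dates and operator names are all constructed for the example.

```python
"""Tamper-evident chain-of-custody ledger for drives awaiting destruction.

Added example, not from the article. Event names, field names and the
sample drives are constructed; the checks in audit() encode the article's
recommendations (serial/computer/date on removal, secure storage, two
destruction methods, supervised steps, written certification).
"""
import copy
import hashlib
import json

DESTRUCTION_METHODS = {"degauss", "crush", "shred", "disintegrate"}
GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, fields):
    """Hash the canonical JSON of an entry together with its predecessor's hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append(ledger, **fields):
    """Append an entry; its hash covers its own fields and the previous hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = dict(fields, prev=prev, hash=_entry_hash(prev, fields))
    ledger.append(entry)
    return entry


def verify_chain(ledger):
    """Return the index of the first entry that no longer matches its hash, else None."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        fields = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, fields):
            return i
        prev = entry["hash"]
    return None


def audit(ledger):
    """Return (serial, problem) pairs for every drive whose history is incomplete."""
    findings = []
    history = {}
    for e in ledger:
        history.setdefault(e["serial"], []).append(e)
    for serial, events in history.items():
        kinds = [e["event"] for e in events]
        destroyed = [e for e in events if e["event"] == "destroyed"]
        methods = {e["method"] for e in destroyed}
        if "removed" not in kinds:
            findings.append((serial, "no removal record (source computer and date unknown)"))
        elif "stored" not in kinds:
            findings.append((serial, "no secure-storage record before destruction"))
        for m in sorted(methods - DESTRUCTION_METHODS):
            findings.append((serial, f"unrecognised destruction method '{m}'"))
        if destroyed and len(methods) < 2:
            findings.append((serial, f"only one destruction method ({', '.join(sorted(methods))})"))
        if destroyed and "certified" not in kinds:
            findings.append((serial, "destroyed but not certified in writing"))
        if any(not e.get("supervisor") for e in destroyed):
            findings.append((serial, "destruction step without a recorded supervisor"))
    return findings


def build_sample_ledger():
    """Constructed history for three drives: one compliant, two with gaps."""
    ledger = []
    # Drive 1: fully documented, two methods, supervised and certified.
    append(ledger, serial="WD-CONSTRUCTED-0001", event="removed", date="2009-03-02",
           computer="PC-0042", operator="j.doe")
    append(ledger, serial="WD-CONSTRUCTED-0001", event="stored", date="2009-03-02",
           location="Cage B", operator="j.doe")
    append(ledger, serial="WD-CONSTRUCTED-0001", event="destroyed", date="2009-03-10",
           method="degauss", operator="j.doe", supervisor="m.roe")
    append(ledger, serial="WD-CONSTRUCTED-0001", event="destroyed", date="2009-03-10",
           method="shred", operator="j.doe", supervisor="m.roe")
    append(ledger, serial="WD-CONSTRUCTED-0001", event="certified", date="2009-03-10",
           certificate="CERT-CONSTRUCTED-17", operator="m.roe")
    # Drive 2: crushed once, never certified.
    append(ledger, serial="ST-CONSTRUCTED-0002", event="removed", date="2009-03-04",
           computer="PC-0017", operator="j.doe")
    append(ledger, serial="ST-CONSTRUCTED-0002", event="stored", date="2009-03-04",
           location="Cage B", operator="j.doe")
    append(ledger, serial="ST-CONSTRUCTED-0002", event="destroyed", date="2009-03-10",
           method="crush", operator="j.doe", supervisor="m.roe")
    # Drive 3: turns up at the shredder with no inventory record at all.
    append(ledger, serial="HT-CONSTRUCTED-0003", event="destroyed", date="2009-03-10",
           method="shred", operator="j.doe", supervisor="m.roe")
    return ledger


def demo():
    """Verify the constructed ledger, show a backdated entry being caught, and audit it."""
    ledger = build_sample_ledger()
    tampered = copy.deepcopy(ledger)
    tampered[2]["date"] = "2009-04-01"  # someone backdates a destruction step
    return {
        "chain_ok": verify_chain(ledger) is None,
        "tampered_at": verify_chain(tampered),
        "findings": audit(ledger),
    }


if __name__ == "__main__":
    for serial, problem in demo()["findings"]:
        print(serial, problem)
```

The hash chain only proves that the ledger has not been altered since the entries were written; it does not prove the entries were true when written, which is why the text also calls for supervision and in-house verification. In a real deployment the ledger would be appended to a file or database and the most recent hash recorded somewhere outside the ledger itself (in a supervisor's log, for instance), so that truncation of the whole tail can also be noticed.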
Tools of the Trade
When is a hard drive really destroyed enough to prevent recovery of information it once held? That is debatable. Here are some choices for the safe removal of data:
- Overwriting the drive. “Disk-wiping” software is used to replace stored data with a pattern of meaningless characters. I felt obligated to mention this method, but I do so with reservations. There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten. U.S. Department of Defense guidelines recommend this step for operable drives bound for disposal, prior to degaussing and/or destruction. But one overwriting “pass” is not enough, and this method must be carried out by someone who is patient and careful and understands the process, as it is time-consuming, and the time required depends on the age and size of the drive.
- Degaussing. Degaussing is one of those words that evoke images of a mad scientist and large static discharges in the laboratory. Degaussing is simply the elimination of a magnetic field. There are two major methods of degaussing. The first method permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets. The second method uses a powerful electromechanical pulse that instantaneously generates a powerful magnetic field to permanently erase data from disks in an enclosed chamber. The degausser must be rated for a field strength high enough to overcome the coercivity (resistance to demagnetization) of the drive’s magnetic media and completely erase its stored information. If it isn’t, the whole process is a waste of time. Degaussing is more effective than overwriting, but here, too, training is essential.
- Crushing. This method subjects drives to extreme pressure from a conical steel punch or similar device. Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models. Although a deformed drive is inoperable, some information residing on its platter could still be intact, albeit much harder to retrieve.
- Shredding. Hard-drive shredders rip drives to randomly sized strips. The shredding process is much the same as in an ordinary paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives. These shredders are also good for destroying cell phones, PDAs, electronic organizers, and other data-storage devices. Some data could be retrieved from the shreds by a determined thief, but with great difficulty.
- Disintegration. “Mechanical incineration” by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and unreconstructible. For hard drives, this is typically done after shredding. Disintegration is similar to shredding, although the end particles are much smaller and more damaged.
While all of these methods are effective, I favor a two-stage approach that combines degaussing with crushing or shredding. For the ultimate, choose degaussing, followed by shredding, followed by disintegration. Ideally, the decision to purchase destruction equipment and the implementation of a destruction program would be based on security needs, not on cost. But in a practical world, there are budgets to be met. Degaussers, shredders, and disintegrators all come in different sizes and capacities. While some of these units are relatively inexpensive ($1,000 to $5,000), others could run as high as $50,000.
The Outsourcing Option
For some businesses, the peace of mind that comes from knowing sensitive records will never leave their facilities intact makes the investment in destruction equipment worthwhile. Even so, many companies simply cannot afford to purchase this equipment for the relatively few items they need to destroy. These businesses may choose to outsource such destruction. Aside from budgetary considerations, if you rarely need to purge your files, only destroy 10 hard drives a year, or would simply rather not destroy sensitive materials on your own premises, by all means find a reputable destruction service. If you choose this option, be sure to do your homework thoroughly. Evaluate a service provider and its security protocols before signing the contract. Here are some questions to ask:
- If the service will pick up your hard drives, how will it transport them to the destruction facility? Does the service offer locked, trackable transport cases with tamper-proof security tags?
- Does the service require a long-term contract or a monthly minimum?
- Upon arrival at the facility, will your items be inventoried by serial number (or barcodes correlated with serial numbers) and stored in a locked, monitored area? How long are they likely to remain there awaiting destruction?
- Are job applicants thoroughly screened? Is the facility monitored around the clock by security cameras?
- What destruction methods will be used? Degaussers? Shredders? Disintegrators?
- Has the facility’s equipment been evaluated by the NSA/CSS?
- What proof will you have that items were actually destroyed? Would you be allowed to watch the destruction in person or on video?
- Will the destruction of your items be logged and certified in writing?
- What happens to destroyed waste? Computers contain valuable and toxic materials. Are these recycled in accordance with pertinent regulations?
- Is the facility bonded and insured, and to what limits?
If the service you are considering passes all the above tests, visit the facility in person. Even if you like what you see there and end up giving the company your business, it is a good idea to pop in from time to time for a surprise inspection.
And please note that a certificate of destruction does not free you from your legal responsibility. If a destruction contractor certifies that your confidential data was destroyed, yet the data surfaces somehow, you are still liable for damages suffered by the injured parties.
Methodical Choices Protect Your Business
Sometimes the best overall destruction/disposal solution is a combination. For example, you might choose to degauss your hard drives in house and then send the degaussed drives to a service for the next stage, such as shredding and/or disintegration. You still get “belt & suspenders” — by choosing two (or more) destruction methods, you protect yourself against human error if someone falls down on the job at one stage or the other.
Although information-security programs will differ according to facility size and mission, every field of endeavor these days must address the disposal of sensitive electronic records. Confidential patient records are just as important to a small medical practice, for example, as proprietary product designs are to a large corporation. A wide selection of effective equipment is available to help a facility establish a program that meets its particular needs. Data security is an ongoing process, but by learning about threats and understanding destruction options, you will be in a much better position to protect yourself and your business.