Clear, Purge &amp; Destroy: When Data Must be Eliminated, Part 2

Part 2 of a 2-part series on information disposal requirements

In part 1, we considered the growing demands on companies to delete data, whether individual files or entire devices. This month we review best practices for eliminating that data.

Not surprisingly, the National Institute of Standards and Technology is the leading authority. According to NIST’s widely adopted Guidelines for Media Sanitization, also known as Special Publication 800-88 Rev. 1, data sanitization requirements primarily depend upon two factors: the type of media upon which the data resides and the sensitivity of the data itself.

As for media type, NIST breaks down its recommendations based on the following nine categories: hard copy storage (such as paper); networking devices (like routers and switches); mobile devices (phones and tablets); office equipment (copiers and printers for example); magnetic media (internal hard drives, external floppy disks and tapes); peripheral devices (external, but locally attached, hard drives); optical media (CD, DVD, Blu-ray); flash memory (including a wide range of assets, such as solid state drives, USB removable media, memory cards, and embedded flash memory on motherboards or network adapters); and RAM/ROM-based storage.

NIST also proposes three different sanitization techniques based on the sensitivity of the data, as well as whether the media will remain with the company after sanitization or repurposed for third-party use. These three techniques, which vary in the levels of security protection they afford, are defined using the terms Clear, Purge and Destroy.

Clearing data is the most common sanitization method. It is meant to prevent data from being retrieved absent the use of “state of the art” laboratory techniques. Clearing often involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings.

Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Conventional methods include degaussing (for magnetic media) and, where data is encrypted, using a method called Cryptographic Erasure to sanitize the cryptographic key rather than the related data.

Destroying data is designed not merely to render the information unrecoverable, but also to hinder any reuse of the media itself. As a result, destruction is a satisfyingly physical process that may involve shredding media to pieces, disintegrating it to parts, pulverizing it to powder or incinerating it to ash.

Regardless of method, NIST recommends that organizations test the sanitizing tools they use, train employees and use representative sampling to verify the elimination of data. Organizations also should check whether any data is subject to retention requirements before getting trashed.

Fortunately, adopting and implementing an adequate data sanitization program is not an impossible mission. Nor is it Mission Impossible. Left to their own devices (pun intended) your organization’s data will not self-destruct in five seconds. Your mission, therefore, should you decide to accept it, is to implement a sound sanitization program. As always, should you or your IT force fail, your company may disavow any knowledge of your actions. Good luck.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.