We explore how digital data can be securely destroyed – and why it’s vitally important for any business to ensure it’s done properly
Dealer Support has delved into many of the reasons why the destruction of data is vitally important. With the General Data Protection Regulation (GDPR) coming into effect last May – immediately following tax season – awareness of how data should be treated, and the various processes involved in its life cycle, has been at an all-time high.
However, the one thing we haven’t previously discussed is how businesses can truly rid themselves of digital data. The digitalisation of physical files enables the user to properly and securely archive their work; we have looked at the shredding of those physical files – using various shredding grades, on or off-site, depending on what is more secure – but what about when the now-digitised information needs destroying? Dealers and resellers should know how and why data disposal might be needed, in order to pass this guidance on to customers; now is a good time to update your existing record destruction services.
Get processes in place
There are many reasons why digital data would need to be wiped – not just relating to new GDPR requirements. “Any public sector is going to be under scrutiny if they suffer a security breach,” explains Mikey Anderson, partner programme manager at Ontrack – a business which specialises in both recovering and securely getting rid of digital data for good. He goes on to recall a case in 2008 where four hard drives containing the sensitive personal data of 79,000 NHS patients were sold on eBay; the seller had been sub-contracted to destroy said hard drives. “Cases like this highlight that, in these situations, it’s top priority to be secure and have processes in place,” he continues.
There are two main ways to destroy data – the hardware route and the software route. In terms of software, there are many businesses offering disposal services; this will often involve a program which completely overwrites all of the space on the storage device with ones and zeros. What’s left is a ‘zeroed-out’ piece of hardware (the technical term for a device that has been through this process) which even a recovery company won’t be able to dig into for information. The ‘zeroing-out’ is conducted a number of times, just to ensure there’s nothing left on the device; while one pass is normally enough, organisations which rely heavily on ensuring they remove sensitive data may perform up to 50 passes of the process. “Three passes is fine and will get rid of even the most intricate data,” Mikey confirms.
Types of destruction
The hardware route involves destroying the physical device or drive, by shredding or smashing it, or by degaussing; this is where the device is subjected to a magnetic pulse which damages the physical drive and destroys any data on it. This method allows the parts to still be used afterwards, but the data is inaccessible.
Shredding or destroying drives in these ways involves processes which are either very noisy or require specialist equipment, meaning they often happen off-site. This brings security into question; the previous story regarding the NHS data breach provides a cautionary tale about putting faith in outsourcing.
Personal data is just that – personal – and has to be protected at every stage of its life cycle. GDPR states that data must be erased sufficiently at the end of its life and that customers now have the power to request that their information is destroyed; individual businesses are likely to have their own data retention policies over and above this. For example, it might be a requirement that employee e-mail data is saved for five years and, at the end of that time, the employer has to ensure the data is disposed of beyond recovery. Perhaps an employee leaves and their laptop needs to be wiped; the employer must ensure that the next person to use that laptop can’t simply run a recovery program and bring the original data back.
Certain sectors will do both – wipe the data with software and destroy the hardware separately. Peace of mind is worth the additional security measures; lest we forget, failure to adhere to GDPR can cost as much as four per cent of annual global turnover, or €20m – whichever is higher. The cost of a data breach, the new data regulation notwithstanding, can also bring down a business – or, at least, heavily impact its reputation.
“We provide a service where our customers will send us drives and devices that they have destroyed the data on themselves, and we see how well they’ve done it by attempting to recover the information,” says Mikey. “In many cases, we’re able to find that data and read all of it if we want to. It really shows companies that they need to look more closely at their processes.”
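The software route and the follow-up check described above can be sketched in a few lines. This is an added example, not code from Ontrack or Dealer Support: it overwrites a target with zeros for a chosen number of passes, then scans it sector by sector for anything left behind. The function names and the sample image are constructed for illustration.

```python
# Added illustration; function names and the sample image are constructed.
import os
import tempfile

CHUNK = 1 << 20      # read/write 1 MiB at a time
SECTOR = 512         # granularity used when reporting residue

def zero_out(path, passes=3):
    """Overwrite the whole target with zeros `passes` times, syncing after each pass."""
    zeros = bytes(CHUNK)
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)   # seek-based size also works for block devices
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                left -= f.write(zeros[:min(CHUNK, left)])
            f.flush()
            os.fsync(f.fileno())        # push the pass to the device, not just the cache
    return size

def find_residue(path):
    """Return the byte offset of every sector that still holds non-zero data."""
    dirty, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):        # skip chunks that are all zero
                for i in range(0, len(chunk), SECTOR):
                    if any(chunk[i:i + SECTOR]):
                        dirty.append(offset + i)
            offset += len(chunk)
    return dirty

def demo():
    """Constructed 4 MiB image: wipe it, verify it, then simulate a missed sector."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"patient-record;\n" * 262144)    # constructed sample data
    try:
        before = len(find_residue(tmp.name))
        size = zero_out(tmp.name, passes=3)
        clean = find_residue(tmp.name)
        with open(tmp.name, "r+b") as f:            # simulate a region the wipe missed
            f.seek(3 * SECTOR + 7)
            f.write(b"leftover")
        missed = find_residue(tmp.name)
        return before, size, clean, missed
    finally:
        os.unlink(tmp.name)
if __name__ == "__main__": print(demo())
```

An overwrite issued through the normal read/write interface cannot reach sectors that an SSD or a failing disk has remapped internally, so a clean scan covers only the addressable space.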
It’s important to remember that destroying data is not necessarily a one-size-fits-all solution; degaussing, for example, differs depending on the amount of data on the drive, and a degausser that works perfectly for a few megabytes of data won’t work for the same number of terabytes. “The solution needs to be compatible,” Mikey continues. “It’s worth making sure the process is water-tight no matter what vertical you’re in. Regardless of the company, its reputation will be damaged if information is leaked or recovered by a criminal – you never know what can happen.”
Dealers offering refurbished devices, data disposal services, IT refresh services or those that are simply looking to move further into the IT sector must be aware of this need for increased security regarding digital data. Don’t get caught out – get zeroed-out.