As important as it is to back up your data securely, it is equally vital to dispose of your obsolete data effectively and according to applicable regulations. In this issue, we discuss options and policies you should consider when it comes to destroying data at your organization.
Yes, you read the title correctly. I know it may seem strange; after all, technology media outlets (Optimal Impact included) continue to reiterate the importance of data backup, recovery, and restoration. While companies focus on data retention, however, there seems to be a tendency to neglect the crucial flip side of the coin: data destruction.
Protecting Your Organization
Did you know that deleting a file does not erase it from the hard drive? Simply deleting files using Windows Explorer usually only removes the directory entry that points to them; the file contents stay on the disk until those sectors happen to be overwritten, and they are fairly easily recovered. Formatting a hard drive is not enough to erase its contents, either.
Privacy protection laws require secure data management and data destruction of all customer and employee information. In almost any industry, the personal information collected in the course of doing business requires your organization's compliance with a variety of information security and privacy laws. By considering the nature of your business and reviewing laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair and Accurate Credit Transaction Act (FACTA), you may find that your organization is in critical need of a data destruction policy. Where do you start?
Your Media, Your Options
First of all, take an inventory of the media that contain sensitive information. This list may include some or all of the below:
- Hard Drives (laptops, desktops, servers)
- Backup Magnetic Tapes
- Floppy and Zip Disks
- Optical Media (CDs, DVDs)
- Offsite backup storage
Once you’ve identified them, decide how often these items must be destroyed. You may also find that your industry has specific rules about how you get rid of your electronic media, so make sure that you are aware of them.
Next, choose a destruction method:
- Physical Destruction. This is the only method that is 100% effective. Physically destroying small data sources like CDs and DVDs in-house with a cross-cut shredder is easy enough, but destroying larger devices, including computer hard drives, must be done by an outside contractor. Companies should ask vendors to explain their destruction practices and to supply a certificate of destruction when the work is complete.
- Degaussing (demagnetizing). In this method, magnetic data sources (e.g., floppy disks, hard drives, reel-to-reel tapes) are exposed to a powerful magnetic field, obliterating any data they contain. Degaussing requires specialized equipment, however, and is not suitable for nonmagnetic data sources like CDs and DVDs. Note that the use of this method of data erasure does not render the media unusable.
- Software. There are various types of software that you can find to delete information. Keep in mind, however, that at this point in time, degaussing and physical destruction are the only methods that are 100% proven to remove sensitive data from a disk and make it completely unrecoverable.
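The two points above, that a plain delete only drops the directory entry (as noted under "Protecting Your Organization") and that software erasure means overwriting the blocks before deleting, are easiest to see on a toy disk where the raw media can be scanned directly. The following is an added illustration written for this article, not code from the newsletter or from any wiping product. The ToyDisk class, block size, file names and the sample customer record are all constructed; the model deliberately ignores journaling, copy-on-write, wear levelling and remapped sectors, which is exactly why an overwrite on a real drive (the overwrite_real_file helper at the end) carries no guarantee and why the article favours degaussing or physical destruction.

```python
"""Toy block-device model: why 'delete' is not 'erase', and what an
overwrite pass changes. Constructed example, not the article's code."""
import os
import secrets
import tempfile

BLOCK_SIZE = 16  # constructed: tiny blocks keep the model readable


class ToyDisk:
    """A flat byte array plus a directory mapping names to block ranges.
    This mimics the directory/data split of a real filesystem and nothing
    else (no journal, no spare area, no wear levelling)."""

    def __init__(self, blocks: int):
        self.media = bytearray(blocks * BLOCK_SIZE)
        self.directory: dict[str, tuple[int, int]] = {}  # name -> (first_block, n_blocks)
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        n_blocks = -(-len(data) // BLOCK_SIZE)  # ceiling division
        start = self._next_free
        if (start + n_blocks) * BLOCK_SIZE > len(self.media):
            raise OSError("toy disk full")
        offset = start * BLOCK_SIZE
        self.media[offset:offset + len(data)] = data
        self.directory[name] = (start, n_blocks)
        self._next_free += n_blocks

    def delete(self, name: str) -> None:
        """What 'Delete' in a file manager does: drop the directory entry only."""
        del self.directory[name]

    def overwrite_and_delete(self, name: str, passes: int = 2) -> None:
        """Software wipe: overwrite the file's blocks (random, then zeros), then delete."""
        start, n_blocks = self.directory[name]
        offset, length = start * BLOCK_SIZE, n_blocks * BLOCK_SIZE
        for i in range(passes):
            fill = secrets.token_bytes(length) if i < passes - 1 else bytes(length)
            self.media[offset:offset + length] = fill
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """A recovery tool's view: ignore the directory, scan the raw media."""
        return needle in self.media


def demo() -> dict[str, bool]:
    """Compare plain delete with overwrite-then-delete on the toy disk."""
    secret = b"SSN:123-45-6789;card:4111-1111-1111-1111"  # constructed sample record
    results = {}

    disk = ToyDisk(blocks=8)
    disk.write_file("customers.txt", secret)
    disk.delete("customers.txt")
    results["recoverable_after_delete"] = disk.carve(secret)  # True

    disk = ToyDisk(blocks=8)
    disk.write_file("customers.txt", secret)
    disk.overwrite_and_delete("customers.txt")
    results["recoverable_after_overwrite"] = disk.carve(secret)  # False
    return results


def overwrite_real_file(path: str, passes: int = 2) -> int:
    """Same pattern on a real file: overwrite in place, fsync, then unlink.
    Returns the number of bytes overwritten. Only meaningful on media that
    write in place; SSDs, journaling and copy-on-write filesystems may keep
    the old blocks elsewhere, so this is not a substitute for destruction."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size) if i < passes - 1 else bytes(size))
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo_real_file() -> tuple[int, bool]:
    """Run overwrite_real_file on a throwaway temp file.
    Returns (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed customer record" * 10)  # constructed content
    size = overwrite_real_file(path)
    return size, os.path.exists(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("real file:", demo_real_file())
```

The carve() method is the whole lesson: a recovery tool never consults the directory, so removing the entry changes nothing it can see, while the overwrite pass replaces the bytes it would find. The directory tells the operating system where a file is; it does not hold the data.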
Things to Consider
Before you create your organization’s data destruction policy, ask yourself the following questions:
- Did you research industry standards for the data life cycle? How do they compare with your organization’s current policy on data retention? Have you discussed these issues with an attorney?
- Is there a process in place to determine if the items you are destroying should be destroyed?
- Is someone responsible for recording an inventory of what is on the media before it is destroyed?
- Have you found a reputable organization that facilitates data destruction? Does the company send you certificates of destruction that would hold up in a court of law?
Last Word
All companies should follow a life-cycle approach to secure information that will eventually be destroyed. And, whatever secure data destruction policy your organization implements, note that the end result should be to render unauthorized access to the data impossible. It will cost money, but the total cost would be negligible compared to the money your organization would be forced to pay if found non-compliant with security and information privacy laws.
Have questions about the information contained within this article? Or, is there a new technology topic you would like to learn more about? We want to hear from you! Email us and tell us. Your topic may be covered in an upcoming issue of Optimal Impact!