The Criticality of On-Site Data Destruction in Secure IT Asset Disposal

November 21, 2018 at 3:38 pm by Heidi White

As the world marches inexorably towards a completely digital future, there is an ever-increasing demand for cloud-based data storage. To accommodate this digital sprawl, expansive data centers are being built at a rapid rate, with their servers continuously writing and overwriting data onto increasingly dense hard drives, with absolutely no downtime. As a result, data centers are constantly removing and replacing hard drives as they fail. The big question: what happens to the old drives?

The answer is not a simple one. Several methodologies are utilized for end-of-life data disposal, many of which are determined by security compliance requirements — such as NSA, NIST, HIPAA, and more recently GDPR — as well as health, safety, and environmental standards. In addition, volume of e-waste and drive type also come into play when determining the best solution for IT asset disposition, or ITAD. Regardless of the methodology employed, the commonality of secure ITAD is the critical importance of complete data sanitization.

News stories on data breaches, cybersecurity threats, and compromised personal information have become a daily occurrence, and both rotational hard disk drives (HDDs) and solid state drives (SSDs) store vast amounts of data on small surfaces. Even when these devices are cracked, scratched, or broken, data is still retrievable from remaining fragments — as long as the remaining pieces are large enough. Drilling into a platter-based hard drive or snapping a solid state drive into several pieces is largely ineffective at preventing the possibility of data retrieval. Likewise, erasure, overwriting, and/or reuse of hard drives is a completely inadequate method of end-of-life data disposal. Erasure and overwriting frequently miss small blocks of data on the drive, making reuse an absolute security disaster. Even small amounts of personal or sensitive data left on a drive can result in catastrophe if the device is compromised. Any company truly concerned about secure ITAD understands that total destruction of the drive is the only acceptable option.

HDD and SSD destruction is accomplished through crushing, shredding, or disintegration of the drive, and the ultimate solution is largely dependent upon drive type, volume, and security requirements. In addition, convenience, operator health and safety, space limitations, user interface, noise concerns, and budget also have an impact. Choosing the right solution isn’t as simple as picking a shredder from a catalog, and instead requires a comprehensive situational consultation and assessment. Because most manufacturers of data destruction devices don’t offer consultative services, many data centers, hospitals, educational, and financial institutions find themselves frustrated with the process and instead turn to outside vendors to manage their data destruction – a decision that invites the potential for serious consequences.

Third party data destruction services are available as either off-site or on-site. Off-site services pick up discarded drives at the client’s location and transport them to a data destruction center. The inherent risk with off-site data destruction is three-fold:

  1. Allowing drives with live data to leave the premises increases liability.
  2. Some less-than-savory off-site destruction companies have been known to employ questionable business practices. For example, one company caught their disposal vendor trying to outsource destruction to a third party, and then caught a different vendor selling off old devices rather than destroying them, even though their contract explicitly said not to do so.
  3. The extended chain of custody with off-site destruction exacerbates risk.

Third party on-site data destruction is a better option, but still carries with it some uncertainty. Third-party destruction services only provide the most commonly utilized destruction devices; therefore, unique devices and more stringent regulatory requirements present challenges to many third-party providers. In addition, drives still physically leave the premises and are in the hands of people not in the drive owner’s employ. Unfortunately, the introduction of each and every outside element adds a layer of risk that exponentially increases liability.

SEM’s degauss, destroy, document bundle provides audit-proof peace of mind for secure information end-of-life. NSA listed and NIST compliant.

Clearly, the safest, most secure methodology for sensitive end-of-life asset disposal is in-house, on-site hard drive destruction. Fortunately, solutions exist that readily meet the strictest regulatory, health, safety, and environmental requirements, as well as accommodate today’s more rugged enterprise drives and ever-increasing drive volume. Shredders and disintegrators are available with different final particle shred sizes, horsepower, throughput, and even noise level, and degaussing and crushing solutions are available that meet even the NSA’s stringent two-step requirement for secure HDD disposal. The most demanding organizations will even find the availability of comprehensive in-house documentation options that provide a fully audit-proof destruction paper trail for meticulous record-keeping that mitigates liability.

One question remains: what is the best in-house data destruction setup? The reality is that there is no easy answer. Determining the most efficient and effective solution can pose a challenge without proper guidance, and most data destruction solution providers have limited depth of expertise. After all, the demand for large-scale secure data destruction is relatively new, as data centers didn’t even exist until the early 1990s. Having been in the secure information destruction business since 1967, SEM provides a unique approach to end-of-life ITAD by working as a trusted partner with our clients, who benefit from our extensive industry knowledge and decades of experience with top secret government clients and their demanding destruction requirements. The good news is that once the most cost-effective and secure in-house data destruction solution has been determined, security-focused organizations enjoy the ultimate in data protection, efficiency, and peace of mind.

Is Your Data Disposal Plan GDPR-Ready?

at 3:29 pm by Heidi White

With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identity theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

For example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict with an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.

Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.