7 Essential Elements of a Chain of Custody for Secure Data Destruction

September 5, 2025 at 7:32 pm by Paul Falcone

When it comes to securely destroying sensitive or classified information, maintaining a chain of custody is essential. With regulations like HIPAA, GDPR, and GLBA becoming stricter, a failure to maintain a proper chain of custody could expose an organization to fines, lawsuits, and, in some cases, reputational damage. But what exactly does a secure chain of custody look like, and why is it so important?

Critical Shreds

  • A documented chain of custody is essential for compliance and security, protecting organizations from legal, financial, and reputational risks.
  • Every step of the data destruction process must be logged and verified.
  • The use of secure tools and tracking systems can strengthen the chain of custody.
  • Involving internal compliance and security teams is critical in closing any potential gaps in the chain of custody.

Clear Documentation of Ownership and Responsibility

The chain of custody starts from the moment an asset is deemed end-of-life, whether it’s a hard drive, printed document, or other data-bearing device. The first thing you need is clear documentation of who owns the asset, where it’s coming from, and when it was taken out of service.

Secure Collection and Transport

Once the materials are identified for destruction, they need to be securely collected and transported to the destruction site. This is a key part of the process because, without proper safeguards, the data can become compromised in transit. Secure, tamper-proof containers are a necessity, and every step of the journey must be logged: who handled the materials, where they were stored, how they were transported, and when they were moved.

Verified Receipt and Storage

Once the materials arrive at the destruction facility, they should again be verified, logged, and stored securely until they are destroyed. This phase is where efforts to document the data’s every movement should be double-checked to ensure nothing is lost, misplaced, or accessed improperly while waiting for destruction. It may seem repetitive, but it is a crucial step in protecting end-of-life data that is classified as sensitive or top secret.

Tracking Destruction with Serial Numbers or Barcodes

Each item should be tagged with a unique identifier, whether that is a unique serial number or a barcode, to track its progress throughout the destruction process. This makes it easy to know exactly where an asset is in the chain of custody at any given moment.

For example, the SEM iWitness Media Tracking System plays a key role in maintaining the chain of custody during the destruction of magnetic hard drives. First, the system scans the drive’s unique barcode before degaussing. Once degaussing begins in the Model EMP1000-HS degausser, a barcode appears on the screen that can also be scanned, documenting the drive’s erasure status. This data can then be exported and added to the chain of custody, providing proof that the drive’s data has been successfully destroyed.

Audit Trail and Real-Time Logging

An audit trail is one of the most crucial aspects of maintaining a secure chain of custody. This involves documenting every action, every time: who handled the asset, when, and what was done. Ideally, this should be done in real time. Since audits focus on media sanitization, compliance regulators want documented proof that data-bearing devices are properly destroyed, which a detailed chain of custody can prove.

Witnessing the Destruction Process

In many cases—especially when dealing with highly sensitive or classified data—the destruction process should be witnessed by an authorized individual, such as another internal staff member. The idea is to make sure someone is present to confirm that destruction happens as promised. (And you guessed it: the names of the witness and person conducting the destruction should also be logged!)


Destruction Certification and Final Documentation

After destruction is complete, a certificate of destruction should be issued. This certificate should provide a full summary of the destruction process: the items destroyed, the method used, and the date and time of destruction. This is the last and final step in proving that the end-of-life data was successfully destroyed.
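The seven elements above can be checked mechanically before a certificate is issued. The following is an added example, not SEM's software or the iWitness export format: a hash-chained custody log plus a per-asset audit that reports missing stages, missing details and an operator acting as their own witness. Stage names, field names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

# Stages follow the article's elements, in the order an asset passes through them.
STAGES = ["retired", "collected", "received", "destroyed", "certified"]
# Details each stage must record (stage and field names are assumptions).
REQUIRED = {
    "retired": ["owner", "origin"],
    "collected": ["container_seal", "transport"],
    "received": ["storage_location"],
    "destroyed": ["method", "witness"],
    "certified": ["certificate_id", "method"],
}
GENESIS = "0" * 64


def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log, asset_id, stage, handler, when, **details):
    """Append one custody event, chained to the previous entry's hash."""
    record = {"asset_id": asset_id, "stage": stage, "handler": handler,
              "when": when, "details": details}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})


def first_broken_link(log):
    """Return the index of the first altered, removed or re-ordered entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def audit_asset(log, asset_id):
    """List custody gaps for one asset tag; an empty list means none were found."""
    events = [e["record"] for e in log if e["record"]["asset_id"] == asset_id]
    seen = [e["stage"] for e in events]
    findings = [f"missing stage: {s}" for s in STAGES if s not in seen]
    findings += [f"unknown stage: {s}" for s in seen if s not in STAGES]
    order = [STAGES.index(s) for s in seen if s in STAGES]
    if order != sorted(order):
        findings.append("stages out of order")
    # Timestamps are ISO 8601 UTC strings in one format, so they compare as text.
    for earlier, later in zip(events, events[1:]):
        if later["when"] < earlier["when"]:
            findings.append(f"timestamp goes backwards at {later['stage']}")
    for e in events:
        if not e["handler"]:
            findings.append(f"{e['stage']}: no handler recorded")
        for field in REQUIRED.get(e["stage"], []):
            if not e["details"].get(field):
                findings.append(f"{e['stage']}: missing {field}")
        if e["stage"] == "destroyed" and e["details"].get("witness") == e["handler"]:
            findings.append("destroyed: witness is the same person as the operator")
    return findings


def build_sample_log():
    """Constructed sample data: asset tags, names and seal numbers are made up."""
    log = []
    a, b = "HDD-0001", "SSD-0002"
    append_event(log, a, "retired", "j.doe", "2025-09-01T09:00:00Z",
                 owner="Finance", origin="Rack 12")
    append_event(log, a, "collected", "j.doe", "2025-09-01T10:00:00Z",
                 container_seal="SEAL-4471", transport="locked cart")
    append_event(log, a, "received", "m.lee", "2025-09-01T10:30:00Z",
                 storage_location="Cage B")
    append_event(log, a, "destroyed", "m.lee", "2025-09-02T14:00:00Z",
                 method="degauss+shred", witness="r.kim")
    append_event(log, a, "certified", "m.lee", "2025-09-02T14:20:00Z",
                 certificate_id="COD-0001", method="degauss+shred")
    # Second asset skips receipt and certification and has no independent witness.
    append_event(log, b, "retired", "j.doe", "2025-09-01T09:05:00Z",
                 owner="HR", origin="Laptop pool")
    append_event(log, b, "collected", "j.doe", "2025-09-01T10:00:00Z",
                 container_seal="SEAL-4471", transport="locked cart")
    append_event(log, b, "destroyed", "m.lee", "2025-09-02T15:00:00Z",
                 method="disintegrate", witness="m.lee")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", first_broken_link(log) is None)
    for tag in ("HDD-0001", "SSD-0002"):
        print(tag, audit_asset(log, tag) or "no gaps found")
```

The chain only proves integrity if the latest entry's hash is also recorded somewhere the log's editors cannot rewrite, for instance printed on the certificate of destruction.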

Why a Documented Chain of Custody Matters

The importance of maintaining a documented chain of custody cannot be overstated. Inconsistent documentation or missing records at any stage can trigger audit findings, fines, or legal action. In industries like healthcare, finance, and government, where data security is paramount, improper disposal of sensitive data can lead to serious penalties, loss of business, or worse—security breaches that put lives or national security at risk.

Many companies and organizations fail to involve their compliance, legal, and security teams in the decommissioning process, which can lead to major gaps in the chain of custody. It’s crucial to formalize your decommissioning procedures and workflows, making sure every asset is tagged, tracked, and properly destroyed.

The Bigger Picture: High-Security Data Destruction

With the rise of cloud-based systems and digital data, organizations today face more challenges than ever in managing and decommissioning data securely. As more organizations move to the cloud, they must recognize the importance of a documented chain of custody, ensuring that every piece of sensitive data is tracked and destroyed securely.

At the end of the day, a secure chain of custody isn’t just about compliance, it’s about protecting your organization (and those whose data you collect and store). By incorporating these seven key elements into your data destruction process, you’ll not only meet regulatory standards but also build a robust defense against potential breaches and audit issues.

4 Features to Look for in a Data Destruction Device

August 25, 2025 at 6:05 pm by Amanda Canale

When your organization handles sensitive or classified data, the right destruction equipment isn’t a luxury, it’s a necessity. From federal agencies to private enterprises, the stakes are too high for anything less than complete and compliant data elimination.

With dozens of options on the market, it can be hard to separate marketing hype from true security features. Here are four essential qualities to look for when evaluating data destruction equipment.

Critical Shreds

  • Always begin any search with a deep dive into the relevant compliance regulations your industry and data classification need to abide by.
  • One size doesn’t fit all, so make sure whichever solution you choose is designed to destroy your specific media.
  • Avoid bottlenecking your operations by choosing a solution that matches your volume needs.
  • Solid build quality, minimal maintenance, and readily available service support keep your operations running smoothly for years to come.

1. Relevant Compliance Regulations

Before any preliminary research on a device can begin, it is critical to understand the compliance regulations your organization must follow depending on your industry and data classification level.

For example, if an organization is in the healthcare sector and handles patients’ personal health information (PHI), it must comply with the Health Insurance Portability and Accountability Act, or HIPAA, regarding the collection, storage, and destruction of data. Similarly, if an organization works within the government sector and manages top secret and classified information, it must adhere to the standards set by the National Security Agency, or NSA.

When it comes to top secret and classified information, devices listed on the NSA/CSS Evaluated Products List (EPL) are tested and proven to render that kind of data irrecoverable. It’s important to remember that using non-compliant equipment, regardless of the industry or data classification, can open your organization to compliance violations and costly data breaches. This is why understanding the relevant regulatory bodies, choosing certified tools, and following best practices at every stage of the data lifecycle is so critical.


2. Media Type Compatibility

The further we get into the digital age, the more likely it is that an organization will use a mix of media to store its data, ranging from hard drives and solid state drives to paper, flash memory, optical media, and more. Unfortunately, there are no one-size-fits-all solutions. Each media type requires a specific method to ensure complete and compliant disposal.

That said, there are multipurpose solutions available that are designed to handle multiple forms of media. For example, hard disk and solid-state drive combo shredders allow for streamlined disposal of both types in one device, while high-capacity disintegrators can destroy paper, optical media, flash drives, and more, all within a single workflow.

Choosing the right machine for your media types will not only ensure compliance with regulatory standards, but will also increase operational efficiency, reduce the need for multiple disposal processes, and ultimately streamline your overall data destruction process. Investing in the right equipment now can save time, reduce risk, and support a secure and well-organized information lifecycle.

3. Throughput Capacity

In high security environments, time is truly of the essence. In these settings, delays in data destruction can lead to bottlenecks, compliance risks, or even security vulnerabilities. That’s why the speed and volume capacity of your data destruction equipment play a critical role in overall operational efficiency.

Regardless of the media type and industry, it’s essential to ensure that the chosen equipment can keep pace with the volume and urgency of your organization’s data flow. If your destruction process delays decommissioning schedules, sensitive materials may remain in circulation longer than is safe or compliant.

By investing in machines with the right throughput and automation capabilities, organizations can maintain a seamless and secure workflow, minimize downtime, and reduce the risk of human error.


4. Durability and Maintenance Support

Reliable performance starts with quality construction. In high-demand environments, your data destruction equipment needs to perform consistently day in and day out, without unexpected breakdowns or constant maintenance interruptions. That means choosing solutions engineered with durable components, precision manufacturing, and rugged materials that can withstand the rigors of continuous use.

Beyond construction, ongoing reliability also depends on the level of support behind the equipment. Even the best-built machines will occasionally require service, calibration, or parts replacement. In those moments, quick access to expert technical support and fast service turnaround can make all the difference in preventing extended downtime and keeping operations running smoothly.

Conclusion

Choosing the right destruction equipment is the final and most critical step in a comprehensive data protection strategy. It ensures that your organization remains secure not just during the storage and usage phases, but throughout the entire data lifecycle. Whether you’re handling classified government materials, personal health information, or proprietary business data, proper destruction is what closes the loop on security.

The right equipment doesn’t just protect data; it protects your reputation, ensures compliance with evolving regulations, and gives your organization the confidence that no trace of sensitive information remains. In today’s risk-filled digital age, secure data disposal isn’t optional, it’s essential.

Hard Drives vs. SSDs: How Destruction Methods Must Evolve with Technology

August 11, 2025 at 8:00 am by Amanda Canale

Secure data destruction has evolved over the Digital Age from a best practice to a legal and operational necessity. Yet many organizations still rely on outdated processes that were initially designed for hard disk drives (HDDs) but are ineffective for newer technologies like solid-state drives (SSDs).

At Security Engineered Machinery (SEM), we recognize that the storage medium matters when it comes to data destruction. Understanding the technical differences between HDDs and SSDs is crucial to ensuring total data sanitization.

Critical Shreds

  • HDDs use magnetic platters while SSDs use flash memory chips, meaning the difference in technology requires different destruction methods.
  • Combining degaussing and shredding provides secure destruction of HDDs. However, degaussing is not applicable to SSDs and shredding can often leave recoverable data behind.
  • Improper HDD and SSD destruction increases the risk of data breaches and violates data protection laws like HIPAA, NIST 800-88, and the NSA/CSS standard.

How HDDs and SSDs Store Data Differently

HDDs and SSDs serve the same purpose—data storage—but use entirely different technologies under the hood. HDDs rely on magnetic platters that spin while mechanical read/write heads access data. The magnetic nature of these platters makes them ideal candidates for destruction via degaussing, crushing, or shredding.

SSDs, on the other hand, use flash memory chips to store data electronically. Instead of a central platter, data is distributed across numerous microscopic cells embedded within integrated circuits. These memory chips retain data even after being damaged or wiped, which makes secure destruction much more complex. The same methods that easily destroy HDDs often leave SSDs partially intact.


Why Traditional HDD Methods Don’t Work on SSDs

Degaussing is a proven solution for magnetic media as it neutralizes magnetic fields and scrambles the binary code, rendering HDD platters unreadable. However, degaussers have no effect whatsoever on SSDs since they contain no magnetic components.

Similarly, shredders designed for HDDs often fail to fully destroy SSDs. HDDs can be shredded into coarse strips or chunks while still meeting compliance. But SSDs require a much smaller particle size, ideally 2mm or less, to ensure all flash memory chips are destroyed. Shredding SSDs without reaching this level of granularity can leave data recoverable by forensics tools.

The distributed architecture of SSDs means a fragment as small as a thumbnail can still contain sensitive data. That makes precision destruction absolutely critical.

DD: Degauss and Destroy

While it’s been established that degaussing should only be used for magnetic HDDs, it’s important to note that it should not be the sole method of destruction. Per the NSA, a magnetic HDD carrying classified information should be degaussed and then physically destroyed by way of shredding or crushing. This “degauss and destroy” two-step method ensures the complete and total obliteration of any end-of-life media. At SEM, we have a line of Degauss and Destroy options that combine the use of the Model EMP1000-HS degausser and other NSA-listed HDD destroyers.

Though this process is required for classified information, it is a good rule of thumb for all sensitive information, regardless of the industry.

Disintegration: Ultimate Security

While shredding may work for some storage media, SSDs require a more precise and thorough approach to ensure complete data destruction.

Since data is distributed across the cells on an SSD, typical destruction efforts such as shredding or crushing can often leave drives partially intact, and stored data vulnerable to theft. This is where disintegrators come into play. Contrary to shredders, disintegrators utilize rotor knives to pulverize material and push it through a predetermined screen size. This mechanism grinds end-of-life material into uniform, fine particles, leaving no fragmented pieces behind. With this method, drives are repeatedly cut until they can pass through the screen, producing a much smaller (and more secure) particle size.

According to the NSA, for a solid state disintegrator to be NSA/CSS listed, it must be able to “reduce any solid state storage device to a maximum edge size of 2 millimeter or less.” A prime example of this kind of technology is the SEM Model SSD2-HS Solid State Disintegrator, a high security destruction device that breaks end-of-life SSDs down to the required 2mm particle size.
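The media-specific rules in this article (degaussing does nothing to flash, SSD particles must be 2 mm or smaller, classified HDDs are degaussed and then physically destroyed) can be applied to a destruction record before it is signed off. This is an added example, not SEM's or the NSA's tooling; the record layout and field names are assumptions, and the sample records are constructed.

```python
SSD_MAX_EDGE_MM = 2.0                      # NSA/CSS maximum edge size quoted above
HDD_PHYSICAL = {"shred", "crush"}          # physical methods the article names for HDDs
SSD_PHYSICAL = {"shred", "crush", "disintegrate"}


def check_destruction(media, classified, steps):
    """Return findings for one drive's destruction record (empty list = none).

    media is "hdd" or "ssd"; steps is the ordered list of actions performed,
    e.g. {"action": "shred", "particle_mm": 10.0}. Field names are assumptions.
    """
    actions = [s["action"] for s in steps]
    findings = []

    if media == "ssd":
        if "degauss" in actions:
            findings.append("degauss has no effect on flash and does not count as a step")
        physical = [s for s in steps if s["action"] in SSD_PHYSICAL]
        if not physical:
            findings.append("SSD has no physical destruction step")
        else:
            # Only the final physical step determines the particle size left behind.
            final = physical[-1]
            size = final.get("particle_mm")
            if size is None:
                findings.append(f"{final['action']}: particle size not recorded")
            elif size > SSD_MAX_EDGE_MM:
                findings.append(
                    f"{final['action']}: {size} mm exceeds {SSD_MAX_EDGE_MM} mm edge size")
    elif media == "hdd":
        physical_at = [i for i, a in enumerate(actions) if a in HDD_PHYSICAL]
        if classified:
            if "degauss" not in actions:
                findings.append("classified HDD was not degaussed")
            if not physical_at:
                findings.append("classified HDD was not shredded or crushed after degaussing")
            if "degauss" in actions and physical_at and actions.index("degauss") > physical_at[0]:
                findings.append("degauss must precede physical destruction")
        elif "degauss" not in actions and not physical_at:
            findings.append("HDD has no degauss or physical destruction step")
    else:
        raise ValueError(f"unknown media type: {media}")
    return findings


if __name__ == "__main__":
    # Constructed records: an HDD-style workflow applied to an SSD, then a compliant one.
    print(check_destruction("ssd", False, [{"action": "degauss"},
                                           {"action": "shred", "particle_mm": 10.0}]))
    print(check_destruction("ssd", True, [{"action": "disintegrate", "particle_mm": 2.0}]))
    print(check_destruction("hdd", True, [{"action": "degauss"}, {"action": "shred"}]))
```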

The Risk of Inadequate SSD Destruction

Failing to completely destroy SSDs at end-of-life is a major security risk. Sensitive data—including financial records, healthcare files, classified information, or customer credentials—can remain on leftover memory chips. This residual data can be extracted by criminals or competitors with minimal effort.

Even if an organization believes data has been deleted or wiped, data recovery software and hardware forensics tools can still retrieve unencrypted remnants. The consequences are far-reaching: data breaches, identity theft, intellectual property theft, and noncompliance fines are all on the table.

The risk isn’t just technical—it’s legal. Compliance regulations like HIPAA, NIST SP 800-88, and PCI-DSS all require verifiable data destruction methods based on media type and sensitivity level.


Built for Compliance and Peace of Mind

To mitigate risk and ensure compliance, organizations must implement destruction processes that align with:

  • National Institute of Standards and Technology (NIST 800-88)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)
  • Federal Information Security Management Act (FISMA)

Failure to comply can result in audits, penalties, and reputational damage. Proper destruction practices are essential not just for security, but for legal protection and organizational integrity.

Looking Ahead: Future-Proofing Your Data Destruction Strategy

As storage technology evolves, data destruction methods must keep pace. Organizations should continually evaluate their policies and equipment to ensure alignment with modern threats and storage formats.

Forward-thinking approaches may include:

  • Investing in SSD-specific crushers or disintegrators
  • Implementing secure chain-of-custody protocols
  • Regularly updating policies in accordance with regulatory changes

After all, proper planning today can prevent catastrophic failures tomorrow.

Non-Government Organizations – Are You Required to Destroy Magnetic Media?

November 29, 2018 at 3:53 pm by SEM

Many organizations or companies that have no connection with state or federal government agencies possess large amounts of extremely sensitive information residing on hard drives, backup tapes, and a variety of other magnetic media. Depending on the nature of your business, much of this data must be handled in compliance with strict industry standards. It is difficult to mention all of the industry standards that are out there, but here are a few that may apply to your business: HIPAA (Health Insurance Portability and Accountability Act), FERPA (applies mostly to colleges and universities), FACTA (Credit Transactions Act), the Sarbanes-Oxley Act, and PCI DSS (Payment Card Industry Data Security). Non-compliance on the part of your organization could result in fines or expose your company to criminal and civil liabilities.

Growing Need for Proper Media Sanitization & Destruction: Why Degauss?

SEM’s NSA listed Model EMP1000-HS degausser is an ideal solution for rotational hard drives; however, degaussing has NO effect on solid state media.

Media sanitization and destruction is the one thing you can control internally to guarantee total confidentiality for your organization. Computer technologies are changing every day, creating more powerful computers with track densities that make previous methods of destruction totally obsolete. Degaussing is a method that exposes magnetic media, like hard drives and backup tapes, to a powerful magnetic field. This method destroys not only the media but also the firmware that manages the device. Some of the more prominent high security IT organizations and test facilities in the U.S. prefer this method of destruction over all others.

Is Physical Destruction Really Necessary?

Some people consider physical destruction the ultimate form of media destruction. Physical destruction of hard drives can be accomplished by shredding, crushing, or using a device that bores a hole in the center of the drive creating severe damage to the housing and internal workings of the drive. Incineration and melting will also destroy media, but these methods may be impractical or unavailable to your average company. Most physical destruction devices have a relatively small footprint and can be located in your IT department or in a designated area within the company. Depending on the importance or security categorization of your data, you might consider a two-step process where degaussing and physical destruction go hand-in-hand. Most government agencies are dealing with extremely sensitive data, which requires degaussing and some form of physical destruction. This is something to seriously consider with the increasingly sophisticated level of encryption that is out there today.

The Missing Link in Cloud Security

November 16, 2018 at 4:16 pm by Heidi White

Definition of Cloud Security from the Cloud Security Alliance (CSA):
Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Recently, there has been a hyperfocus on cloud security — and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms, with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not equally met with security and trust, with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.

These statistics indicate that cloud security is lagging far behind cloud storage and adoption — similar to cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advancements are sluggish at best. As a result, cell phone battery life continues to be a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with a lightning fast processor if the phone can’t handle the battery load? Likewise, cloud security threats have escalated alongside cloud data expansion due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled from 67 million to 159 million in the same time period. The decreased number of data breaches is indicative of the consolidation of cloud data storage providers, and yet the large increase in compromised records shows that one data breach affects far more records today than it did just five years ago.

As a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. Some of the more frequently utilized processes include user authentication, encryption of data both in transit and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies are critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, end point security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.

Cloud security providers who actually define an end-of-life strategy are rare, and a comprehensive program is rarer still. Many providers erroneously think that erasing or overwriting a disk is sufficient or, more unsound still, that a failed drive is precisely that – failed, and non-recoverable. Unfortunately, nothing could be further from the truth. Drives that were “erased” have shown up on eBay with sensitive information, and overwritten and failed drives invariably contain original data that is fairly easy to recover. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.

Degaussing followed by crushing is one methodology for sanitizing hard drives that has been approved by the NSA.

Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these compliance regulations are put in place to protect sensitive data and personally identifiable information from falling into the wrong hands whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. There are many data destruction devices available from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solutions best fits their need. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.

Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically comes with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.

In-House Hard Drive Destruction: More Affordable Than You Think

June 27, 2018 at 10:43 am by SEM

What’s the best in-house hard drive destruction for today’s drives?

The most commonly used hard drives in today’s computing world are the 3.5”, 2.5”, and 1.8” form factor drives. In fact, they represent over 95% of the drives being used in today’s offices. Larger drives only represent a small portion of the drives that are in use today. So what is the best method of hard drive destruction?

Until recent years, a practical solution for in-house destruction was not available other than deleting software, drilling holes in the drives, burning, or other methods that are not very practical and did not guarantee any level of security. From a security standpoint, there is no substitute for controlling your own IT destruction program in-house, especially if user-friendly, affordable equipment is available that can be utilized by IT personnel.

Crush a Drive. Use an SEM Model 0101.

This device represents final destruction for some companies while other high security government organizations use them to disable drives after they have been magnetically degaussed to NSA standards. The Model 0101 takes up very little space (22” H x 10” W x 19” D) and can easily be transported to other locations. A deployment case is available for easy transport. The method of destruction is a hardened, pointed conical punch that comes in contact with the drive with 12,000 lbs. of force, causing trauma to the drive chassis and internal platter. The process takes about 10 seconds. While it sounds kind of menacing, this unit is actually quiet, safe, and requires minimal maintenance. It is also very affordable and ideal for in-house destruction.

Hard Drive Shredding. Try an SEM Hard Drive Shredder.

Several years ago, the average hard drive shredder needed its own building! It was so big that it was only practical for most organizations to use an outside destruction service or salvage company when HDDs needed to be shredded. Nowadays, there are plenty of options. When volume or total destruction is needed, the SEM hard drive shredder series is your best solution. These units have amazing destructive power with a very small footprint. They will destroy from 500-3,500 drives per hour and power consumption is minimal. They are quiet, compact, and built to last. Numerous safety features are incorporated into the design. Maintenance is minimal and can be done by your own company personnel or by PM contract with the manufacturer.

What is Magnetic Degaussing?

Degaussing is a method for destroying hard drives that utilizes powerful magnets. The SEM Model EMP1000-HS meets NSA EPL (Evaluated Products List) guidelines for destroying classified drives. Other commercial grade degaussers are also available from SEM. All units are extremely safe, compact, and very practical for in-house destruction. All degaussers can also be bundled with HDD shredders or crushers if drives need to be destroyed after magnetic erasure as required by NSA.

For more information, please visit www.semshred.com or call us at 800-225-9292 to speak to your representative.

Destroying Classified Magnetic Media: Outsource or In-House?

November 30, 2011 at 9:34 am by SEM

When it comes to eliminating classified magnetic media, a government IT security manager must establish a process that ensures the media is properly destroyed and disposed of. To some, the options may be limited in getting this done. As required by NSA, classified magnetic media must be degaussed using an NSA evaluated degausser and then it is highly recommended to physically destroy the device. Most agencies will choose to eliminate their classified magnetic media in one of two ways, in-house or outsource. These options are usually weighed based on cost, volume, and level of security.


Agencies that eliminate their magnetic media in-house will purchase the necessary equipment and create a program to perform the destruction on-site. In most cases, security managers prefer in-house destruction because the media is never transported outside classified areas, where it is at risk to be lost or breached. Although these programs require agencies to purchase equipment up-front for their program, it eliminates the cost of having to coordinate high security transportation of the media, including cleared escorts and secure transportation. They can also take advantage of the high recyclable value of various magnetic storage drives.

While agencies can choose to outsource their magnetic media destruction, often by sending it to the NSA or another classified agency with in-house capabilities, it is both risky and more costly. Why? Outsourcing requires a scheduled secure shipment and cleared escorts every time the media leaves the classified area for transport. This process can be expensive and time consuming. Since it can be difficult at times for an IT security department to secure up-front funds for their own equipment, agencies find it easier to spend less money for each shipment and stay within their monthly operating budget. However, many agencies justify creating their own in-house program by weighing the long term costs vs. buying their own equipment. Outsourcing can also add unnecessary security risks by transporting the media outside of classified areas.

To get a more in depth understanding of finding the best data decommissioning policy, read SEM’s whitepaper on the topic here.