Shredding Through Time

July 28, 2020 at 10:00 am by Flora Knolton

Paper shredding can first be credited to Abbot Augustus Low of New York, who filed a patent for an improved wastepaper receptacle in 1909, the first recorded idea for a paper shredder. Low's invention was intended for banks and counting houses, but it was never manufactured.

The first known mechanical paper shredder was built in Germany in 1935 by Adolf Ehinger, who, after being questioned about anti-Nazi literature found in his garbage, adapted the design of a hand-crank pasta maker into a machine for shredding sensitive material. The machine was hand-cranked inside a wooden frame large enough to handle one sheet of paper at a time. In the 1940s he added a motor to power the shredder and sold the machines to a range of government entities.

During the Cold War, Ehinger's shredder grew in popularity. In 1959 his company, EBA Maschinenfabrik, created the first cross-cut shredder, which cut paper into small particles for a higher level of security. EBA Maschinenfabrik continues to design and produce shredders today under the name Krug & Priester, which purchased the business in 1998.

Since Ehinger's invention, shredders have played a role in many notable moments in history. Before the 1980s, shredders were used almost exclusively by government, the military, and the banking industry. Then, in 1988, the U.S. Supreme Court ruled in California v. Greenwood that garbage left at the curb carries no reasonable expectation of privacy, so it may be searched without a warrant. By the 1990s, corporate and personal identity theft had risen sharply. Most of the public was not even aware that paper shredders existed until they surfaced in connection with scandals such as Watergate in the 1970s, Iran-Contra in the 1980s, and Enron in 2002. The rise in identity theft and scandals led businesses and individuals to burn their paper waste; because burning is so harmful to the environment, that in turn led to laws prohibiting the incineration of trash, which pushed businesses and ordinary citizens toward paper shredders for secure document disposal. Despite the media's unfair portrayal of shredders as tools for covering the tracks of the guilty, Ehinger's purpose was to protect the innocent. Over the course of the 20th century, paper shredders became more secure through cross-cut designs and ever smaller particle sizes.

Privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), and the Family Educational Rights and Privacy Act (FERPA), to name a few, make organizations responsible for protecting customer and consumer information. Businesses must comply with these regulations, and it is also a best practice to routinely destroy data that has outlived its retention period. Shredding paper also opens up environmentally friendly disposal alternatives that are better than tossing it all in the dumpster.

In 1968, in what is now known as "the Pueblo Incident," the Navy intelligence vessel USS Pueblo was captured by North Korean patrol boats. According to U.S. reports, the crew tried to destroy all of the classified material aboard, but given the volume on board it was impossible to destroy it all before capture. Korean War veteran and SEM founder Leonard Rosen concluded that there had to be a better way to destroy classified information. Within weeks of hearing the news he had developed the concept for the world's first paper disintegrator, and the SEM line of destruction devices was born. Ehinger and Rosen were both motivated by the same goal: protecting their countries' sensitive information.

SEM may have coined the term "disintegrator," but its shredders are built to the same standard. SEM's high security paper shredders are NSA/CSS listed and reduce paper to particles no larger than 1mm x 5mm. All SEM NSA listed paper shredders meet the requirements of the new CUI security regulation that requires CUI documents to be shredded and meet  . The Model 344 paper shredder produces particles of 0.8mm x 2.5mm, less than half the area of the current NSA limit, for those who want the highest level of security. Many of SEM's paper shredders come with a factory-installed automatic oiler, but for those looking to reduce their carbon footprint, the Model 1201CC was the first high security paper shredder to be tested oil-free by the NSA and listed on the NSA EPL for classified document destruction. Oil-free shredders save on oil refills and suit the eco-conscious buyer.

Buying a paper shredder is an insurance policy for sensitive information. Our trash is no longer "our" trash once it is at the curb, so it's vital to be conscientious about what is thrown away. Paper shredders have been around for over 100 years and will remain necessary even as more offices vow to go paperless. Paper will still be around, and SEM has Classified and Unclassified paper shredders to meet your media destruction needs.


PIPEDA: Protecting the Privacy of Canadian Citizens

September 28, 2019 at 8:46 am by Paul Falcone

What is PIPEDA?

Since enacting the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, Canada has been a leader in the protection of sensitive personal data. Originally created to foster trust in e-commerce, PIPEDA has evolved to provide more stringent data protection across the digital landscape.

The basic premise of PIPEDA is that Personally Identifiable Information (PII) may not be collected, used, or disclosed without the individual's meaningful consent. If an organization wants to use PII for more than one purpose, it must obtain consent for each purpose, either through separate requests or one comprehensive request. The law also grants individuals the right to access their data and requires organizations to make their privacy policies readily accessible and easily understood.

As of November 1, 2018, PIPEDA includes mandatory breach provisions. An organization that experiences a breach of security safeguards involving PII must report it to the Privacy Commissioner of Canada if the breach creates a real risk of significant harm to individuals, notify the affected individuals, and notify any other organization or government institution that may be able to reduce the risk of harm to them. The organization must keep a record of every breach of security safeguards for at least 24 months after the date it determined the breach occurred.

Organizations Subject to PIPEDA Regulations

PIPEDA applies to private-sector organizations (including federally regulated businesses) that collect, use, or disclose personal information in the course of commercial activity. Commercial activity does not include donations and fundraising, membership fees, or the membership and mailing lists of nonprofit organizations, schools, hospitals, and political parties; if such lists are sold, bartered, or leased, however, that activity becomes subject to PIPEDA.

Additionally, if a province has private-sector privacy legislation deemed substantially similar to PIPEDA, organizations operating solely within that province are exempt from PIPEDA for their intra-provincial activity. Alberta, British Columbia, and Quebec have such laws; however, any business that moves PII across provincial or national borders is subject to PIPEDA for that transfer. Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have substantially similar legislation for health information only, so organizations in those provinces are exempt from PIPEDA for health data alone. The European Commission has recognized PIPEDA as providing adequate protection, so personal data can flow from the EU to PIPEDA-regulated organizations in Canada without additional safeguards.

What Information is Covered by PIPEDA?

PII under PIPEDA regulations includes age, name, ID numbers (including Social Insurance and driver’s license numbers), financial information (including credit and loan records and disputes with merchants), race, religion or ethnic origin, marital status, health information (including DNA and blood type), education, and employment history (including employee files such as opinions and comments, evaluations, and disciplinary actions).

The Fair Information Principles

Schedule 1 of PIPEDA (incorporated by section 5 of the Act) sets out ten principles, the Fair Information Principles, that organizations must follow:

1. Accountability: PII under an organization’s control is that organization’s responsibility. Organizations must designate a Privacy Officer to ensure compliance.
2. Identifying Purposes: At the time of PII collection, organizations are required to disclose any and all purposes for which the personal data will be used.
3. Consent: Except for cases in which legal, medical, or security reasons render consent impossible or impractical, an individual’s consent is required for collection, use, or disclosure of PII.
4. Limiting Collection: Data collection must be limited to what is necessary for the purposes the organization identified before obtaining consent.
5. Limiting Use, Disclosure and Retention: PII may only be used for the purposes of its collection as agreed to by the individual. PII may only be retained for as long as is required to serve those purposes; subsequently, it must be disposed of securely (unless the individual consents to further PII retention and use).
6. Accuracy: PII must be as accurate and complete as possible to satisfy the purposes for which it’s used.
7. Safeguards: PII must be safeguarded against theft, loss and unauthorized access, use and modification.
8. Openness: Organizations must ensure that policies and procedures related to their management of personal data are easily accessible to individuals in language that is generally understood.
9. Individual Access: Upon request, individuals shall be informed of the existence, use, and disclosure of their PII and be granted access to it. Individuals may challenge the completeness of the information and have it amended. The only exception to this principle is when the information cannot be disclosed for legal or security reasons.
10. Challenging Compliance: An individual may challenge an organization’s compliance with PIPEDA directly through its Privacy Officer.

PIPEDA and Data Destruction

Fair Information Principle 5 stipulates that PII in any form no longer serving its specifically intended purposes must be disposed of securely, and that any information retained for statistical purposes must be rendered anonymous. Organizations should have a comprehensive plan addressing the PII life cycle that mandates (through proprietary or third-party means) adequately secure data destruction. Should destruction of electronic devices be necessary, one person should be assigned responsibility.

Organizations may use properly credentialed third-party vendors for data destruction and disposal, although the organizations are responsible for verifying results. Organizations must ensure that the third-party vendor used has comprehensive plans for both secure transportation and transmission of sensitive data to/from their facility, as well as comprehensive destruction plans. Ideally, the organization would have the capability to monitor third-party data destruction and conduct periodic reviews and audits. Of course, the most secure method is to utilize in-house data destruction.

Acceptable methods of data destruction depend on the media. Hard copies must be destroyed to the point where recovery is impossible; acceptable methods include disintegration, incineration, pulverization, melting, and shredding. Electronic data must be sanitized so that it cannot be recovered with ordinary tools: overwritten completely with non-sensitive data, degaussed (magnetic media only), or the media physically destroyed. Simply deleting files is not sufficient, because deleted data is trivially recoverable.

When media containing PII is destroyed, it should be disposed of according to the internationally recognized guidelines in DIN Standard 66399. The media classes defined by the standard are:

• Original-sized physical media (e.g., paper, printing plates—classified as “P”)
• Reduced-sized physical media (e.g., microfilm—classified as “F”)
• Optical media (e.g., CDs or Blu-Ray—classified as “O”)
• Magnetic data devices (e.g., payment cards and floppy disks—classified as “T”)
• Hard disk drives (classified as “H”)
• Electronic data devices (e.g., USB drives and SSDs—classified as “E”)

For each media classification, DIN Standard 66399 outlines security measures from 1 (lowest level: reproduction of destroyed data requires little effort) through 7 (highest level: reproduction of destroyed data is impossible given current state of technology) that have associated data-destruction specifications.

When procuring third-party vendors or machinery for data destruction, it’s imperative you ensure compliance with, and adherence to, the appropriate security ratings and PIPEDA regulations. Companies like SEM provide sophisticated data destruction technology solutions to keep your organization in compliance with PIPEDA and other global security standards.

Credit Cards & Identity Theft: There’s More Exposure Than You Might Think

August 19, 2019 at 12:23 pm by Paul Falcone

Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.

Credit Cards & PII

Do you have a credit card? If so, take it out and look at it for a moment. At a glance there is a host of obvious Personally Identifiable Information (PII) printed right on it: your name, the primary account number (PAN, the card number itself), the expiration date and the security code (CVV2/CVC2). In the wrong hands this data is enough for card-not-present fraud and can contribute to identity theft.

However, your card also carries PII where you might not expect it. The magnetic stripe stores the PAN, cardholder name, expiration date and service code, plus issuer discretionary data that includes a card verification value (CVV1, which differs from the code printed on the back) and PIN verification data. The PIN itself is not written to the stripe, but everything needed to clone the stripe is. Many cards also contain a contactless (NFC/RFID) chip that can return the PAN, expiration date and, on some cards, the cardholder name over the air. A card with such a chip usually carries a word mark such as "Blink," "PayPass," or "PayWave," or a symbol that looks like a Wi-Fi signal turned 90 degrees clockwise.
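To make the stripe contents concrete, here is an added example in Python (not SEM's code) that parses a Track 1 and a Track 2 read in the ISO/IEC 7813 layout that magnetic-stripe readers return. The sample track strings are constructed test data built on the public Visa test PAN 4111 1111 1111 1111 with a made-up name, expiry and discretionary field. The example validates the PAN with the Luhn check digit, decodes the three-digit service code (which tells a terminal whether the card carries a chip and whether a PIN is required), and masks the PAN to the first six and last four digits, the most PCI DSS permits to be displayed or logged.

```python
"""Parse ISO/IEC 7813 magnetic-stripe Track 1 / Track 2 data.

Added example (not SEM's code): shows exactly which cardholder fields a
skimmer recovers from one swipe, validates the PAN with the Luhn check,
decodes the service code, and masks the PAN for logging (first six / last
four). The track strings are constructed test data using the public Visa
test PAN 4111 1111 1111 1111; name, expiry and discretionary data are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample reads, as a reader would return them (not real cards).
TRACK1 = "%B4111111111111111^DOE/JOHN^2512201000000000000?"
TRACK2 = ";4111111111111111=2512201000000000000?"

_TRACK1_RE = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<rest>\d*)\?$")
_TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<rest>\d*)\?$")


@dataclass(frozen=True)
class StripeRecord:
    pan: str            # primary account number (the card number)
    name: str           # "SURNAME/FIRST" on Track 1; empty on Track 2
    expiry: str         # MM/YY
    service_code: str   # three digits, see decode_service_code()
    discretionary: str  # issuer data: CVV1/CVC1, PIN verification value, etc.


def _split_tail(rest: str) -> Tuple[str, str, str]:
    """Split 'YYMM' + 3-digit service code + issuer discretionary data."""
    if len(rest) < 7:
        raise ValueError("track too short for expiry and service code")
    yymm, svc, disc = rest[:4], rest[4:7], rest[7:]
    return f"{yymm[2:]}/{yymm[:2]}", svc, disc


def parse_track1(track: str) -> StripeRecord:
    m = _TRACK1_RE.match(track)
    if not m:
        raise ValueError("not a well-formed format-B Track 1 read")
    expiry, svc, disc = _split_tail(m["rest"])
    return StripeRecord(m["pan"], m["name"], expiry, svc, disc)


def parse_track2(track: str) -> StripeRecord:
    m = _TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed Track 2 read")
    expiry, svc, disc = _split_tail(m["rest"])
    return StripeRecord(m["pan"], "", expiry, svc, disc)


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check digit: catches misreads and typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Service-code digit meanings per ISO/IEC 7813 conventions.
_INTERCHANGE = {"1": "international", "2": "international", "5": "national",
                "6": "national", "7": "private / no interchange", "9": "test card"}
_AUTH = {"0": "normal", "2": "contact issuer online",
         "4": "contact issuer except under bilateral agreement"}
_PIN = {"0": "no restrictions, PIN required", "1": "no restrictions",
        "2": "goods and services only", "3": "ATM only, PIN required",
        "4": "cash only", "5": "goods and services only, PIN required",
        "6": "no restrictions, PIN where feasible",
        "7": "goods and services only, PIN where feasible"}


def decode_service_code(code: str) -> Dict[str, object]:
    """Decode the three service-code digits a terminal uses to route the card."""
    if not re.fullmatch(r"\d{3}", code):
        raise ValueError("service code must be three digits")
    return {
        "interchange": _INTERCHANGE.get(code[0], "reserved"),
        "chip": code[0] in ("2", "6"),   # 2/6: use the IC chip where possible
        "authorization": _AUTH.get(code[1], "reserved"),
        "pin": _PIN.get(code[2], "reserved"),
    }


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    if len(pan) < 11:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    rec = parse_track1(TRACK1)
    print(mask_pan(rec.pan), rec.name, rec.expiry, decode_service_code(rec.service_code))
```

Everything the parser returns is what a skimmer captures in one swipe. The discretionary field holds the issuer's CVV1 and PIN verification values rather than the PIN itself, which is why a stripe read alone does not yield the PIN but is enough to clone a card for magstripe-only terminals.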

Contactless chips add convenience by letting you tap the card near the terminal instead of inserting it. Each tap produces a one-time cryptogram that cannot be replayed, so a captured transaction does not let a criminal clone the chip. The static data sent alongside it, the PAN and expiration date, can, however, be read by anyone with the right equipment who gets within a few centimeters of the card, and that is enough for card-not-present fraud at merchants that do not check the security code. The read range is short because the signal is weak, but it only takes one close encounter.

And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.

Issuers, Printers & PII

You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.

What is often overlooked is the generator of the credit card, the security printer company that the financial institution and/or lender works with to create the cards. A printing plate unique to the cardholder is used to create the design, lettering and even some security features that are printed onto the card. This means the printing plate contains a copy of your PII. And the tipping foil that’s used to personalize cards can also have PAN left on the foil after it’s been used.

Proper Destruction of Credit Cards & PII Contained

It goes without saying that consumers must properly shred expired credit cards and shred, pulverize or incinerate all paper documentation related to the card that contains PII. If the documentation is stored digitally, both the data and the device need to be dealt with: clear the data by overwriting it with non-sensitive information (or, for magnetic media, by degaussing, which renders the magnetic field permanently unusable), then destroy the media by shredding, melting, pulverization, disintegration or incineration.

SEM EMP1000-HS Degausser

For a shredder, consumers should follow DIN Standard 66399 at a minimum of Level P-5 for end-of-life destruction of the credit card and the accompanying paper documentation. P-5 requires a maximum cross-cut particle area of 30mm² and a maximum strip width of 2mm (for example, 2mm x 15mm). Shredded data at this size is unlikely to be reconstructed even with special equipment.

The issuing financial institution or lender should practice the same end-of-life destruction on its own paper and digital record trail for the account information containing the consumer's PII, and should ensure that its security printers do the same with the printing plates and tipping foil used to create the consumer's card. For these organizations, DIN Standard 66399 Level P-5 is recommended for paper, with the equivalent level for whatever media class holds the digital records of the PII attached to the card and line of credit.

PII Theft Prevention: Complying with Intergraf

In addition to proper data and device destruction when the printing plate and tipping foil reach end-of-life, the security printer should take preventive steps in how the cards and materials are produced. One such step is for the security printer to hold Intergraf certification and to work only with Intergraf-certified suppliers.

Intergraf is the European federation for print and digital communication; its security-printing certification scheme exists to ensure the security of the sensitive data handled while those products are created. Intergraf certification of a security printer provides a clear structure of requirements and responsibilities, trusted security for printers and suppliers, a recognizable reference for governments and industries, prevention of forgery and counterfeiting, security from development to deployment, and increased customer confidence and satisfaction.

Intergraf has developed international standards for security printers and suppliers (e.g., CWA 14641, CWA 15374 and ISO 14298) that also direct how these organizations should destroy printing plates and tipping foil to render them unusable and irrecoverable. For instance, Intergraf stipulates that the destruction standard for printing plates is DIN 66399 P-1, which limits particles to a maximum surface area of 2,000mm² or strips of 12mm width.

Finding the Right Data Destruction Machine

SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends on both consumer and commercial level that the machinery is purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.

DIN 66399 Globally Standardized to ISO/IEC 21964

June 28, 2019 at 4:09 pm by Paul Falcone

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which together form the specialized system for worldwide standardization, have a joint technical committee for information technology, ISO/IEC JTC 1. In August 2018, ISO/IEC JTC 1 adopted the German Institute for Standardization's DIN 66399 terms and principles for the destruction of information technology data carriers as an international standard, ISO/IEC 21964, which organizations worldwide now reference for data destruction requirements. The media classes used in the security levels are identical to those in DIN 66399 and are as follows:

P — information in original size such as paper, film, and printing plates

F — information in miniaturized form such as microfilm and microfiche

O — information on optical data carriers such as CDs, DVDs, and Blu-ray Discs

T — information on magnetic data carriers such as floppy discs, ID cards, magnetic tape cassettes, mag stripe cards, and CAC IDs

H — information on hard drives with magnetic data carriers such as rotational hard drives

E — information on electronic data carriers such as memory sticks, RFID chip cards, solid state drives, and mobile communication equipment

P-7, shown above, is the standard for the destruction of classified material on paper.

The ISO/IEC 21964 limits for particle sizes also have not changed from the DIN 66399 standard and remain as follows:

Paper Media

  • P-1: Particle size ≤ 2,000mm² or strip width ≤ 12mm x unlimited strip length
  • P-2: Particle size ≤ 800mm² or strip width ≤ 6mm x unlimited strip length
  • P-3: Particle size ≤ 320mm² or strip width ≤ 2mm x unlimited strip length
  • P-4: Particle size ≤ 160mm² and, for regular particles, strip width ≤ 6mm, such as our Model 5141P
  • P-5: Particle size ≤ 30mm² and, for regular particles, strip width ≤ 2mm
  • P-6: Particle size ≤ 10mm² and, for regular particles, strip width ≤ 1mm
  • P-7: Particle size ≤ 5mm² and, for regular particles, strip width ≤ 1mm, or dissolved with particle size ≤ 5mm², or shredded ash with particle size ≤ 5mm², such as with our Model 244/4

O-6, shown above, is the standard for the destruction of classified material on DVDs and Blu-ray Discs.

Optical Media

  • O-1: Particle size ≤ 2,000mm²
  • O-2: Particle size ≤ 800mm²
  • O-3: Particle size ≤ 160mm²
  • O-4: Particle size ≤ 30mm²
  • O-5: Particle size ≤ 10mm², such as with a Model 0201
  • O-6: Particle size ≤ 5mm² or shredded ash ≤ 5mm² or melted compound, such as with a Model 0200 OMD/SSD with Cabinet Kit
  • O-7: Particle size ≤ 0.2mm² or shredded ash ≤ 0.2mm² or melted compound

Magnetic Media

  • T-1: Medium physically unusable
  • T-2: Medium broken into several parts and particle size ≤ 2,000mm²
  • T-3: Particle size ≤ 320mm²
  • T-4: Particle size ≤ 160mm²
  • T-5: Particle size ≤ 30mm²
  • T-6: Particle size ≤ 10mm²
  • T-7: Particle size ≤ 2.5mm² or shredded ash ≤ 2.5mm² or melted compound, such as a Model DS-400
H-3, shown above, is an approved method of destruction of classified material found on rotational hard drives, as long as the hard drive has been previously degaussed in an NSA listed degausser.

Hard Drive Media

  • H-1: Hard drive physically/electronically unusable
  • H-2: Data carrier damaged
  • H-3: Data carrier deformed, such as with a Model 0101 Crusher
  • H-4: Data carrier broken into several pieces and deformed and particle size ≤ 2,000mm², such as with a Model 0305
  • H-5: Data carrier broken into several pieces and deformed and particle size ≤ 320mm²
  • H-6: Data carrier broken into several pieces and deformed and particle size ≤ 10mm²
  • H-7: Data carrier broken into several pieces and deformed and particle size ≤ 5mm² or heated above Curie temperature

A 2mm particle, shown above, falls under the E-5 category and is the standard for the destruction of classified material on solid state drives and devices.

Electronic Media

  • E-1: Media physically/electronically unusable
  • E-2: Media broken into pieces, such as with a Model 0101 with SSD Kit
  • E-3: Media broken into pieces and particle size ≤ 160mm², such as a Model 0304 Combo Shredder
  • E-4: Data carrier (chip) broken into pieces and particle size ≤ 30mm², such as a Model 0205
  • E-5: Data carrier (chip) broken into several pieces and particle size ≤ 10mm², such as a Model 2SSD
  • E-6: Data carrier (chip) broken into several pieces and particle size ≤ 1mm² or shredded ash ≤ 1mm²
  • E-7: Data carrier (chip) broken into several pieces and particle size ≤ 0.5mm² or shredded ash ≤ 0.5mm², such as with a Model SSD1-HS

Film Media

  • F-1: Particle size ≤ 160mm², where 10% of the material may exceed the specified particle size but shall not be more than 480mm² in size
  • F-2: Particle size ≤ 30mm², where 10% of the material may exceed the specified particle size but shall not be more than 90mm² in size
  • F-3: Particle size ≤ 10mm², where 10% of the material may exceed the specified particle size but shall not be more than 30mm² in size
  • F-4: Particle size ≤ 2.5mm², where 10% of the material may exceed the specified particle size but shall not be more than 7.5mm² in size
  • F-5: Particle size ≤ 1.0mm², where 10% of the material may exceed the specified particle size but shall not be more than 3.0mm² in size
  • F-6: Particle size ≤ 0.5mm² or shredded ash ≤ 0.5mm², where 10% of the material may exceed the specified particle size but shall not be more than 1.5mm² in size
  • F-7: Particle size ≤ 0.2mm² or shredded ash ≤ 0.2mm² or dissolved. The particle size shall not be exceeded.

For more information, please visit our DIN 66399 (ISO/IEC 21964) page here.

How to Maintain Data Security in the Secure Printing Industry

February 25, 2019 at 2:12 pm by Paul Falcone

Let’s Get Personal.

When you work in the secure printing industry, you handle Personally Identifiable Information (PII) every day. Regulations such as the Fair and Accurate Credit Transactions Act (FACTA), the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), along with industry certification schemes such as Intergraf, have changed the way paper, credit cards, printing plates and more are handled and processed. With all these rules, are you taking every necessary step when these printed items reach the end of their life and need to be securely destroyed?

The Risks:

You may feel that your company or organization is doing a good job destroying data because you have been breach-free and have had no major security problems. But threats to private data are constantly evolving, changing and adapting to the systems that are in place. If you become the victim of a breach and word gets out, the following can happen:

– Loss of customers/clients and confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately lose jobs and go out of business

A frequently cited industry figure holds that over 60 percent of small businesses that suffer a breach never recover and go out of business within a year. To avoid this, you need a plan, made in advance, for destroying sensitive data correctly and efficiently.

Destruction Guidelines: What Do I Do?

Paper:

A high quality shredder can be used to destroy all documents that contain PII. FACTA's Disposal Rule requires that discarded paper be burned, pulverized or shredded so that the information cannot practicably be read or reconstructed. The NSA standard for paper to be considered unrecoverable is a 1mm x 5mm particle size; a machine like the 244/4 High Security Paper Shredder meets it.

In Europe, GDPR goes beyond requiring secure destruction of PII. Under Article 17, the "right to erasure," any data subject can ask a company to delete all of the personal data it holds on them, and the company must act without undue delay and in any case within one month (extendable by two further months for complex requests). GDPR itself does not prescribe a particle size for paper; organizations typically map personal data to the DIN 66399 security level appropriate to its sensitivity. This Unclassified shredder list lets you choose a model that meets that level and fits your workload.

Credit Cards:


PII can be left behind in the process of producing a new credit card before the card is even shipped. During printing, a printing plate is used to create the lettering, design and some of the security features on the card, and the tipping foil used to personalize cards can retain the card numbers after use.

To maintain client security, every part of the process must be properly destroyed, including the credit cards themselves. Intergraf, the European federation for print and digital communication, is a rising standard that is quickly being adopted in the secure printing industry; the most security-focused printers are choosing to become Intergraf certified as more clients request that their information be properly handled and destroyed. The standard for printing plates is DIN 66399 P-1, while for credit cards the standard is a minimum of P-5.

Credit cards shredded to the DIN 66399 P-5 standard.

When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a size no one could recover. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs free of oil.

While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could not only save you money, but your entire job and company as a whole. Keep up to date with the latest standards and use high quality shredders to ensure that you maintain data securely and professionally for you and your clients.

What’s the ‘Din’ about DIN?

February 15, 2019 at 4:03 pm by Heidi White

Under a Microscope: Dissecting the Implications of DIN 66399

Covering everything from safeguards for children's toys to design requirements for roller sports equipment, DIN standards also define and standardize the security levels for physical data destruction. Originating in Germany, DIN 66399 is steadily gaining global acceptance as the benchmark for how small, and by what method, each type of data carrier must be reduced.

The DIN 66399 P-7 standard for paper destruction (≤5mm² with a strip width ≤1mm, e.g., 1mm x 5mm) matches the NSA standard for the destruction of classified paper.

DIN 66399 specifically addresses standards for the destruction of data devices. This particular standard—which replaced DIN 32757—features over 40 variations based on protection classes, material/media and security levels. These three broad criteria are intended to drive the data device destruction process, guiding users so they can make informed end-of-life data disposal decisions.

Protection Classes

Companies or government entities must begin the destruction process by first determining what type of data needs to be destroyed. DIN 66399 has three protection classes that help you define the requirements and classification for your data:

Information from professional service firms such as law firms would fall under Class 1 or Class 2, depending on the type of data.
  • Class 1: Normal Protection: Internal data that is accessible to a fairly large group of people. Unauthorized disclosure or transfer at this level could have negative effects on a company or expose individuals to identity theft and damage to their reputation.
  • Class 2: Higher Protection: Confidential data that is restricted to a small group of employees. Unauthorized disclosure or transfer at Class 2 would have serious effects on a company and could lead to violation of laws or contractual obligations. Disclosure of personal data risks serious damage to an individual's social standing or financial situation.
  • Class 3: Very High Protection: Confidential and top-secret data that is restricted to an extremely small group of named individuals. Any disclosure here would pose catastrophic, existential threats to a company or government entity and/or lead to violation of trade secrets, contracts and laws. Disclosure of personal data risks jeopardizing an individual's personal freedom, safety, or life.

Material/Media Classification and Security Levels

Having determined the applicable protection class, consult DIN 66399 to classify the material on which your data resides and identify the corresponding security level. That security level dictates the maximum particle size to which the media or paper documents must be reduced.

SEM lists devices that meet every type of DIN 66399 destruction requirement.

DIN 66399 requirements by data device material are as follows:

  • Film: DIN 66399 Material Classification F refers to information in miniaturized form (e.g., microfilm), with security levels running (lowest to highest) from F-1 to F-7. For example, F-1 stipulates a maximum particle size of 160 mm², while F-7 stipulates 0.2 mm².
  • Optical Media: DIN 66399 Material Classification O pertains to information on optical data carriers (e.g., CDs/DVDs). Security levels run from O-1 (max 2,000 mm²) to O-7 (max 0.2 mm²).
  • Magnetic Media: DIN 66399 Material Classification T pertains to information on magnetic data carriers (e.g., ID cards, floppy disks and diskettes). Security levels run from T-1 (media must be rendered mechanically inoperable) to T-7 (max 2.5 mm²).
  • Hard Drives: DIN 66399 Material Classification H pertains to information on hard drives with magnetic data carriers. Security levels run from H-1 (media must be rendered mechanically/electrically inoperable) to H-7 (max 5 mm²).
  • Electronic Media: DIN 66399 Material Classification E pertains to information on electronic data carriers (e.g., chip cards and memory sticks/flash drives). Security levels run from E-1 (media must be rendered mechanically/electrically inoperable) to E-7 (max 0.5 mm²).
  • Paper: DIN 66399 Material Classification P pertains to information in its original size (e.g., paper, films and printing plates). Security levels run from P-1 (max strip width of 12 mm or max particle surface area of 2,000 mm²) to P-7 (max 5 mm² with a strip width of at most 1 mm, e.g., 1 mm x 5 mm).
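As an added example (not SEM's code, and nothing published by DIN or ISO), the following Python turns the particle limits tabulated in the ISO/IEC 21964 post above and summarized in the list here into a check: give it a shredder's stated particle dimensions and it returns the highest security level that output reaches. It encodes two details that a quick comparison against a spec sheet tends to miss. For paper, P-1 to P-3 are met by either the area limit or the strip-width limit, whereas P-4 to P-7 require both, so a 1.5mm x 3mm particle is small enough by area for P-7 yet only rates P-5. For film, up to 10% of particles may exceed the limit by at most three times, except at F-7; that tolerance is assumed here to be measured by particle count, which is a simplification. Levels with no size requirement (T-1, H-1 to H-3, E-1 and E-2) are outside the size check, and the NSA 1mm x 5mm paper figure is the one cited on this page.

```python
"""Evaluate which DIN 66399 / ISO/IEC 21964 security level a shredder's
output reaches, from particle dimensions.

Added example, not code from SEM, DIN or ISO. The thresholds are the
particle limits listed on this page. Two rules are encoded that spec-sheet
comparisons often get wrong:
  * paper: P-1..P-3 accept EITHER the area limit OR the strip-width limit
    (unlimited strip length); P-4..P-7 require BOTH;
  * film: up to 10% of particles may exceed the limit, by no more than 3x,
    and F-7 allows no tolerance (assumed to be counted by particle, a
    simplification of "10% of the material").
"""
from typing import Dict, List, Tuple

# Paper (P): level -> (max particle area mm², max strip width mm)
PAPER: Dict[int, Tuple[float, float]] = {
    1: (2000, 12), 2: (800, 6), 3: (320, 2),
    4: (160, 6), 5: (30, 2), 6: (10, 1), 7: (5, 1),
}
# Area-only classes: level -> max particle area mm². Levels with no size
# requirement (T-1 "unusable", H-1..H-3, E-1..E-2) are deliberately absent,
# so a particle too large for the first listed level scores 0.
AREA_LIMITS: Dict[str, Dict[int, float]] = {
    "O": {1: 2000, 2: 800, 3: 160, 4: 30, 5: 10, 6: 5, 7: 0.2},
    "T": {2: 2000, 3: 320, 4: 160, 5: 30, 6: 10, 7: 2.5},
    "H": {4: 2000, 5: 320, 6: 10, 7: 5},
    "E": {3: 160, 4: 30, 5: 10, 6: 1, 7: 0.5},
}
FILM: Dict[int, float] = {1: 160, 2: 30, 3: 10, 4: 2.5, 5: 1.0, 6: 0.5, 7: 0.2}
NSA_PAPER_MAX = (1.0, 5.0)  # NSA/CSS 1mm x 5mm, as cited on this page


def paper_level(width_mm: float, length_mm: float) -> int:
    """Highest P level met by a width x length particle (0 = not even P-1)."""
    strip = min(width_mm, length_mm)  # strip width is the narrower side
    area = width_mm * length_mm
    best = 0
    for level in sorted(PAPER):
        max_area, max_strip = PAPER[level]
        if level <= 3:
            ok = area <= max_area or strip <= max_strip
        else:
            ok = area <= max_area and strip <= max_strip
        if not ok:
            break
        best = level
    return best


def area_level(media: str, width_mm: float, length_mm: float) -> int:
    """Highest O/T/H/E level met purely on particle area (0 = none listed)."""
    limits = AREA_LIMITS[media.upper()]
    area = width_mm * length_mm
    best = 0
    for level in sorted(limits):
        if area > limits[level]:
            break
        best = level
    return best


def film_level(particle_areas_mm2: List[float]) -> int:
    """Highest F level for a measured sample, applying the 10% / 3x rule."""
    n = len(particle_areas_mm2)
    best = 0
    for level in sorted(FILM):
        limit = FILM[level]
        over = [a for a in particle_areas_mm2 if a > limit]
        if level == 7:
            ok = not over
        else:
            ok = len(over) <= 0.1 * n and all(a <= 3 * limit for a in over)
        if not ok:
            break
        best = level
    return best


def meets_nsa_paper(width_mm: float, length_mm: float) -> bool:
    """True if both dimensions are within the NSA 1mm x 5mm paper limit."""
    short, long_ = sorted((width_mm, length_mm))
    return short <= NSA_PAPER_MAX[0] and long_ <= NSA_PAPER_MAX[1]


if __name__ == "__main__":
    for w, l in [(12, 297), (6, 50), (4, 40), (2, 15), (1.5, 3), (0.8, 2.5)]:
        print(f"{w} x {l} mm -> P-{paper_level(w, l)}, NSA paper: {meets_nsa_paper(w, l)}")
```

Running the block walks from a 12mm strip (P-1 by strip width, although its area is far above 2,000mm²) down to the Model 344's 0.8mm x 2.5mm particle (P-7 and within the NSA limit). The same functions can be pointed at a vendor's figures for optical, magnetic, hard drive or SSD media before signing a destruction contract.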

The Relevance of DIN 66399 Regarding NSA Standards

In the U.S., of course, standards for the destruction of classified and otherwise protected information, and the compliance of destruction devices, are determined, implemented and monitored by the NSA, not by DIN.

Nonetheless, DIN 66399 is increasingly gaining merit worldwide, including the U.S., as reflective of best practices within the data destruction industry, and DIN is frequently referenced in U.S. data destruction requirements. What’s more, despite the use of DIN Security Standards being voluntary, they can become mandatory in certain instances when they are referred to in contracts, laws, or regulations.

For these reasons, it’s important to stay current on the structure of DIN 66399 and its compliance requirements when you are beginning your data destruction process.