This article originally appeared in the Summer 2019 issue of E-Scrap News. Subscribe today for access to all print content.
For IT managers, the eradication of hard drive data might seem similar to pulling up dandelions from the front yard.
You hope the weeding gets out all the roots in the same way you cross your fingers and pray sensitive data won’t show up one day on those drives you discarded.
There’s an extreme way to rid your lawn of unwanted flora: build a concrete patio. But while the weeds will certainly not reappear again, the cost in doing so is high, both financially and environmentally.
The same is true for data management. Many IT departments and business owners push to shred drives so they know the information is gone for good. But often there is a more nuanced and beneficial way to get to the root of the issue.
The downsides of destruction
It’s certainly true that great satisfaction comes from hearing metal ground into confetti. And at the end of the process, you are left with physical evidence that the designated media cannot be recovered.
But the question remains: Is all of that truly worth it?
While there are occasions when hard drive shredding does make sense, or is even required, it shouldn’t be the “go to” solution every time clients need to delete data from old drives in a secure and accountable fashion. In most situations, it’s the data that needs to be destroyed, not the hard drives themselves.
Let’s consider some of the disadvantages to the shredding approach.
First and foremost, drive destruction is costlier than data erasure. This makes sense, since destruction requires special shredding equipment to complete the task. The hard drives must also be transported either before or after the shredding process, adding another cost. Furthermore, if the drives are transported before the actual destruction process, you have added a window in which drives could be lost or stolen.
Then there is the fact that once the drives are shredded, they no longer have any inherent value. When drives are wiped, on the other hand, they can be sold on the secondary market and garner income that can finance the purchase of new drives. Like any business decision, opportunity costs should be considered when choosing between erasure or shredding.
Another important piece to keep in mind is the environmental cost. Hard drive destruction produces metal fragments that must be disposed of someplace, and with China no longer accepting many types of scrap metal, the dilemma has grown even more challenging. What’s more, computer hardware contains toxic metals that do not decompose and can eventually leak into groundwater. Corporate clients that promote green initiatives or are environmentally conscious should be aware of these negative impacts from drive destruction.
In addition, while shredding will efficiently destroy many drives, solid state media require special methods in order to be effective. With SSD shredding, the destruction machinery needs to be specifically engineered, as rotational disk shredders produce a larger shred size. Such engineering can add expenses and time.
Finally, it’s important to remember that companies that must provide documentation for industry or government compliancy concerning data destruction simply get a certificate of destruction, whether they data-wipe the drives or take the extra step to physically destroy them. In other words, there are no regulatory brownie points for shredding.
Building support for erasure
When we talk about the secure deletion of data, we aren’t talking about DIY techniques that simply reformat a drive. “Delete and reformat” does not equal erase. The complete deletion of data requires more than the equivalent of sending it to the recycle bin on a computer desktop or running the Diskpart utility.
But how do you explain the sophistication and reliability of our industry’s erasure methods to nervous or skeptical clients?
Getting IT managers on board with software-driven data destruction is a touchy topic. At Exit Technologies, we approach this conversation by highlighting the three steps we take for drive data destruction and hardware recycling. We follow these same three steps regardless of whether we are working with government entities, Fortune 500 companies or other private-sector clients. By making it clear we have a tested and standardized approach, we help earn client trust.
The steps we follow and lay out for customers are as follows:
- Breakdown, palletize and ship: It is important to know who has access to the hardware and data. Once a client’s equipment is palletized, we schedule a freight carrier to pick up the equipment and transport it to our R2-certified facility. Hard drives are stored in a secure room until erased.
- Wipe away: We use a proprietary system to access the hard drives without hardware or software-based manipulation. The drive is tested to make sure it will wipe properly. The data is then wiped and overwritten by using zeros and ones to overwrite meaningless information onto all the sectors of the device. By doing so, the original data is rendered unrecoverable and the drive is now securely and properly sanitized. Make sure the data wiping software holds the same guidelines as the U.S. Department of Defense or better to ensure data can never be pulled from the drive.
- Offer validation: To ensure each drive was wiped, we provide a certificate of destruction for each serial number. We also provide detailed chain-of-custody reporting as well as an open line of communication so that clients can see exactly where their equipment sits in the process chain at any given moment.
Of course, it’s also critical to be able to clearly explain to IT managers why data erasure is the preferred choice and why exactly it can be less expensive and better for the environment.
One big upside is flexibility in terms of who needs to be where. Because the erasure process is software-based, data destruction can take place both locally and remotely over the network.
In addition, a single erasure process can typically handle both SSD and HDD drives, meaning all component types can be handled simultaneously. This reality boosts efficiency.
Another important point is that companies and institutions are increasingly reliant on data deletion solutions. With the passage of sweeping governmental compliance regulations, such as Europe’s GDPR and the California Consumer Protection Act, customers now have the right to request that their data be erased. This is referred to as the “right to be forgotten.” It’s impractical for companies that have user information on hand to shred drives for every request.
And of course the ultimate advantage is that erasure allows for the reuse of drives. By developing a cyclical process of drive wiping, companies can make sure they limit the amount of unnecessary data that just sits there laying vulnerable to data breaches.
The signs of a vigilant provider
Working with an experienced ITAD company shouldn’t require a leap of faith when it comes to the data erasing process.
An experienced ITAD company that is certified in their practices will first test each drive to confirm that it is indeed wipeable so that there will be no doubt about data security. In the event the drive is not wipeable, the device is flagged for destruction.
A vigilant ITAD company will also ensure the security of client data. While the National Institute of Standards and Technology (NIST) attests that a single pass of wiping is sufficient, many companies will perform triple passes upon request. Each additional pass increases the effectiveness of the erasure process with the goal being 100 percent unrecoverable drive data.
At the end of the process, the ITAD provider will issue a certificate of destruction for each drive according to its serial number. Many also provide chain-of-custody reporting so that the customer can visually see what step of the process their drives are currently in.
Hard drive shredding isn’t a bad thing; it’s just not always a necessary thing.
The process of erasure has evolved a great deal in the past decade and is now a proven system for destroying data in a secure and accountable way. With the guidance and services of an authorized ITAD service provider, companies and institutions shouldn’t have to worry about any remnants of their data poking up like dandelions ever again.
Kyle Rex is marketing manager at Naples, Fla.-based IT asset recovery company Exit Technologies. He can be contacted at [email protected]. More learn about data management and destruction options at the Exit Technologies website, exittechnologies.com.