Andrew Kelleher, Security Engineered Machinery (SEM)
Commentary

Get Real About Responsible Hard Drive Destruction

Just because data has been erased doesn't mean it can't be recovered. Similarly, physically destroying hard drives doesn't mean simply pounding away at them.

There is some troubling advice out there for destroying used computer hard drives. “Bash them with a hammer in the parking lot,” says one blogger. “Toast them with a blowtorch,” says another. “An acid bath is the way to go,” says a third.

Effective hard drive destruction is best accomplished with proven equipment that is safe and easy to use. And you deserve the assurance that no one is going to recapture a bit of data off your discarded drives. This is not as paranoid a view as it used to be. Data-recovery technology continues to advance, and information can be recovered even from seriously damaged drives.

If account numbers or other sensitive records fall into the hands of identity thieves, an individual harmed by the release can sue the responsible party. Hard drives might also contain information your competitors would love to see, such as customer lists, sales figures, internal pre-bid memos, etc.

A Job Worth Doing

We all have to replace computers from time to time. Just one hard drive can contain hundreds of thousands of files. When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of online activity. It is wise to lock old drives in a secure location prior to destruction.

I strongly recommend a comprehensive information-security program with written, mandatory procedures to be carried out by trusted, properly trained employees and supervised by management. Recordkeeping should include labeling that states the serial number of each drive, the computer from which it was removed, the date it was removed, and the date and method of destruction. There should be protocols for in-house monitoring/verification. For many financial-services corporations, such programs are required by federal law. The credit card industry has its own international protocols to protect customer data and proprietary information.

Tools of the Trade

Let’s take a look at some choices for the safe removal of data:

Degaussing: A degausser uses magnetism to erase a drive’s data more effectively than overwriting, provided the model chosen has a high enough coercivity (magnetic power) rating.

Crushing: Crushers deform drives. Some information remains, but it is much harder to retrieve.

Shredding: Hard-drive shredders rip drives to randomly sized strips. Some data still could be retrieved by a very determined thief, but with great difficulty.

Disintegration: For top-secret data, rotary knife mills cut shreds into smaller and smaller pieces until they are unrecognizable and unreconstructible.

The Outsourcing Option

Degaussers, shredders, and disintegrators all come in different sizes, capacities, and prices. Some businesses decide the investment is worth the peace of mind that comes from knowing sensitive records will never leave the facility intact. Others, because they cannot justify purchasing their own equipment for the relatively few drives they need to destroy, outsource destruction. If your data resurfaces somehow, you are still liable for damages suffered by injured parties, so if you choose outsourcing, be sure to thoroughly evaluate a destruction service before signing the contract. Here are some questions to ask:

1. Will the service pick up your hard drives and transport them in locked, trackable transport cases with tamper-proof security tags?

2. Upon arrival at the destruction facility, will your items be carefully inventoried and stored in a locked, monitored area?

3. Are job applicants thoroughly screened?

4. Is the facility monitored around the clock by security cameras?

5. What destruction methods will be used?

6. What proof of destruction will you receive?

7. Is the facility fully bonded and insured?

Methodical Choices Protect Your Business

I favor a “belt and suspenders” approach. For example, drives can be degaussed or crushed in house and then sent to a destruction service for shredding and/or disintegration. Although information-security programs will differ according to facility size and mission, every field of endeavor these days must address the disposal of sensitive electronic records.

Andrew Kelleher is president of Security Engineered Machinery (SEM), a supplier of high-security information destruction equipment to the United States federal government and its various security agencies.
