By: Nihad Hassan
July 28, 2020
Data Destruction Policy
By: Nihad Hassan
July 28, 2020
As the world continues to digitalize, the dependence on papers and photographs has become its lowest. Digital transformation has changed how we study, work, shop, communicate, travel, bank, and even how we take care of our health. Nowadays, most information is created digitally and does not go onto paper at all.
Organizations of all types, both public and private, utilize computer technology to store and process data. As data storage costs go down, organizations are now storing huge volumes of digital data about their work and customers. Big companies like Amazon and Google have the necessary budget to keep all these data stored. However, the majority of organizations worldwide have limited data storage capacity, so they continually overwrite old digital data with the new data needed for their work.
On the other hand, when an organization wants to dispose of its old computing devices (laptops, desktops, storage media such as USB drives and external drives, tablets, smartphones), it must make sure that the storage devices do not contain any sensitive information. Deleting data from or formatting the device is not an effective solution to destroy it safely, as many recovery techniques can recover deleted data. By having a data destruction policy in place, an organization can be assured that no sensitive data leaves its doors and lower the possibility of a data breach that can lead to legal disputes.
Data destruction is considered an integral part of any high-quality data management program in today's digital age. Authorities in most countries require organizations and corporations that handle private data to destroy it securely to protect individuals and businesses from the potential impact of a data breach or inadvertent disclosure. Besides, if a company has work relations with other companies that include storing and exchanging information, the contract may specify how such data will be destroyed later. These terms should be obeyed carefully to avoid any legal issues.
A data destruction policy should come after your data retention policy. For instance, the data retention policy will state how long data and records are kept, and will also detail where data is stored within an organization's IT systems. Knowing the storage location of your data is essential for any successful data destruction policy. Many organizations store the same data in multiple locations (backups), and all these copies should be destroyed when disposing of the original version. On the other hand, sensitive data stored on outdated devices should be appropriately destroyed before sending it to trash or selling them as used items.
There are three types of hard drive destruction techniques: physical, degaussing, and logical destruction (sanitizing). Before describing each technique, it's important to understand the different types of computer hard drives in use.
- Hard disk drive (HDD): This is the traditional (mechanical) hard disk drive. It uses a metal platter made of glass or aluminum coated with magnetic material to store the digital data. This type is still widely used by organizations and individuals worldwide because of its reliability and low price.
- A solid-state drive (SSD): This is a more advanced version of a drive. It does not contain any moving parts and stores data on small microchip units, similar to USB flash drives. An SSD is faster than an HDD, but it is more expensive.
When destroying digital data, any of the following three methods could be used:
- Physical destruction: In this type, digital storage media (such as hard drives, USB sticks, magnetic tapes, CDs, DVDs and Blu-ray discs, and any digital storage media) is destroyed physically to prevent recovery. This is the most secure option and is commonly used by government organizations and some corporations to destroy high sensitive data.
- Degaussing: This technique works by exposing the HDD or magnetic storage media to the powerful magnetic field of a degausser to destroy stored data magnetically. This destruction technique will not work for SSD drives, as this type does not store data using magnetic materials.
- Logical destruction of data (sanitizing): This is the most commonly used technique by individuals and organizations to assure the safe destruction of data while still preserving the storage device to store data again. It works by using a specialized program to cover the old data and remnants of data with random characters written by the wiping tool.
Algorithms Used to Wipe Data on Hard Drives
There are different algorithms deployed to wipe clean (logical data destruction) digital data securely. The following table mentions the most popular and secure one.
There are different tools already available that implement these algorithms (some tools implement more than one destruction algorithm) when wiping data. The following table lists the most popular ones.
Any organization operating in today's information age must have a data destruction policy that states how digital data should be destroyed when it is no longer in need. Data protection laws around the world specify the amount of time each type of data could be retained by any organization, and detail how such data should be destroyed. Maintaining an up-to-date data destruction policy helps you comply with related regulations and avoid any legal disputes if a data breach occurs.