Rapid technological advancements have led to massive transformations in the electronics industry. As a result, best practices and industry standards must constantly evolve to keep up with these latest developments. To that end, and to address the issues that the electronics industry is currently facing, the R2 Standard Consensus Body approved its formal interpretation of data sanitization software, which was published by SERI and went into effect on November 29th, 2022.
Why did SERI Publish Formal Interpretation of Data Sanitization Software?
R2V3, data sanitization requirements are covered under Appendix B, which applies to all R2 Facilities, including those ITAD that provide logical data sanitization (Using data sanitization software) and enhanced physical sanitization. However, during industry audits, SERI discovered several challenges faced by the electronics industry while implementing the data sanitization requirements on modern data-bearing devices. Therefore, SERI published a formal interpretation of data sanitization software in Appendix B to counter the challenges.
The challenges faced by the industry that prompted SERI are as follows:
- Promoting A Circular Economy: The Core 2 requirements in R2V3 are to support and promote a circular economy that requires the Reuse of electronic devices. Such devices can be reused only when data is sanitized using logical techniques. However, as discussions on logical data sanitization in R2V3 have revealed, devices will almost certainly be physically destroyed to protect sensitive data if there is no guarantee that data cannot be recovered. Transparency about who, what, where, when, and how a device was sanitized and documentation of each sanitization step holds the technician accountable for sanitization. It lends credibility to the sanitization process, boosts confidence, and promotes the Circular Economy.
- Increased Usage of Smart Devices: The smart device market has blown up, with more and more devices being sold without a data sanitization plan. The new devices have distinctive designs and smart storage capabilities that cannot be accessed and sanitized by commercially available data sanitization software. However, the software could incorporate the manufacturer’s reset instructions to manage the procedure and generate trustworthy records of data sanitization. Hence, it becomes prudent to have a data sanitization solution that complies with the new requirements.
- Improper Data Sanitization: Following improper data sanitization methods, like deleting, can lead to residual data and impede proper sanitization. Techniques like formatting and factory reset can be dangerous, as cited in the blog Myths of Data Erasure.
- Verification of Sanitization: R2V3 has set the level of sanitization to lie between NIST Clear and Purge methods. Clearing a device using a factory reset is not always viable for R2v3 because visual inspection would not satisfy Appendix B clause 13 requirements. However, Purge, on the other hand, goes beyond what R2v3 demands making data recovery infeasible even in laboratory settings. Appendix B (13) requires a minimum of 5% of the logically sanitized data storage media to be verified by a competent and independent party to demonstrate that data is not recoverable by commercial data recovery software.
After long deliberations and discussions, the R2 Standard Consensus Body approved the formal interpretation (1.0) in accordance with Article 10 - Interpretations Policy in the SERI Manual of Policies and Procedures.
R2V3 Formal Interpretation of Data Sanitization Software:
According to SERI, data sanitization software must be able to automate, regulate, and record results for each step taken in the sanitization process. In addition, data sanitization software can also include applications that can direct, control, and record manual workflow in devices that do not support automated sanitization software. The software must satisfy the data sanitization requirements in Appendix B clause 11 and the records requirements in Appendix B (10). However, formal interpretation does not apply when software is available, but the device is broken and cannot be linked to a computer. This interpretation should be implemented whenever software is available and is intended to replace manual resets with automated software solutions. Still, it prohibits using manual reset instructions for malfunctioning equipment where automatic software sanitization is an option.
The R2 Certified facilities are responsible for all data-bearing devices in their facility. The R2 Standard defines ‘Data’ as:
“Data is the private, personally identifiable, confidential, licensed or proprietary information contained on an electronic device or memory component that requires secured management and sanitization under this standard. Data does not include General Information as defined in the R2 Standard.”
The Standard also defines ‘General Information' as follows:
“General information is publicly available information or information that is provided with the original electronic equipment from the manufacturer. General information does not require sanitization.”
An R2 facility must examine 3 factors to establish the device category and data sanitization method
- Data Storage: The first consideration is whether the electronic device can store ‘Data.’
- Data Sensitivity: The second is whether a device has “Data” as defined by the R2 standard that needs to be sanitized or has “General information” that doesn’t need to be erased.
- Data Location: The third factor is whether the gadget keeps the data locally or remotely on a PC, Server, Cloud, etc.
Importance of Data Sanitization Records for R2v3 Audits:
According to SERI, simple records on a spreadsheet that showcases data sanitization are not considered acceptable records of software-based sanitization as these will be more susceptible to errors and may lead to an episode of a data breach.
SERI recommends Data sanitization records requirement in Appendix B (10) that have been modeled after NIST SP 800-88 Rev.1 Section 4.8 and include various parameters like:
- Device manufacturer
- Model & serial number
- Media Type (i.e., magnetic, flash memory, hybrid, etc.)
- Sanitization Type (Clear, Purge, Destroy)
- Software Used (including version)
- Sanitization person
- Verification method and person, etc.
- Unique Identifier assigned
You can read about the detailed data erasure records requirements on the SERI website.
Data Sanitization software like BitRaser generates tamper-proof reports of erasure that list all the parameters for secure data erasure as defined by SERI and NIST.
Furthermore, while assessing the integration of manual manufacturer reset procedures in Appendix B (11), it is important to review the manufacturer’s instructions carefully to:
- Ensure that the instructions render the data unavailable rather than just resetting the device’s settings.
- Ensure that workflow is structured to fail the process if there is any disturbance during the sanitization process.
- Update the instructions in the software with software patches and any manufacturing changes.
This formal interpretation of data sanitization software is binding and will be audited as part of an organization’s R2 certificate.
Conclusion:
The R2 standard continues to pave the way for a brighter future, with environmental sustainability and electrical Reuse as its primary goals. SERI’s latest publication gave a readily understandable interpretation of data sanitization software to the electronics industry. It will be useful for R2-equipped facilities dealing with data sanitization issues with technically advanced storage devices while also dispelling concerns about the data sanitization approach for damaged devices.