Chapter 6: Data Destruction Best Practices
Chapter 6 of 6 | Published on Nov 30, 2021
In the previous chapters, we covered data destruction policy and standards as key enablers for implementing the data destruction methods and techniques. This chapter of the knowledge series highlights the best practices to ensure that your data destruction framework— comprising the techniques, policy, and standards— generates the desired outcomes. By determining the best inputs for the “what”, “when”, & “how” of your overarching data destruction framework, these best practices set up your organization for consistent success.
To this end, we take a multifaceted perspective, highlighting the data destruction best practices in terms of the functional efficacy, costs, Environment, Health, and Safety (EHS) impact, and compliance aspects of a given approach.
Further, these best practices span all types of storage devices, including hard drives (HDD, SSD, & hybrid), mobile devices (iOS & Android), memory cards, embedded flash memory, point-of-sale devices, IoT devices, network devices like routers & switches, etc. We make media-specific remarks where required.
Data Destruction Best Practices: Key Areas
Before deep-diving into the best practices for data destruction, knowing the underlying key consideration areas can help you understand the needs a given best practice fulfills. This insight can help you adopt the applicable best practice(s) to suit your organization’s needs.
This area addresses the effectiveness of a data destruction method or technique vis-à-vis the target storage media. Best practices on this aspect focus on determining the ideal combination of technique(s) to sanitize a storage device such that the data is destroyed forever with no chances of recovery or leakage.
NIST SP 800-88 Rev. 1 provides an extensive media sanitization matrix by mapping the techniques to different storage media types. You can refer to Chapter 5: Data Destruction Standards & Guidelines for more details on the NIST media sanitization matrix.
Data destruction, like other business processes, incurs costs such as acquisition cost, operating expense, service costs, etc., quantifiable as Total Cost of Ownership (TCO). Best practices in this area intend to maximize the value or results attained with given methods against the total costs incurred (cost-effectiveness). The best practice also focuses on reducing the absolute costs associated with data destruction methods or approaches in a specific context.
For example, the TCO and cost-effectiveness of a degausser are considered significantly higher than that of data erasure software, considering the degausser’s high acquisition cost (US$3000–US$18000 & higher), limited throughput based on the degausser capacity, and single-site deployment at a time. In contrast, data erasure software can deliver the utility for less than US$ 5, offer pay-per-use licensing, have minimal operating expense, and can wipe several thousand hard drives at once. Further, cloud-based data erasure software like BitRaser also allows multisite deployment and erasure via a unified cloud console.
3.Environment, Health, and Safety (EHS) Impact
EHS is a critical consideration for drafting a data destruction strategy, considering the policymakers’ growing emphasis on the environment & health impact of the IT asset destruction industry. Best practices in this area focus on driving the adoption of safe & sustainable data destruction methods in line with reputed e-recycling standards like Responsible Use and Recycling (R2v3) and e-Stewards.
These sustainability standards emphasize reuse and reintegration of storage devices and e-recycling as per prevailing EHS norms. They hold IT asset destruction and e-recycling companies responsible for EHS impact, throughput tracking, facility management, focus materials, transportation, etc.
[Suggested Reading]: Are you an ITAD Upgrading to the R2v3 Standard? Here’s a Checklist!
Data is an invaluable asset as it allows organizations to deliver optimal solutions to their customers. However, data can also be a liability for businesses, considering the obligations brought upon them by data protection regulations like GDPR, CCPA, PIPEDA, etc.
Data destruction best practices keep regulatory compliance at the forefront of methods, techniques, and policies followed in a given organization.
Effective Data Destruction: Must-Follow Practices
Data destruction is a complex undertaking for organizations of all sizes across any industry. This fact considers data’s prodigal growth, the wide variety of storage devices & their lifecycle stages, emerging threat scenarios, and increasingly stringent data protection laws. You may read Chapter 2 to get insights into the key drivers of data destruction.
Considering these complexities, pursuing “best practices” is paramount to attaining successful data destruction outcomes. The following practices can help your organization traverse the sinuous road to favorable results:
1. Audit The Devices To Identify All Types Of Storage Media
A crucial aspect is to be aware of the different media types constituting a device before choosing the appropriate data destruction methods. For example, a desktop PC may comprise a hard disk drive, solid-state drive, ROM, RAM, and motherboard with embedded memory. Similarly, smartphones typically consist of integrated non-volatile memory and removable memory chip.
The NIST SP 800-88 Guideline (Section 4.1) recommends that “An organization may ask a product vendor for assistance in identifying storage media that may contain sensitive data. This information is typically documented in a ‘statement of volatility’.”
Further, mobile devices, particularly Android smartphones, tablets, and other handheld or portable devices, use microSDHC and microSDXC cards to expand their built-in storage capacity. These nonvolatile memory cards can contain additional data that may not be effectively destroyed using native sanitization techniques such as Clear (factory data reset) and Purge (eMMC Secure Erase or Secure Trim command).
For such removable & nonvolatile memory, you should contact the device manufacturer to determine the sanitization procedure based on the type of data stored on the card. Additionally, you can refer to NIST Special Publication 800-101 Revision 1 “Guidelines on Mobile Device Forensics” for more details on removable memory and data recovery capabilities.
2. Determine The Initial Configuration Of Each Device Type
Finding out a storage device’s factory configuration at the onset is crucial for the success of the data destruction procedure. The configuration details provide you vital inputs to choose the appropriate setup and technique for the best outcomes. Further, it allows resetting those configuration options that might limit access to the addressable memory locations.
According to the NIST SP 800-88 (Appendix A), “the proper initial configuration of each type of device helps ensure that the sanitization operation is as effective as possible.” The guideline recommends referring to the Defense Information System Agency Security Technical Implementation Guides (STIGs) to determine the recommended settings and factory configurations of devices.
3. Do Not Rely Solely On The Native Read/Write Interface For Overwriting
Read and write commands issued through the device interface may not overwrite all areas on the storage media. These memory locations could include areas that are not mapped to active addresses on the storage media.
As per NIST SP 800-88 (Section 2.4), “one major drawback of relying solely upon the native Read and Write interface for performing the overwrite procedure is that areas not currently mapped to active Logical Block Addressing (LBA) addresses (e.g., defect areas and currently unallocated space) are not addressed.”
4. Match The Sanitization Technique Carefully To The Media Type
Dedicated sanitize commands issued through a storage device’s native read/write interface must be carefully matched against the type of storage media and host interface. Considering the evolution of media types such as flash storage and host interfaces, relying on unverified sanitize commands can increase the risk of data exposure.
1 Logical block addressing (LBA) is a scheme for specifying the location of blocks of data stored on computer storage devices.
NIST SP 800-88 (Table A-5) states, “although the host interface (e.g. Advanced Technology Attachment (ATA) or Small Computer System Interface (SCSI)) may be the same (or very similar) across devices with varying underlying media types, it is critical that the sanitization techniques are carefully matched to the media.” For example, the SECURITY ERASE UNIT command on ATA hard disk drives and Enhanced Secure Erase feature on ATA SSDs can vary based on the make & model of the drive. Therefore, you must verify the precise command and its implementation for specific models through the OEM.
5. Avoid Using Degaussing To Sanitize The Evolving Magnetic Media
The degaussing technique faces inherent challenges to sanitizing the emergent magnetic storage media. Firstly, the evolving magnetic storage devices have stronger coercivity, hindering the existing degaussers from sufficiently demagnetizing them to attain data destruction.
As per the NIST Guideline, “traditional techniques such as degaussing become more complicated as magnetic media evolves because some emerging variations of magnetic recording technologies incorporate media with higher coercivity (magnetic force). As a result, existing degaussers may not have sufficient force to effectively degauss such media.”
Further, careful matching of the degausser magnetic field strength with that of the storage device is necessary to attain the desired outcome. However, it might be difficult to determine the media’s coercivity by checking the label.
So, avoid using degaussing or use it after overwriting the media using a data erasure software. That way, you can rest assured that the data is destroyed completely.
6. Use Cryptographic Erase (CE) With Discretion
Cryptographic erase offers an efficient method to protect the data stored on self-encrypting drives (SEDs) by sanitizing the media encryption key or MEK. Without the decryption key, the previously encrypted data on the drive is rendered in encrypted form as ciphertext, which is impossible to read if strong cryptography is used.
However, the technique cannot secure potentially unencrypted data on the device against the risks of exposure or recovery.
For example, you should not use CE if encryption was enabled after storing data on the device without prior sanitization. Also, CE should not be used on devices that were backed up or where you suspect the existence of the encryption key copies beyond your organization’s knowledge or custody. Further, cryptographic erasure may sometimes pose challenges to the verification of the results. In those cases, you should use another media sanitization method altogether or complement CE with additional procedures.
7. Maintain A Security Categorization For The Information & Media
Security categorization can help you take a targeted data destruction approach based on the confidentiality levels defined for particular information or media type. You can use the Federal Information Processing Standard Publication 199 (FIPS 199)2 to determine the confidentiality levels of data and assess the potential impact of information disclosure. Other system categorization standards you can consider include NIST SP 800-60 Rev.13 and CNSSI 12534 .
Further, be aware that information could exist in your organization without explicit categorization or labeling. This information could include internal communications such as presentations, memoranda, financial data, minutes of meeting, etc. As per the NIST Guideline (Section 2.5), “Organizations should label these media with their internal operating confidentiality levels and associate a type of sanitization method described in the guideline.”
8. Perform Full Media Sanitization Instead Of Partial Sanitization
Sometimes, an organization may prefer sanitizing a subset of the storage media instead of destroying the complete data. For example, a hard drive on a server may store the data of several customers at a time and the company may prefer destroying the data of only the churned customers while retaining the rest of the data on other storage areas on the drive.
However, in partial media sanitization scenarios, there is no definite way to ensure that all the sensitive target data is effectively destroyed. This fact is because partial sanitization generally uses the standard Read/Write commands that may not be able to directly address the target storage locations on the media. Further, the target data may reside beyond the designated locations selected for partial sanitization or stored in a manner not fully known to the user. So, we strongly recommend performing full media sanitization considering the innate challenges with determining the efficacy of partial sanitization.
9. Erase All Hard Drives Before Releasing Their Custody
A best practice you must follow to guarantee data protection is to erase all hard drives before handing over them to any third party such as resellers, IT asset destruction vendors, e-recyclers, charity, etc.
For example, erasing all hard drives before shipping them to offsite shredding facilities nullifies the chain-of-custody risks. Further, erasure also safeguards the warehoused IT assets against potential risks of hardware theft and data leakage.
Common scenarios entailing such transactions include device resell, return, donate, exchange, disposal, etc., where the organization invariably loses control over the storage media and the underlying data.
10. Verify The Data Destruction Results, Equipment, And Personnel
You must rigorously verify the end results of a given data destruction method to ascertain its efficacy in accordance with the applicable data protection and sustainability norms.
For example, overwritten or erased ATA or SCSI drives must be validated for the data destruction results by reading all the accessible memory locations. If this is not feasible, perform representative sampling by selecting pseudorandom locations on the media and verify the results. NIST SP 800-88 Guideline recommends selecting at least two mutually exclusive pseudorandom locations from different subsections of the media and read and verify them. Further, check the first and last addressable memory locations on the storage media.
Aside from verifying the results, also test and calibrate the sanitization equipment such as degausser or workstation and determine the potential maintenance needs. The verification scope should also consider the competency of personnel responsible for executing the data destruction methods.
11. Maintain “Tamper-proof” Records Of Data Destruction
For every storage device or drive sanitized, you must preserve a verifiable certificate and report of data destruction. These records serve as tamper-proof audit trails to meet compliance with applicable data protection laws. They also help organizations comply with standards that place additional obligations towards controlling the EHS impact of the shredding and e-recycling industry.
Further, maintain these data destruction records in a readily accessible & shareable form to provide on-the-minute evidence for contingent situations. Imagine, a claimant appealing to legal authorities concerning their personal data leakage from a drive or server that belonged to your organization! Having a data destruction certificate for the drive— preserved in a tamper-proof and readily accessible form— will provide you strong evidence for rebuttal.
For legally admissible and compliant recordkeeping, we recommend going with data destruction solutions that natively generate digitally signed certificates & reports for immutable (tamper-proof) documentation. Further, choose a solution that provisions cloud repository to maintain historical audit trails with always-on and anywhere access. Generally, this kind of system of records is available with professional data erasure software.
View the sample report and certificate generated with BitRaser:
12. Consider The Cost Vs. Benefit Tradeoffs When Choosing A Method
Costing is a decisive component of the data destruction strategy, impacting the choice of methods and techniques. So, organizations should assess the available data destruction methods based on a cost-benefit analysis.
For example, methods like degaussing might not be a cost-effective solution considering the high upfront costs of acquiring and operating a degausser, restricted application scope, and limited per cycle output. In comparison, the overwriting technique implemented using professional data erasure software can offer a highly cost-effective solution through pay-per-use licensing options. Further, you can execute data erasure through existing computer systems and IT infrastructure without incurring additional expenses. From a benefits perspective, data erasure software offers scalability, fast execution, multi-site deployment with high manageability, and tamper-proof audit trails in the form of reports and certificates.
Further, physical destruction methods such as shredding involve third-party vendors considering the need for specialized competence. The cost-effectiveness of physical data destruction methods depends upon factors like volume of storage devices requiring sanitization, type of storage media (HD vs SSD), logistics needs (onsite vs offsite). A key benefit of shredding is a comprehensive utility, as the method can destroy the data stored on virtually any type of storage media. However, physical destruction results in hazardous e-waste, making your company liable for adverse impacts on the environment, health, and safety (EHS).
13. Consider The EHS Impact Of Data Destruction Methods
Like data security, environmental impact and personal health are other crucial needs of safe and compliant data destruction. Responsible recycling standards like R2 and e-Stewards obligate e-recyclers and IT asset destruction services to comply with the guidelines to attain compliance.
According to R2 version 3 (© SERI, 2020: The R2 Standard by SERI Version 3 (R2v3)), “an R2 facility shall identify, analyze, and demonstrate effective control of important environmental impacts, and health and safety risks that it can control and those that it can influence, both internal to the R2 Facility and through its recycling chain activities.” Similarly, section 8.4 of e-Stewards® Version 4.0, directs e-recyclers to process only those electronic equipment for which they have sufficient technical capability and further identify and manage environmental, health, safety, and operational risks.
As an enterprise, you need to consider the EHS impact of data destruction methods like shredding and degaussing that invariably cause e-waste generation. Instead, you can choose overwriting or a combination of native media-specific commands to sanitize and reuse or resell the media. Also, exercise due diligence while signing agreements and defining liabilities, and maintaining the data destruction record for every single storage device sanitized and/or recycled by the vendor. The Morgan Stanley data breach incident reported in July 2020 presents a stark example of an organization finding itself amid a legal storm due to alleged lapses in vendor management.
14. Perform Due Diligence When Hiring & Dealing With Vendors
This is another critically important best practice that can save your organization from data breach risks due to lapses on the data destruction vendor’s side. Firstly, organizations must conduct rigorous research and gather supportive evidence on the vendor’s practices and historical track record through references before onboarding it.
15. Create And Maintain A Formal Data Destruction Policy
Create a formal policy document capturing all the critical aspects necessary to perform effective and compliant data destruction. The document should comprise specific guidelines on the types of data destruction methods used for the different storage media and information.
Also, include the checkpoints and specific people with their responsibilities through the devices’ chain of custody. Further, maintain the document’s version record and keep it updated as per the latest notifications and updates in the industry standards.
[Further reading]: Data Destruction Policy — Everything You Need to Know
Compliant data destruction is imperative for businesses to operate in the rapidly evolving data privacy landscape shaped by laws such as GDPR, CCPA, and the like. Today, organizations’ ability to execute a robust “data destruction practice” underpins their ability to sustain the whirlwind of exceedingly nuanced and stringent data privacy laws. Any lapses in data destruction can lead to financial losses, brand damage, and litigation due to data breaches. It can also dampen the long-term prospects for the company and even risk its existence.
This chapter described the best practices to attain effective and compliant data destruction in line with the regulatory norms and applicable circumstances. Adopting these practices can ensure your organization the best outcomes consistently.
Looking for advice on data destruction best practices, solutions, or any other aspect?
Please drop us a note on email@example.com, our experts will reach out to you.