All About Data Destruction And How ITAD Helps
As the word says, data destruction is annihilating the data once and for all. It is equivalent to removing the existence of data to its last traces. But does deleting a file eradicate that particular data? Or does physical destruction eliminate the data from the device? How is every minuscule piece of data that's ever created removed from the digital loop?
Find answers to all your queries about data destruction in the sections below.
The necessity of data destruction
We are steadily becoming a technology-driven world with data as the epicenter of almost everything. Be it your own device or an institutional setup, both active and dormant information on machines needs to be destroyed once it has served its designated purpose. So, to ensure the security of every data set, it's important to destroy it.
Here are a few points that explain the importance of data destruction:
- Legal Requisite
- Phishing attacks
- Business Reputation
- Decommissioning equipment
- E-waste reduction
Legal Requisite: Businesses are mandated to protect their clients' crucial information. Confidentiality of even minor details is important to ensure their trust, and therefore for the growth of the business in the public domain.
For example, the European GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act) of the United States, and Data Protection Act of the United Kingdom have strict policies for data management by legally registered companies. They have laid down protocols for its destruction as well.
In case of failure of legal compliance, companies face accusations in court. Britain’s National Health Service Trust underwent a legal suit in 2012 for vending a computer on a digital platform that had the records of its patients. The institute had to pay a heavy tax of $500,000 as compensation.
Phishing attacks: As the internet progresses, so does its complexity, entangling every component present on the web. This emphasizes the importance of data destruction to protect data from espionage, cybercriminals, malware, and illegal data traders.
Often, stories about data auctioning (Oklahoma Corporation Commission’s data of more than 5,000 social security numbers was auctioned) are heard when a famous company suffers massive hacking of their IT systems leading to identity theft and defrauding activities. To avoid this, it is important to protect data after it is used; data destruction is the ultimate method of doing so.
Business Reputation: Privacy is the foremost priority of clients, employees, and customers of a business. The larger the company, the higher the risk of a data breach. This puts the personal information of patrons at risk, consequently affecting the repute of the enterprise.
As per reports, 81% of consumers do not prefer to use the services of a company that has suffered a data breach in the past.
Decommissioning equipment: If you are planning to discard one of your electronic devices such as a computer, tablet, SSD, hard drive, or mobile phone, do keep in mind that even a complete format does not terminate the existence of files from the equipment. It reaches its dead-end only after data destruction, which becomes even more important in cases of reselling or refurbishing.
The renowned University of Florida College of Medicine, Jacksonville, suffered data leakage, which included photographs of more than 1,000 patients, due to improper disposal of a computer.
E-waste reduction: Often, companies prefer destroying their physical assets intending to remove the information. However, technically advanced data destruction methods eradicate information to the extent that even forensic analysis fails to trace its existence.
Devices can be remodeled and reused after this procedure makes their data unrecoverable. Thus, data destruction is a substantial contribution to reducing e-waste, subsequently reducing carbon footprints and protecting the mother earth.
Mechanism of data destruction
Data destruction is now a full-fledged branch of data science. Several methods have been developed to achieve accuracy in the 100% removal of targeted data. The sensitivity of information is the biggest factor that determines the method of data destruction used. Some of the techniques are elaborated on below.
Overwriting
Similar to re-recording a cassette, overwriting is the process of writing new data over the previous data to make it unreadable. It is one form of data wiping, which overwrites the existing data with a specific or random pattern of 0s and 1s. Using a specific pattern aids in verifying the replaced data.
Standard Protocol
The wipe standards were issued by the Department of Defense of the United States (DoD 5220.22-M). These protocols ensure resistance to both software and hardware-based data recovery techniques in an HDD.
The 3-pass method implements the overwrite process as follows:
- Pass 1: Overwriting all target locations with binary 0s.
- Pass 2: Overwriting all target locations with binary 1s.
- Pass 3: Overwriting all target locations with a random bit pattern
- Verification of the overall pass
- Extended seven-pass method
Currently, the DoD doesn’t emphasize any standard protocols; however, the 3-pass method is followed across the globe.
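The three passes and the verification step above, sketched in Python as an added example (not code from the original page or from any wiping product). It runs on a constructed temporary file and the function names are illustrative; a file-level overwrite like this does not reach remapped sectors, host-protected areas or copy-on-write storage.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # write and read back in 64 KiB blocks


def _pass_stream(kind, length):
    """Yield the bytes for one pass: 'zeros', 'ones' or 'random'."""
    remaining = length
    while remaining > 0:
        n = min(CHUNK, remaining)
        if kind == "zeros":
            yield b"\x00" * n
        elif kind == "ones":
            yield b"\xff" * n
        else:
            yield os.urandom(n)
        remaining -= n


def overwrite_pass(path, kind):
    """Overwrite the file in place; return the SHA-256 of what was written."""
    length = os.path.getsize(path)
    written = hashlib.sha256()
    with open(path, "r+b") as fh:  # r+b overwrites without truncating
        for block in _pass_stream(kind, length):
            fh.write(block)
            written.update(block)
        fh.flush()
        os.fsync(fh.fileno())  # push the pass out of the page cache
    return written.hexdigest()


def read_back_digest(path):
    """SHA-256 of the current contents. This read goes through the OS cache;
    a real wiping tool reads back from the device itself."""
    seen = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            seen.update(block)
    return seen.hexdigest()


def three_pass_wipe(path):
    """Run zeros, ones, random and verify each pass: [(kind, verified)]."""
    report = []
    for kind in ("zeros", "ones", "random"):
        expected = overwrite_pass(path, kind)
        # A random pass can only be verified against a record of what was
        # written, hence the digest comparison rather than a pattern check.
        report.append((kind, read_back_digest(path) == expected))
    return report


def demo():
    """Wipe a constructed sample file: (report, residue_found, size_kept)."""
    secret = b"CONSTRUCTED-SAMPLE patient-id=0000 " * 5000
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        report = three_pass_wipe(path)
        with open(path, "rb") as fh:
            after = fh.read()
        return report, b"CONSTRUCTED-SAMPLE" in after, len(after) == len(secret)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```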
Pros of Overwriting
- Ease of use due to availability of software to execute it.
- Data can be overwritten on an entire device or some segment of it.
- The number of wipes depends on the level of security of the device; multi-layer secured equipment requires multiple wipes.
- It is an environment-friendly method of data destruction.
Cons of Overwriting
- The foremost requirement is that the media to be overwritten should be intact.
- A certified software application is needed for the host-protected part of the media.
- High-standard overwriting methodologies must be followed for a successful process.
- Somewhat expensive, since it requires guidance from an experienced data destruction firm, and license costs also have to be covered.
- Time-consuming.
- No data security assurance is involved.
Degaussing
A foolproof method of data destruction, degaussing destroys data stored in the magnetic field of a device. It is executed in two steps. First, high-powered magnets are deployed to disrupt the original magnetic field of a floppy disk, hard drive, or magnetic disk. Then a degausser is used to perform data destruction.
Pros of Degaussing
- Implemented in very little time
- Successful in rendering data unreachable by software applications
- Suitable for the destruction of very sensitive and crucial data for business firms
Cons of Degaussing
- Makes the equipment unusable as it destroys its basic integrity
- No method to verify 100% removal of data from the equipment. An electron microscope is helpful in this case; however, it is a costly option
- The determination of magnetic fields is a difficult task.
Physical Destruction
As the word says, it is destroying equipment physically by throwing it from the 10th floor of a building or smashing it with a hammer. Physical destruction assures companies of 100% trashing of the data stored in it. This is the only method of data destruction for SSDs.
Standard Protocols
Two standards that are followed for physical destruction are NSA/CSS Policy Statement 9-12 (NSA/CSS Storage Device Sanitization) and the NIST Special Publication 800-88 (Guidelines for Media Sanitization).
Methods of Physical destruction
It's not just hammers; there are several designated methods of physical destruction, which are listed below.
- Incineration
- Shredding
- Cutting
- Embossing/knurling
- Burning
- Chopping, pulverizing, and wet pulping
- Smelting
Pros of Physical destruction
- 100% satisfaction about data destruction
- A simpler process as compared to other methods
Cons of Physical destruction
- Contributes to electronic waste and thus hampers the environment negatively.
- Costly
- Prone to fallacies
- No verification process to guarantee all data is destroyed.
- Not a foolproof method, as forensic analysts are trained to retrieve data after this method.
Shredding
This method applies to almost all kinds of devices, including SSDs, optical drives, hard drives, motherboards, laptops, and debit cards.
It is suggested for enterprise centers with bulk hard drives and other types of equipment to destroy. It involves reducing electronics to sizes less than 2 millimeters.
Crypto-shredding
It involves the destruction of keys that are responsible for the encryption of data, rendering it impossible to decrypt.
Pros of Shredding
- Reliable and cheap method of data destruction
- Recommended for high-security data sets
- For crypto shredding, only centralized encrypted keys need to be shredded, followed by automated implementation on others.
Cons of Shredding
- Contributions to e-waste
- Crypto Shredded data still occupies the memory space in the system. Researchers advise using a combination of physical destruction and software-based data erasure methods to achieve maximum efficiency.
Data destruction vs. Data Sanitization
Data sanitization is the next level to data destruction. The latter is only related to the destruction of data from electronic equipment, whereas the former is concerned with the assessment of the percentage of data that has been destroyed.
Data sanitization has been emphasized by government agencies to maintain the CIA triad, i.e., Confidentiality, Integrity, and Availability. It is based on NIST 800-88 recommendations that suggest data be Cleared (overwriting), Purged (degaussing or overwrite), and Destroyed (shredding or incineration).
Need of data sanitization
With an increasing number of digital devices and a subsequent increase in stored data, data sanitization becomes important to secure private information from the vulnerability of the internet.
Constant connectivity with IoT devices, cloud-based servers, and other electronic devices expose crucial information to public networks. Data sanitization protects the data by masking it, protecting it from unprecedented breaches.
It plays an important role in huge data sets with private information such as association rule hiding, Privacy Preservation Data Mining, and blockchain-based secure information sharing. These are widely used in the healthcare sector to secure the information of millions of patients on hospital databases.
Methods of data sanitization
- Physical Destruction: This is the manual method of data destruction. It includes degaussing and shredding. The device cannot be reused after physical destruction.
- Cryptographic erasure: A quick and reliable method of data sanitization as it involves the removal of the encryption key that is responsible for encrypting the whole system. Once the encryption key is destroyed, the system is rendered indecipherable.
- Data erasure: Similar to overwriting, data erasure involves disguising all the targeted data by binary 0s and 1s. It is said to be the most precise and verifiable method as an analysis can be done to check the percentage of data that is masked. This method also maintains the sanity of devices and makes them reusable.
Data destruction policies: ITAD
Data destruction is a regulated process. The protocols that govern the disposal of unwanted and damaged hardware are known as IT Asset Disposition (ITAD). It is considered an emerging focus area of the third-party technology risk domain.
ITAD ensures data destruction efficiently. They figure out how much data needs to be erased, what part of the hardware will be damaged to what extent, and can also save on some systems which can be managed to reuse. There are two reasons which make ITAD an integral component of data destruction.
- Data Privacy: All data is not important. This means that every data set is sensitive to different degrees and thus can be disposed of in different formats. ITAD guarantees data sanitization to the endpoint of its existence, therefore, making sure that all private data is discarded without traces.
- Environmental concerns: Gone are the days when physical destruction or shredding were the only formats of data destruction. Along with the data, it is important to reduce the number of scraps that reach landfills.
ITAD based companies specialize in methods of software-based destruction that render the data unrecoverable and also save on equipment damage. Many times mid-way solutions are possible where data is destroyed and the device is refurbished, extending its life cycle for another decade or more.
ITAD certification
Every process needs to be standardized to maintain its consistent execution. Data destruction vendors also carry out data destruction under some standards that depict their level of services, the efficiency of data destruction, and thus, the success of the procedure. Here are a few certifications awarded to ITAD vendors for their compliance with the standards issued by these bodies.
- National Association for Information Destruction (NAID): It is the supreme authority that formulates standards relating to the data destruction industry. The NAID acts as a consumer protection forum that scrutinizes data destruction providers and inspects the efficacy of methods used by them to protect consumer information. NAID is also responsible for developing and upgrading new and existing methods of data disposal to achieve maximum annihilation of data. It offers AAA certification that ensures the following three things.
  - NAID AAA certification includes handling, transporting, storage of equipment before destruction, followed by secure destruction and disposal.
  - A comprehensive, three-tier background screening strategy is utilized to verify that no person with a known criminal history will be managing confidential data-related devices.
  - Companies registered with NAID AAA are subject to an unannounced audit program that inspects their standards of service and compliance with the protocols.
- ISO/IEC 27001: Introduced specially for Information Security Management Systems (ISMS), this standard details essential requirements for launching, implementing, and improving the ISMS. It deals with the security of critical information like financial details, IPR, consumer data, and legal credentials. It is now becoming an integral component of ITAD, intending to maintain the privacy of consumer data.
- Assured Service (Sanitisation) Scheme (CAS-S): Designed by National Cyber Security Standard, U.K, CAS-S aims to execute cybersecurity surveillance across the web and believes in an agile response to malware. It mainly deals with government data.
- R2 (Recycling and Reusing): Although launched in 2005, R2 has been upgraded consistently and is currently in its third stage of renovation, termed R2v3 (2021). This is regulated by a non-profit organization in the US, SERI (Sustainable Electronics Recycling International). R2 certification mandates following the NIST 800-88 Guidelines for Media Sanitization. It standardizes the sanitization protocols for the destruction of covert data according to its sensitivity and confidentiality. It is developed in a way to ensure environmental safety and tracking throughput for successful data storage, security, destruction, and finally, recycling.
- Asset Disposal and Information Security Alliance (ADISA): Approved by the UK Information Commissioner under the GDPR scheme, ADISA was launched by a Hertfordshire-based audit team. It is known for its two tools for data sanitization, namely the Product Claims Test (PCT) and the Product Assurance Test (PAT).
- e-Stewards: Introduced in 2009 by the Basel Action Network, e-Stewards was launched to curb the release of e-waste related hazardous trash. The ISO-4001 standard compliance is mandatory for ITAD vendors to receive e-Stewards certification.
Executing IT Asset disposition: End-of-life disposition
Executing IT Asset disposition: End-of-life disposition Top
Data disposition requires vigilance to destroy it to make it extinct. Often minor loopholes make it recoverable and pose serious consequences if handled by data thieves. Therefore, a few things should be kept in mind while implementing the procedure of data destruction and selecting a data destruction service or vendor.
- Verify 100% data wiping of the device in consideration
- Security during logistics
- Tracking of the IT assets
- Sustainable routes to the 3 R's
- Recycling and shredding of end-of-life assets
Verify 100% data wiping of the device in consideration: As per standards laid down by the Department of Defense, the German Federal Office for Information Security (BSI), and the UK HMG Infosec Standard No. 5, data wiping eradicates data up to 99.999%.
Therefore it is important to select a vendor that is compliant to pace up with the system upgrades and incomplete wiping scenarios. Hard drives and various mobile devices have previously experienced this glitch and require consistent monitoring to check the presence of wiped data.
Secondary verification of hard drives and devices is also an option in such cases. Often the cost of wiping is comparable to the value of the device, and a competent vendor should suggest a better idea between wiping and manual destruction. Some ITAD service providers have also derived sustainable solutions that allow refurbishing of the device after data wiping.
Nevertheless, the core concern remains the same: ensuring that data stored in the equipment is wiped completely.
Security during logistics: For successful destruction of data and devices, the equipment must reach the designated facility. International surveys reveal that electronic equipment is the most stolen item from cargos and trucks. So, it is important to track the vehicle from the office to the facility. The Transported Asset Protection Association (TAPA) has also laid down certain rules to assure the safe delivery of such items to their destination.
Heavy processes like incineration and smelting require proper setup to execute them; however, various on-site shredding processes and software-based destruction techniques have been introduced that reduce the risk involved in the transition.
Tracking of the IT assets: The data is not considered dead until it is cremated. Just because the equipment is out from your office does not assure the destruction of data stored in it. Vigilant surveillance is needed until it reaches its dead-point. Make sure that the facility is well guarded and deploys sufficient physical security and cyber security measures.
The most secure measure is to track the device by its serial number, scanned barcodes, and internal reporting system that will let you know the exact location and software state of the device.
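One way to run the serial-number tracking described above, as an added example (not from the original page or from any ITAD vendor's tooling): it reconciles your own inventory against pickup scans, facility scans and wipe certificates. All records, field names and finding labels are constructed assumptions.

```python
# Constructed sample records; field names and layout are assumptions for
# this example, not a real vendor export format.
INVENTORY = {"SN-1001": "laptop", "SN-1002": "hdd", "SN-1003": "ssd",
             "SN-1004": "phone", "SN-1005": "hdd"}
PICKUP_SCANS = ["sn-1001", "SN-1002 ", "SN-1003", "SN-1004"]
FACILITY_SCANS = ["SN-1001", "SN-1002", "SN-1004", "SN-9999"]
CERTIFICATES = [
    {"serial": "SN-1001", "method": "overwrite", "verified": True},
    {"serial": "SN-1002", "method": "degauss", "verified": False},
    {"serial": "SN-1003", "method": "shred", "verified": True},
]


def normalize(serial):
    """Barcode scans and manual entry differ in case and whitespace."""
    return serial.strip().upper()


def reconcile(inventory, pickup_scans, facility_scans, certificates):
    """Compare each custody stage and return the serials that need follow-up."""
    owned = {normalize(s) for s in inventory}
    picked = {normalize(s) for s in pickup_scans}
    received = {normalize(s) for s in facility_scans}
    certified = {normalize(c["serial"]): c for c in certificates}

    findings = {
        # Still on your premises although scheduled for disposal.
        "never_picked_up": owned - picked,
        # Left the office but was never scanned in at the facility.
        "lost_in_transit": picked - received,
        # Scanned at the facility but not one of your assets.
        "unknown_at_facility": received - owned,
        # Arrived, yet no certificate of destruction was issued.
        "no_certificate": (received & owned) - set(certified),
        # Certificate exists but the wipe was not verified.
        "unverified_wipe": {s for s, c in certified.items()
                            if s in owned and not c["verified"]},
        # Certificate issued for a device the facility never scanned in.
        "certificate_without_receipt": set(certified) - received,
    }
    return {name: sorted(serials) for name, serials in findings.items()}


def custody_is_clean(findings):
    """True only when every stage agrees for every asset."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(INVENTORY, PICKUP_SCANS, FACILITY_SCANS, CERTIFICATES)
    for name, serials in result.items():
        print(f"{name}: {serials}")
    print("clean:", custody_is_clean(result))
```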
Vendors and services should be strictly inspected for their compliance with the three standard protocols as elaborated previously.
Sustainable routes to the 3 R's: Resell, Reuse, and Refurbish are the three R's that should always be considered while opting for any solution that contributes to e-waste.
While selecting an ITAD company, emphasize the greener solution. Besides being competent towards the environment, this is also an opportunity to gain some returns on the investment done on the device. After successful wiping of data, the electronic device can be remodeled and refurbished, followed by marketing to gain some solid profits.
However, as lofty as it sounds, there is a certain risk involved in the process. It is important to calibrate the efficiency of the servicing authority to execute data destruction followed by its sanitization. In cases of data remanence, there are chances of data theft followed by its illegal use, extortion, and many other serious consequences.
To follow this route, it is advisable to conduct due diligence before handing the devices to the vendor. A visit to their facility is advisable to get an idea of their methodology, along with consistent tracking of the device until remodeled. Research prices before selling the item to ensure returns as per investment.
Recycling and shredding of end-of-life assets: In cases of zero resale value or not choosing that route, end-of-life is the ultimate step to be undertaken. It is mandatory to remove hazardous elements of the electronic media, shredding of tools followed by dissolution of the shredded commodities from the parent device.
The detached commodities are resent to the manufacturers for revival, and commodities worth utility are sent to the downstream recyclers. All this process is recorded and verified by certificates.
It is very important to conduct complete dismantling of equipment to reach end-of-life because if the equipment ends in a third-world country, someone can reconfigure and check the asset tag and file legal suits for irresponsible disposal of electronic devices in terms of causing harm to the environment via e-waste.
Data Destruction and its impact on the environment
Statistical reports by the Global E-waste Monitor state that the world witnessed the generation of 53.6 Mt of electronic waste in 2019, out of which only 19% was recycled; the rest found their way amidst forests or in large landfills located at the outskirts of town.
It also predicted that global e-waste might pile up to 57.4 million tons in the next few months, growing at the rate of 3-4%. If arranged physically as a pile, it would exceed the height of the Great Wall of China.
Electronic equipment is disassembled to its several parts before discarding it. Some parts consist of hazardous materials like lead, copper, and dioxins. These are processed through smelting, acid etching, desoldering, and treated with chemicals to isolate elements like gold and silver.
In return, toxic fumes are released into the environment, infecting the air with carcinogens and lead-like poisons, increasing the global burden of cancer, neurological and respiratory diseases. Non-recyclable e-waste is responsible for 4.25% of total carbon footprints.
Besides air pollution, seepage of toxins like mercury, barium, cadmium, lithium, polybrominated flame retardants, and several others into soil contaminates its core properties like pH, particle size, and fertility, making it dangerous for crop harvesting.
From soil, these find their way into the water, degrading the underground water. This also affects the water flora and fauna, often leading to the extinction of species and biomagnification.
Ultimately, it is the humans who have to bear the brunt of rising piles of e-waste. On the one hand, with the regular release of the hi-tech phone, the demand for such devices is surging; on the other hand, it accelerates the transfer of obsolete media into landfills.
Intoxicated air, water, and soil hamper the lifespan of an individual due to various cardiovascular, liver, kidney, and skeleton ailments.
As a result of reckless management of obsolete electronic devices, precious metals like indium, neodymium, and cobalt are getting scarce. These are required in large numbers for the manufacture of laptops, TVs, HDDs, etc.
Data destruction and challenges of recycling
Practicing data destruction is no easy game. With the accelerating advancement in hacking techniques, and consequently in cybercriminal activity, destroying data to its very last slice is becoming more challenging day by day, often positioning recycling as a risky solution.
The biggest representative that opposes recycling is optical media such as DVDs, CDs, and Blu-ray discs. NSA has issued strict guidelines for the destruction of optical media into particle sizes less than 2 mm² for DVDs and 5 mm² for CDs, reducing them to particles of dust. This comes as a result of its composition of plastic resins, which reduces their chances of recycling.
Guide to selecting the best ITAD company
There are a plethora of companies offering ITAD services; however, to choose the best, it is important to have clarity on certain aspects to maintain the privacy of data being discarded and the best possible solution to show compliance towards the environment.
- Availability of Full-life cycle management: From designating the data to be destroyed to the final step of its extinction, ITAD company must provide full-lifecycle management. This is most useful to hardware centers which may involve frequent refresh cycles or decommission. ITAD companies that provide full-lifecycle management must also ensure data sanitization for incomplete wiping procedures.
- Expertise and efficiency: An ITAD company should have well-established facilities for data destruction along with experts from the field to manage the errands associated with it. They should provide a wide breadth of services, including degaussing, wiping, smelting, and physical destruction whenever needed. The firm should have provisions for on-site destruction and software-based data destruction methods. The procedure should maintain the sanity of the data, i.e., its privacy and security. From the pickup to the end-of-life disposition, the company should provide efficient GPS tracking of IT assets, security while transitioning, and verification after data wiping. Their amenities and communication should match your demands to carry out an efficient process.
- Certifications: One of the most important things to look for in an ITAD company is its credentials. Certification from national and international standardizing bodies is essential, both legally and professionally. Some important certifications are R2, ADISA, and NIST SP 800-88 compliance. It should be compliant with legal protocols such as HIPAA, FACTA, GLBA, SOX, and FERPA. These might vary as per the location of the ITAD company.
- Recycling and remarketing: To maintain the green streak, an ITAD company that offers sustainable options for data destruction is always the first