Advice for implementing a data destruction policy

 

Perceptions about which industries necessitate a robust data destruction policy vary widely. It’s commonly assumed that sectors like banking and healthcare are essential due to their handling of extensive confidential data. Conversely, businesses such as restaurants may seem less pertinent at first glance. However, upon closer inspection, it becomes evident that every enterprise deals with data, irrespective of size or sector.

For instance, restaurants manage employee details and daily consumer credit information. Consulting firms handle employee records and sensitive client data. Similarly, real estate agencies store employee information alongside confidential financial records. Data permeates all industries; the focus should not be on whether a business stores information but rather on the scale of their data repository.

While industry news highlights risks in major sectors like insurance and healthcare, every company faces cybersecurity vulnerabilities. Establishing a formal and comprehensive data sanitation policy is crucial to safeguarding corporate secrets. Here are foundational steps that companies can adopt to define their physical data storage security requirements:

 

Determining Data Destruction Needs

  1. When to Destroy Data:
    • Emulate practices like New York University’s policy where devices containing confidential information are purged before and after each use to prevent unauthorized access.
    • Ensure complete removal of classified data from any device before sale or transfer, and permanently wipe data from decommissioned machines.
  2. Regulatory Compliance:
    • Understand state-specific data disposal laws outlined by the National Conference of State Legislatures, which hold private enterprises accountable for data breaches.
    • Industries like healthcare (under HIPAA) and education have stringent regulations mandating investigations into data breaches due to the sensitive nature and long-term storage requirements of confidential information.
  3. Balancing Data Retention:
    • Exercise caution before deleting data that still holds value, as illustrated by recent legal challenges involving election data in Georgia. Deleting data prematurely can lead to legal repercussions if circumstances dictate otherwise.

Adopting sensible regulations within data destruction policies ensures data is sanitized only when it no longer serves any relevant purpose to involved parties. This approach safeguards businesses across all sectors from potential data breaches while adhering to legal standards and maintaining data integrity.

Smartphones contain confidential information like corporate emails and passwords.

 

Which types of data require destruction?

Traditional sources of data such as hard drives and solid-state drives in computers are the obvious candidates, but advancements in technology have expanded this list significantly. Devices like printers and copiers also house hard drives, and smartphones utilize flash media. Even smaller gadgets, like Internet of Things-enabled thermostats, contain caches of flash storage.

Initially, data from a thermostat might seem innocuous—after all, it’s unlikely to store files like a company’s kitchen television. However, what makes these devices potentially risky is their network connectivity. Any IoT device in an office environment must meet stringent security standards to access the company network. For example, if an improperly sanitized flash storage device falls into the wrong hands, it could provide unauthorized access to the office network, potentially compromising sensitive information. Thus, an IoT-enabled thermostat acts not merely as a harmless device but as a potential gateway to valuable data.

Why adopt a standardized policy?

Experts such as PrivacySense.net advocate for the implementation of a uniform data destruction policy across corporate technology resources. This approach entails treating all devices containing confidential data equally.

While this uniform policy may seem stringent, it is crucial for thwarting cyberattacks comprehensively. It underscores the limitation of bring your own device (BYOD) policies, as companies lack the authority to manage personal data on employee-owned devices. While providing employees with computers has become standard practice, the shift towards issuing company smartphones is now imperative to prevent the integration of classified data onto personal devices.

While the concept of employees managing two separate phones may seem cumbersome, it effectively mitigates risks associated with personal device usage. Companies must also monitor the evolving wearables market closely, as each wearable device represents another potential repository of personal flash media storage.

Cybercrime exploits vulnerabilities in any system. The most robust cybersecurity protocols are ineffective without a policy that treats every storage medium with equal rigor.

Companies want to be sure that they invest in a machine capable of fully destroying their data.

 

Which devices are optimal for data destruction?

Companies prioritize using data destruction devices that have been rigorously tested and approved by esteemed authorities such as the National Security Agency (NSA), Department of Defense (DoD), and North Atlantic Treaty Organization (NATO). These organizations conduct evaluations to assess the effectiveness of data sanitation devices. The NSA and Central Security Service regularly update reports detailing which devices meet their stringent criteria for data destruction. These evaluations also cover various methodologies involved in ensuring proper data sanitization.

Although these certified products may come at a higher cost compared to uncertified alternatives, the assurance they provide is invaluable. Companies that utilize NSA-listed devices are significantly less vulnerable to data theft and potential legal repercussions.

“Degaussers completely neutralize a hard drive’s ability to retrieve data.”

Hard drive degaussing: When is destruction inadequate?

Degaussing is a critical data sanitization method that surpasses mere shredding or physical destruction, especially for hard disk drives. These drives use magnetic fields to organize and store data in a form the computer can read. Degaussers disrupt this magnetic field, rendering the data on the hard drive indecipherable.

Once a hard drive undergoes degaussing, it becomes permanently unreadable. Unlike shredded hard drives, which could theoretically be reassembled, the magnetic alignment altered by degaussing cannot be reversed. For hard drives, degaussing presents a straightforward and 100% effective solution.

The SSD distinction

Solid-state drives (SSDs), prevalent in modern desktops, laptops, and memory cards, differ significantly as they lack moving parts and rely on circuit-based infrastructure rather than magnetic fields. Consequently, magnetic degaussers do not affect SSD data as they would with traditional hard drives. Companies employing SSDs typically opt for a combination of data rewriting and physical shredding or destruction to achieve thorough data sanitization.

Due to the residual nature of SSD data, it is advisable to overwrite it multiple times during the sanitization process. Additionally, implementing a practice of dispersing remnants into separate waste containers as part of the data destruction policy ensures that fragmented pieces of destroyed flash media do not coalesce, rendering the device virtually irrecoverable.
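The media-specific rules above can be checked mechanically against disposal records. The following is an added example, not part of the original article: the record fields, the method labels ("degauss", "overwrite", "shred") and the two-pass minimum used for "multiple times" are assumptions of this sketch.

```python
from dataclasses import dataclass, field

FLASH = {"ssd", "flash"}   # SSDs, phones, IoT caches: no magnetic storage
MIN_PASSES = 2             # assumption: this example's reading of "multiple times"

@dataclass
class Record:
    device: str
    media: str                                  # "hdd", "ssd", "flash", ...
    methods: set = field(default_factory=set)   # sanitization steps logged
    overwrite_passes: int = 0

def findings(rec):
    """Return the policy gaps for one decommissioned device."""
    gaps = []
    if rec.media == "hdd":
        # Shredding alone is not enough for magnetic platters.
        if "degauss" not in rec.methods:
            gaps.append("hdd not degaussed")
    elif rec.media in FLASH:
        # A degausser does nothing to flash, so it cannot stand alone.
        if "degauss" in rec.methods and not rec.methods & {"overwrite", "shred"}:
            gaps.append("degauss only: no effect on flash media")
        if "overwrite" not in rec.methods or rec.overwrite_passes < MIN_PASSES:
            gaps.append("flash not overwritten multiple times")
        if "shred" not in rec.methods:
            gaps.append("flash not physically destroyed")
    else:
        # Media the policy does not describe must not pass silently.
        gaps.append("unknown media type, needs manual review")
    return gaps

def audit(records):
    """Map device -> gaps, listing only devices with at least one gap."""
    return {r.device: g for r in records if (g := findings(r))}

# Constructed sample disposal log (not real asset data).
SAMPLE = [
    Record("laptop-01", "hdd", {"degauss"}),
    Record("laptop-02", "ssd", {"degauss"}),
    Record("phone-07", "flash", {"overwrite", "shred"}, 3),
    Record("copier-03", "hdd", {"shred"}),
    Record("thermostat-11", "flash", {"overwrite"}, 1),
    Record("dvd-02", "optical", {"shred"}),
]

if __name__ == "__main__":
    for device, gaps in audit(SAMPLE).items():
        print(f"{device}: {'; '.join(gaps)}")
```

Running the audit before media leaves the building catches the common mistake of sending an SSD through the same degausser as the hard drives and logging it as sanitized.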

As the landscape evolves, businesses across all sectors must ensure they are well-prepared and fortified against various forms of cybercrime. With the proliferation of IoT-enabled devices and the expanding use of SSD technology, adopting a comprehensive, consistent, and adaptable data destruction policy remains the most robust defense strategy against cyber threats.

 

Source: https://www.protondata.com/blog/data-security/advice-implementing-data-destruction-policy/

 
