Advice for implementing a data destruction policy


The perception is that certain industries need a data destruction policy far more than others. Of course institutions like banks and hospitals need to enforce data destruction, as they handle vast amounts of confidential data. At first glance, a business like a restaurant does not even compare. However, as every business is examined, one constant becomes clear: data. All companies – regardless of size or industry – house data.

A restaurant possesses employee data as well as the consumer credit information passing through it daily. A consulting firm holds employee data in addition to classified company material from its clients. Real Estate firms carry their employee data, not to mention the confidential financial records of their clients. Data is everywhere in every industry. The question is not whether a business is an information silo; it is how big is that information silo – how much data is being stored?

Industry news tends to focus on highlighting risk in the biggest silos like insurance companies and medical offices. But the fact is that every company now has cybersecurity risks. Having a formal and thorough data sanitation policy ensures that corporate secrets remain in only the right hands. The following steps provide a starting point for companies to use when determining their physical data storage security needs:


When does data need to be destroyed?
Universities like New York University reported having a policy that all devices containing confidential data must be purged before and after each student has used them. This step will prevent one student from accidentally seeing another’s private information. Every company that handles private data should seek to emulate this standard in its data destruction policy.

Before any device is sold or transferred, its classified data must be completely removed. When any machine with data storage is being decommissioned, that data must be permanently wiped and destroyed.

“The offending private enterprise will always be held responsible for a data breach.”

Accounting for how regulation affects data destruction
It is important to note that – according to the National Conference of State Legislatures – every state has data disposal laws for private enterprises. These laws vary from state to state, with some being more lenient than others. Regardless of the tolerance, the law is universal in that the offending agency will be held responsible should a data breach occur.

Certain industries have specific mandates – such as 1996 federal Health Insurance Portability and Accountability Act, or HIPAA, in health care – that dictate an automatic investigation into a data breach. Health care is treated with the utmost scrutiny because so much confidential data must be stored for long periods of time. The same applies for institutions working in the education sector.

That said, companies should not be too ready to delete data. This is especially true if the data in question still has value of any kind. To highlight an example, The Associated Press recently covered a story on a developing lawsuit in Georgia, where a computer containing election results was wiped after an investigation into the legitimacy of recent election results began. The Center for Elections Systems at Kennesaw State University is in legal trouble because an employee likely followed blind protocol instead of adapting to extenuating circumstances that kept the election data relevant.

Companies across all verticals should keep the same common sense regulations in their data destruction policies: Data should be sanitized only after it has ceased being relevant to all parties involved.

Smartphones contain confidential information like corporate emails and passwords.
Smartphones contain confidential information like corporate emails and passwords.


What types of data need to be destroyed?
The obvious data sources are hard drives and solid state drives on computers, but technology has expanded the list further. Hard drives can also be found on devices like printers and copiers. Smartphones also have flash media. Smaller devices – even an Internet of Things-enabled thermostat – have caches of flash media storage.

At first glance, the idea of thermostat data is harmless. After all, it is not common policy to store files in random locations like the company’s kitchen television. What makes these devices potentially dangerous is their network information. Every IoT-enabled office device must have proper security clearance to be part of that company’s network. For instance, if an outside party were to get a hold of an improperly sanitized flash media storage device, that party would have the office network’s password.

Once in, this source could access any information within the company network. So an IoT-enabled thermostat is not the safe but rather a key to the safe.


Why implement a uniform policy? 
Corporate technology resources like recommended the institution of a uniform company data destruction policy. Under this kind of approach, an organization would treat all devices containing confidential data the same.

This one-size-fits-all style of policy may sound extreme but will go the furthest in preventing cyberattacks. This is where a bring your own device policy stops working, as corporations do not have the authority to access and alter an employee’s personal data. While companies have gotten used to the idea of providing employees with a computer, they must now adjust to the notion of giving their workers a smartphone as well.

The idea of two phones sounds cumbersome but solves the problem of carrying and integrating classified data onto a personal device. In this vein, companies should pay close attention to the emerging wearables market, as each wearable becomes an additional personal flash media storage device.

Cybercrime requires only one point of entry. The best computer protocol in the world is meaningless in a policy that does not treat every form of storage equally.

Companies want to be sure that they invest in a machine capable of fully destroying their data.
Companies want to be sure that they invest in a machine capable of fully destroying their data.


Which devices are best for data destruction?
Companies want to use data destruction devices tested and approved by the highest authorities. The National Security Agency, Department of Defense and North Atlantic Treaty Organization all test data sanitation devices to determine their worth. In particular, the NSA and Central Security Service release updated reports on which devices meet data destruction criteria. These evaluated products lists also discuss various methods involved with proper data sanitation.

While these products may be more expensive than untested counterparts, the peace of mind is worth the extra investment. Companies using NSA-listed devices are less likely to have their data stolen and become the subject of legal investigation.

“Degaussers completely remove a computer’s ability to read a hard drive.”

Hard drive degaussing: When is destruction not enough?
Degaussing is one particular method of data sanitation that may be more important than shredding or destroying. Hard disk drives operate on magnetic fields that structure the data, allowing the machine to read it in a way that makes sense. Degaussers alter that magnetic field, removing the computer’s ability to decipher what is on the hard drive.

Once a hard drive has been degaussed, it can never be read again. There is no method by which a hacker may realign the magnetic field. Even a shredded hard drive can theoretically be reassembled into working order. For hard drives, degaussing is a relatively simple and 100 percent effective solution.


The SSD difference
SSDs – found in certain newer desktops and laptops – have no moving parts. They, like memory cards, operate on circuit infrastructure. This means that a magnetic degausser will not alter the data as it would with a hard drive. For companies using this method of flash media storage, rewriting and shredding/destroying is the best way to achieve proper data sanitation.

Devices should be rewritten several times, as SSD data is not always completely removed after one wipe. Companies may also want to institute a scattering practice as part of their data destruction policies – placing the leftover parts in different waste containers. This step ensures the destroyed flash media will not go to the same place, making the device virtually impossible to reassemble.

The world is changing, and companies across all industries need to be sure that they are prepared and guarded from crime in all its forms. IoT-enabled devices are only expected to grow more prevalent, and SSD technology is also becoming more widespread. A thorough, uniform and adaptive data destruction policy is the best defense against cybercrime.




About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.