Having a document destruction strategy in place is critical in a post-pandemic world.

As America’s workforce shifted to a more virtual environment, businesses were faced with a new set of problems and challenges for document security, storage, and destruction.

A new wave of cyber-criminal activity has been fueled by the pandemic. Employers must also be wary and alert to manage the level of security for their employees working remotely.

As the American workforce returns to the office, it is a good time to revisit document security and destruction policies and make sure every employee understands what they are and why they are so important.

Here are some things to look at again as your workforce returns to the office and shifts back to a more traditional work environment.

Why it is crucial to destroy old hard drives and data storage devices.

All companies depend heavily on electronic media to facilitate essential business activities. But when a data storage device reaches the end of its working life, data still needs to be secured or securely destroyed.

There is a good chance that your business only focused on critical operations during the pandemic. Unfortunately, the same challenges that you faced before the pandemic continue to be challenges that your business faces now.

Securely destroying old data devices is critical to protect yourself, your clients, vendors, employees, and others from any breach of sensitive data. Business owners large and small have a sacred obligation to maintain confidentiality.

And make sure that employees working remotely are destroying important documents just as they would in the office.

Stolen data can be used for a variety of purposes…none of them good. Identity theft, fraud, embezzlement, and other white-collar crimes can ruin a victim’s life. And in many cases, that victim could be you!

Aside from the ethical considerations, are you aware as a business owner that you are required to comply with privacy laws on how to dispose of data storage devices securely? If not, you could face significant penalties.

Some industries also face higher degrees of regulation due to HIPAA and FACTA laws already on the books. If you are not well versed in privacy laws, we suggest finding an expert such as an attorney, document shredding company, or data destruction company who can safely guide you through important compliance issues.

Here’s another important thing to consider. When you leave yourself exposed and suffer a breach, it could threaten the very existence of your business. Not only could you face theft from hacked accounts, but customers could also sue or abandon you. Partners and vendors may lose trust and refuse to work with you. Key employees could move on. Your reputation could be tarnished and have a significant impact on landing future customers.

What is a zero-trust security strategy?

For some businesses during the pandemic, out of necessity, employees may have been forced to use their own non-secure data devices to conduct work remotely. In other cases, you may have supplied employees with devices for use at home during the pandemic and some of these devices may have reached the end of their useful service lives.

Don’t think for a minute when your laptops, desktops, cell phones, and other electronics reach the end of their useful service life that you can take a hammer to them and be done with your data device security efforts.

It is a lot more complicated than that.

Business compliance is a critical reason to hire a firm that specializes in data device destruction. Although laws and rules can be somewhat inconsistent, businesses should adopt a zero-trust security strategy.

This means you should not trust anybody either inside or outside of your business. A zero-trust security strategy means following best practices instead of just doing enough to meet compliance standards.

Scammers are more sophisticated than ever.

Data theft and scan operations are more prevalent than ever after the pandemic. No business is too small or too big to become a victim of a sophisticated scam operation.

In fact, in many cases, scammers prefer to target smaller companies. They assume smaller businesses do not have the resources to put toward data security.

Making yourself a hard target on the front end, and protecting sensitive data on the back end, including the appropriate disposal and destruction of hardware, is a good step in the right direction.

Employees returning to work must be armed with as much knowledge as possible to guard against sophisticated scammers and data thieves. According to the Better Business Bureau, the six most common of these that businesses and employees need to protect against are:

• Imposters posing as a bank or credit card company pretending to verify account information but with the actual intent of gaining access to a business’s accounts.
• Scammers pretending to represent various government agencies who threaten to impose fines or take similar enforcement actions if a business does not pay fees or taxes.
• Fraudsters who offer businesses increased visibility through advertising, advanced search engine techniques, and business directories.

• Sending an invoice for services never rendered or trying to induce a business to pay for products they never ordered or received.
• Paying for goods and services with fraudulent checks from non-existent accounts.
• Scams involving tech support or ransomware demands.

Although every scam and every scammer are unique, most all share the same general characteristics. Here are some red flags to look for:

• They pretend to be someone you trust, either in the guise of a company, person, or government agency.
• They create a sense of urgency by setting a short deadline to respond.
• They use fear and intimidation, pressuring you to send a payment before you can check out their claims.
• They use wire transfers, gift cards, or other untraceable payment methods.

Based on what’s happened over the past year and a half, don’t be surprised if a potential scam is attached to some sort of pandemic-related issue. The same adage applies: If it sounds too good to be true, it usually is.

What do I do if I think I have been scammed?

Unfortunately, the best you may be able to do is to harden yourself against being a victim again. Getting lost money will be difficult.

Examine your current levels of security. Can you do more within your budget to enhance your protection?

If your company’s financial information was accessed or stolen as part of a scam, change as much information as you can. You may only need to change passwords, or you may have to close and reopen accounts.

If phones or computers were hacked, spend the money to have a top-tier security person either wipe the phone clean of malicious software or take other steps to ensure the breach no longer exists.

Develop a cybersecurity plan that looks at risks and identifies proactive mitigation efforts. Part of this should include a stringent password policy for all employees and their devices. Among other things, use two-factor or multi-factor authentication when possible.

Evaluate your data storage needs and processes. Scammers often nail a business through the back door. When you update with the latest security patches on your phones and computers, make sure your data storage is equally protected. Uncompromised data storage is critical, especially in cases where businesses are victims of ransomware schemes.

And finally, provide security training for your employees. Scammers know the weakest link in a business may be the human element. Don’t let that be the case in your business.

How do I choose the right data device destruction company?

If your business survived the pandemic, then congratulations!

Although you are gearing up on many different fronts, do not discount the many benefits of retaining a data device destruction company as an essential insurance policy for your business’s long-term health.

Data and device destruction is big business, and there are lots of companies to choose from. A few things you should look for in a vendor include:

Compliance. Ask if they are familiar with NSA and NIST guidelines.

Chain of custody. What are the company’s protocols to protect against a breach? Do they use tamper-proof containers, secured totes, and locked trucks during transit? Do they have secure and monitored facilities?

Certificates and documentation. Make sure the company provides certificates of sanitization for all media’s data that has been destroyed. It should include serial numbers, type of media, and how it was sanitized. Also, verify that documentation will be provided that shows an audit trail and proof of erased data.

Insurance. Does the company have liability insurance to adequately assume responsibility if there is a data breach or mishap? Also, ask about what kind of security training and background checks employees undergo.

Process. Get a detailed explanation of exactly how data devices will be destroyed and by what method.

Data is the lifeblood of just about every American business and, unfortunately, it attracts the unwanted attention of thieves who will try to steal private information and use it for illegal gains.

The sensitive nature of data extends far beyond its useful business life. Information stored on hard drives has the possibility of lasting forever unless you take appropriate steps to destroy it when the data is no longer needed.

You may be tempted to go cheap or do it yourself, but for maximum protection and full peace of mind, you should consider hard drive destruction as the most effective means of data protection.

What is hard drive destruction?

The hard drive is manually destroyed by a mechanical device ensuring the data cannot be recovered or stolen. The hard drive is transformed from a single platter where data is stored and turned into tiny particles. Think of it in much the same way that a woodchipper works on tree branches (this is true for shredding only).

Hard drive destruction extends to just about any type of sensitive electronic media, including:

• Computer Hard Drives
• Compact Disks
• Floppy Disks
• USB Drives
• DVDs
• Credit Cards
• Platters
• Microfilm
• X-rays
• Photographs
• Videotapes
• Transparencies

Hard drive are often destroyed by shredding, similar to how a household paper shredder operates, or by crushing/punching which creates a giant hole(s) punched into the middle of the hard drive, destroying the delicate magnetic surface that contains any sensitive information.

Can you successfully destroy your own hard drive?

You can try, but there will always be the nagging possibility that you will not be successful.

Simply deleting files is not enough, nor is erasing the hard drive with a program that does not meet industry standards for data destruction.

If you want to get more medieval and think you can smash your hard drive into pieces with a hammer, think again. It is still not a fool-proof method (although you may feel better taking some of your aggression out on a defenseless piece of computer hardware).

Tossing the hard drive in the trash and hoping it winds up in a landfill or recycling it at one of those computer recycling drives will also leave you and your data vulnerable to theft and misuse.

Taking matters into your own hands could also land you in trouble with the U.S. Environmental Protection Agency. Computer components are toxic and should be disposed of properly.

There is more to it than first meets the eye, which is why data and hard drive destruction are always best left to the professionals. That means you should only work with a vendor who follows NAID certified best practices.

What is NAID AAA certified destruction?

The National Association of Information Destruction (NAID) is the largest international certification body for information and data destruction. The NAID is an independent auditor that checks a shredding company’s compliance in 22 areas.

Using an NAID compliant vendor is not only a good idea, in many cases NAID AAA Certification is required by hundreds of government offices and thousands of private contracts.

The organization verifies secure data destruction companies’ services’ compliance with all known data protection laws through scheduled and surprise audits by trained, accredited security professionals, fulfilling customers’ regulatory due diligence obligations.

As part of NAID AAA Certification, a vendor will record the serial number of each hard drive that is shredded and give a NAID Certificate of Destruction to the customer, providing proof that the hard drive was destroyed according to regulations.

The lesson here is that you should never just accept a vendor’s word that a hard drive has been destroyed without written documentation. You need the protection that a paper trail will provide if there are issues later.

What happens when you do not follow best practices?

In a study conducted by the NAID, 40% of used electronic devices sold on the secondhand market contained Personally Identifiable Information (PII). So even if you think you have wiped your hard drive clean, there is an almost 1 in 2 chance that you have not.

The bottom line is, if you value your data, destroy your hard drives following industry best practices.

What are some of the legal issues that could arise by not properly disposing of data?

If you are negligent and do not dispose of your hard drive the right way, you could run afoul of several laws that protect consumers from data breaches.

Perhaps the most well-known of these is the Federal HIPAA law.

The Health Insurance Portability and Accountability Act of 1996 created security standards to establish measures ensuring the security of healthcare information maintained by healthcare providers, healthcare institutions and health insurance companies.

The Gramm-Leach Bliley Act (GLB Act) created significant restrictions on the use of customer information in the financial industry (i.e., insurance, banks, stockbrokers, mortgage, escrow, lenders, etc.)

The Fair and Accurate Credit Transactions Act (FACTA) established a national system of fraud detection so victims can alert all three major credit rating agencies with a single phone call.

The U.S. Supreme Court also ruled that dumpster diving is not illegal. As a result, it has been a common method for stealing sensitive data for quite some time now.

What should I do with the hard drive until it’s ready to be shredded?

Many companies are required to maintain data for a certain period, either due to company policies or legal compliance. You may be tempted to take full and old hard drives and stick them in a “secure” storage facility onsite. But if you do, you are still leaving your company vulnerable to a significant data breach.

When you store old hard drives and data onsite, you are creating an attractive target for criminal activity. Instead, you need to find a secure off-site location and limit access.

Is it better to have hard drives shredded onsite or offsite?

Either is acceptable. What you really need to be concerned with is the level of chain of custody practices. Chain of custody is defined as the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Many vendors will come to your place of business and allow you to witness the actual destruction of the hard drive or other electronic media. Others will securely transport hard drives to a remote location where they will be securely shredded. Generally, the hard drives are placed in a secured and locked container for transport before they are destroyed.

Onsite shredding can take a little more time, so it is slightly more expensive. Dropping your hard drives off at a shredding facility or having them transported is generally cheaper.

What happens to the hard drives pieces after they are shredded?

Recycling is an important part of hard drive shredding. To prevent environmental pollution and associated health hazards, shredded pieces are recycled using a raw metal extraction process that creates new metal and plastic products.

Be Diligent About the Records and Files You Should Keep vs. Those that Should be Destroyed.

How many times have you had an important document in your hand ready to destroy, but hesitated because you didn’t know if you were breaking some regulation, rule or just an old wives’ tale about how long to keep that information?

Oh, “let’s just keep it”, you say… to be safe.

A year later those files you decided to keep now become boxes, and a year later those boxes have multiplied like rabbits. Now you’re contemplating storing them offsite, or worse, taking up precious office space with information that should be destroyed.

In this article we will give you some tips on not only what you should keep, but the best way to destroy it.

We have a caveat to this important subject: There are rules upon rules, and regulations upon regulations that the government has instituted. But, there are also rules and regulations in many industries such as banking, accounting, legal, healthcare, etc. For example, doctors are required to keep patient records for extended periods of time.

There are far too many rules to try to cover in this article, so always—always—check with your accountant or attorney if you are unsure what to destroy.

Retaining Tax Records Generates the Most Questions and Stress for SDD’s Clients.

There aren’t many documents that businesses produce that contain more sensitive information and get sent outside of the business than tax records.

When you file electronically, for example, isn’t there a moment of near-sheet terror before you hit that “send” button?

There’s no reason to keep tax records longer than is required.

The Internal Revenue Service provides great information on its website. Here are its general guidelines:

“The length of time you should keep a document depends on the action, expense, or event which the document records. Generally, you must keep your records that support an item of income, deduction or credit shown on your tax return until the period of limitations for that tax return runs out.

“The period of limitations is the period of time in which you can amend your tax return to claim a credit or refund, or the IRS can assess additional tax. The information below reflects the periods of limitations that apply to income tax returns. Unless otherwise stated, the years refer to the period after the return was filed. Returns filed before the due date are treated as filed on the due date.”

Many customers believe there is a “7-year rule” that applies to the retention of tax records. While a safe guideline, the IRS has more specific rules depending on your situation (https://www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records):

1. Keep records for 3 years if situations (4), (5), and (6) below do not apply to you.
2. Keep records for 3 years from the date you filed your original return or 2 years from the date you paid the tax, whichever is later, if you file a claim for credit or refund after you file your return.
3. Keep records for 7 years if you file a claim for a loss from worthless securities or bad debt deduction.
4. Keep records for 6 years if you do not report income that you should report, and it is more than 25% of the gross income shown on your return.
5. Keep records indefinitely if you do not file a return.
6. Keep records indefinitely if you file a fraudulent return.
7. Keep employment tax records for at least 4 years after the date that the tax becomes due or is paid, whichever is later.

As for specific records you should keep the IRS recommends records that “clearly show your income and expenses”. While a broad statement, the implications are significant depending on your industry, as some industries have stringent rules on record keeping. Here is more information from the IRS: https://www.irs.gov/businesses/small-businesses-self-employed/recordkeeping

There are Important Non-Tax-Related Records that Should be Retained.

While the IRS focuses on records that support your income and expenses, there are many, many, many more records in your files that need a decision made on whether to keep or pitch.

In an excellent article on smead.com (http://www.smead.com/hot-topics/records-retention-guidelines-1394.asp), they provided common sense guidelines for general information.

“Keep everyday paperwork for 3 years. It’s rare that anyone is going to want to see an electric bill or credit card statement dating back more than a year. But, you may choose to keep the following non-tax-related items for up to 3 years for internal use:

• Monthly financial statements
• Credit card statements
• Utility records
• Employment applications (for businesses)
• Medical bills in case of insurance disputes”

Smead also identifies other types of records that don’t easily fit into specific categories, for example:

• Car records (keep until car sold
• Credit card receipts (keep until reconciled on your credit card statement)
• ATM and deposit slips (keep until reconciled on your bank statement)
• Insurance policies (keep for life of policy)
• Pay stubs (keep until reconciled with your W-2)
• Property records / builder contracts / improvement receipts (keep until property sold)
• Sales receipts (keep for life of warranty or life of the item on large purchases)
• Warranties and instructions (keep for life of product)
• Other bills (keep until the payment verified on the next bill)

Onsite Shredding Ensures Your Important Documents are Securely Destroyed.

Holding important documents the required period of time is only half the challenge.

When you are ready to dispose of the documents, Secure Document Destruction of St. Louis recommends onsite versus offsite. The differences between the two are significant:

• Offsite shredding. The service provider comes to your office (or residence), picks up your un-shredded confidential documents and materials, and takes them to a facility to be destroyed. For however long it takes that truck to get to the facility puts your important information at risk. The offsite service truck may make as many as 15-20 additional customer stops.
• Onsite Shredding by SDD of St. Louis. SDD’s onsite document shredding services for businesses or onsite shredding services for residences eliminate the risks of offsite shredding. We use state-of-the-art mobile shredding service trucks that shred your documents in real time, in full view within feet of your business. SDD’s bonded, uniformed Security Specialists are there monitoring every step of the process. When we leave your office, your important information is destroyed.

Regularly Scheduled Shredding Greatly Reduces Your Risks in Destruction of Important Documents.

Whether your schedule is monthly, weekly or even daily, SDD’s process is secure:

1. SDD places locked containers throughout your facility to hold sensitive materials to be purged.
2. An SDD shredding service truck comes to your office on your schedule.
3. The truck’s automated handling system securely deposits your confidential information into the truck.
4. The contents are immediately destroyed while you watch via closed-circuit cameras. No information leaves your office without being destroyed… ever.
5. You will receive a Certificate of Document Destruction before we leave your office.
6. The destroyed materials are disposed of at a recycling center.

SDD serves clients in some of the most highly-regulated industries which have strict requirements for information security, such as accounting, legal, banking and healthcare.

SDD’s regularly scheduled services offer the most secure and cost-effective way to regularly destroy your important information and materials. Click here today for a no obligation quote.

Our digital business world certainly has its positive attributes, but you must protect your small business data.  We can hold video conferences with clients across the country, or send documents to co-workers instantly no matter the time of day.

As long as we have wi-fi, our office can be anywhere.

That’s scary.

Unfortunately, as incredible as the technological advances are, it has become far too common to wake up in the morning and read about yet another massive data breach that disrupts a large organization with an important online presence.  All the while, disrupting innocent and unsuspecting customers using their service and leaving their suffering in their wake.

This doesn’t just happen to big companies.

All it takes is one employee mistake.  Whether it’s an executive using the wrong Starbucks wi-fi or your assistant making the misstep of sharing his or her passwords.  One simple slip can put your small or medium business at the top of the list for a security breach.

 

We at SDD want to minimize the risk your employees face to being subject to a security hack.  Therefore, we’ve compiled the five worst corporate security breaches of all time, how they happened and some important tips so this won’t happen to you.

Educate your employees about the latest phishing scams attempting to infiltrate your network.  Use SSL certificates for your website’s transaction security.  These act as padlocks to thwart identify thieves from stealing your sensitive information.  Also, make sure you have the proper malware blockers installed to your network, these security systems protect your business from destructive viruses.  And, always keep your employees in the know of the latest password rules and regulations for your business.

So please, read carefully and never stop working to keep your small business safe.

#5: eBay

The fifth on our list, the digital buying and selling giant, and one of the most widely used services in the history of the internet.

Here’s what happened.  Targeted eBay employees were sent phishing emails, which are fraudulent messages appearing to come from legitimate sources, in attempts to get them to divulge sensitive information.  When these employees clicked on the embedded link, malware was installed on the computer and the attacker gained control of their computers, eBay’s network, and all customer information.

What’s troubling here is that their database was hacked between late February and early March and the breach was not detected until May, allowing hackers access to eBay customers’ names, their encrypted passwords, email, registered addresses, phone numbers and date of birth.

Within five months the hackers breached a total of 145 million user accounts.  However, eBay and its users were all fortunate the hackers did not gain access to PayPal’s financial information, thankfully leaving customer purchase data safe.

Phishing attacks have become increasingly common in the business world and a key strategy for thieves to gain access to secure information.  However, thieves are taking it one step further by using new social engineering tactics.  The thief will send a phishing email to your employee, and then follow up with a phone call, making the interaction that much more believable.  The call will always be used to persuade the employee to click on the link, which would install the malware.

If it can happen to eBay, it can happen to your business.  At a minimum you should have an SSL certificates to protect your transaction activity and malware blockers installed.

For more information on keeping your digital sector of your small business secure please visit https://www.godaddy.com/web-security for a variety of different layers and tactics that can and will help identify and prevent your company from being breached.

#4: LinkedIn

Back in 2012, LinkedIn was the victim of an unauthorized access and disclosure of more than six million members’ passwords.  The security breach gave hackers access to users’ email addresses, passwords and other information. 

LinkedIn’s IT security responded immediately and required a mandatory password reset for all the accounts it believed were compromised. Not all employees complied.

Very shortly after the first breach, the LinkedIn security teams became aware of a second massive breach.  Despite LinkedIn’s enhanced efforts to protect user passwords—called salting and hashing—the Russian hacker known as “Peace” was able to infiltrate LinkedIn’s system, which resulted in an overall breach of a staggering 117 million LinkedIn members.

Even though LinkedIn’s security and IT departments had taken major precautions by hashing and salting every password in their database, which is adding an additional piece of code that encrypts the user’s information, it was still accessed.

We suggest you do two things right away.  First, visit a small business expert like https://www.godaddy.com/web-security for more information on how to properly protect your business and your customers’ digital information.  Second, tell your employees to reset their passwords with some type of phrase only they would know and make sure they’re always on the lookout for phishing scams.

For your personal or business hardware and paper destruction needs, please visit https://sddestruct.wpengine.com/business-document-shredding/ we’d be happy to help.

#3: Myspace

While Myspace is no longer making headlines, breached user data never really dies.

In 2014, a large set of stolen Myspace usernames and password combinations were discovered available for sale in a dark web online hacker forum.  Myspace tracked the information and was able to trace it back to Peace, the same Russian hacker who infiltrated LinkedIn the same year.

The original reports stated that there were more than 360 million accounts breached.  Each record contained an email address, password, and in some cases, a second password.  Security researchers stated that it was the largest data breach of all time.

Much like LinkedIn, the passwords were salted and hashed.  Myspace’s security force confirmed that the breach had no effect on any of its other platforms, apps, subscriber information, or other media properties, nor did the leaked data include any confidential financial information.

A near-foolproof option for employees is to use more complicated passwords (like phrases only they would know), reset them periodically, and take advantage of password management tools like https://www.lastpass.com to help keep track of your logins.

For any additional questions, please contact us. We’d be happy to help.

#2: Yahoo

You may want to be sitting down for this one.

In sheer size, it’s the most widespread data breach in history.  In 2013, it was first reported that email usernames and passwords of around six million of its account holders had been breached.

Yahoo’s PR and tech security teams swiftly dealt with the issue, notifying users with emails to change their login credentials. 

At the time, Yahoo believed it had nipped the problem in the bud.

However, throughout the Verizon merger process in 2016, Yahoo discovered the security breach had affected every single user account that existed at the time.  Not six million, but three billion users!  Three billion, and the majority of those were not notified that their account was hacked.

The sad truth is that if you had a Yahoo account from 2013 to 2016 your account was hacked.  Plain and simple.  The names, email addresses and passwords, of your and my email accounts were breached.

Yahoo still has not provided any information about the suspected hackers.  They required multiple password changes and invalidated unencrypted security questions to protect user information.

Our tip to you, for any questions or concerns for your business, check out https://www.godaddy.com/web-security/website-security for expert advice on small business web security.

Remember, try to have your employees consistently update their passwords and implement multiple step authentication on all their accounts.  Make sure they’re not accessing confidential information on shared or unsecure wi-fi connections, and always have conversations about the latest tools and tactics to avoid the ever-present phishing scams.

If you ever have any questions or concerns about hardware destruction, please see our article on hard drive destruction.

#1: Equifax

You couldn’t have traveled far enough away to escape hearing about its monumental mistake.  Without a doubt, Equifax’s breach is the most significant data breach in history. 

This breach wasn’t so much about the quantity of customers effected, but the quality and importance of the content that was breached.

Where almost all digital IT thefts in the past have involved stolen email addresses, phone numbers, and login credentials, Equifax’s information was much more sensitive.

Plain and simple, this 143-million-person breach went to the core of some of the most important information about Americans: names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers.

 

More than two months went by before Equifax reported the breach.  Once again, even with a highly sophisticated security team and an immense budget, they still were targeted.  If your business is ever the unfortunate victim of a security breach—immediately—contact a small business security expert like GoDaddy, or visit https://www.godaddy.com/web-security/malware-removal for an efficient and effective strategy on virus removal.

A greater emphasis on privacy helps create a culture that values security and employee privacy.  Keeping your business secure will take a combination of security tools and employee education if you are to stay ahead of thieves.

If you have any questions, concerns, or tips, we’d love to hear from you.

Please visit our website at www.sddstl.com or if you’d like to learn more, give me—John Steinhauser—a call at (314)795-0004 or email me at john@sddstl.com

And, stay safe out there!

John Steinhauser, co-owner, Secure Document Destruction of St. Louis (SDD).

Authors: Mindi McDowell, Matt Lytle – US Computer Emergency Readiness Team

Before selling or discarding an old computer, or throwing away a disk or CD, you naturally make sure that you’ve copied all of the files you need. You’ve probably also attempted to delete your personal files so that other people aren’t able to access them. However, unless you have taken the proper steps to make sure the hard drive, disk, or CD is erased, people may still be able to resurrect those files.

Where do deleted files go?

When you delete a file, depending on your operating system and your settings, it may be transferred to your trash or recycle bin. This “holding area” essentially protects you from yourself–if you accidentally delete a file, you can easily restore it. However, you may have experienced the panic that results from emptying the trash bin prematurely or having a file seem to disappear on its own. The good news is that even though it may be difficult to locate, the file is probably still somewhere on your machine. The bad news is that even though you think you’ve deleted a file, an attacker or other unauthorized person may be able to retrieve it.

What are the risks?

Think of the information you have saved on your computer. Is there banking or credit card account information? Tax returns? Passwords? Medical or other personal data? Personal photos? Sensitive corporate information? How much would someone be able to find out about you or your company by looking through your computer files? Depending on what kind of information an attacker can find, he or she may be able to use it maliciously. You may become a victim of identity theft. Another possibility is that the information could be used in a social engineering attack. Attackers may use information they find about you or an organization you’re affiliated with to appear to be
legitimate and gain access to sensitive data.

Can you erase files by reformatting?

Reformatting your hard drive or CD may superficially delete the files, but the information is still buried somewhere. Unless those areas of the disk are effectively overwritten with new content, it is still possible that knowledgeable attackers may be able to access the information.

How can you be sure that your information is completely erased?

Some people use extreme measures to make sure their information is destroyed, but these measures can be dangerous and may not be completely successful. Your best option is to investigate software programs and hardware devices that claim to erase your hard drive or CD. Even so, these programs and devices have varying levels of effectiveness. When choosing a software program to perform this task, look for the following characteristics:

• data is written multiple times – It is important to make sure that not only is the information erased, but new data is written over it. By adding multiple layers of data, the program makes it difficult for an attacker to “peel away” the new layer. Three to seven passes is fairly standard and should be sufficient.
• use of random data – Using random data instead of easily identifiable patterns makes it harder for attackers to determine the pattern and discover the original information underneath.
  use of zeros in the final layer – Regardless of how many times the program overwrites the data, look for programs that use all zeros in the last layer. This adds an additional level of security. While many of these programs assume that you want to erase an entire disk, there are programs that give you the option to erase and overwrite individual files.
• An effective way to ruin a CD or DVD is to wrap it in a paper towel and shatter it. However, there are also hardware devices that erase CDs or DVDs by destroying their surface. Some of these devices actually shred the media itself, while others puncture the writable surface with a pattern of holes. If you decide to use one of these devices, compare the various features and prices to determine which option best suits your needs.