Data is the lifeblood of just about every American business and, unfortunately, it attracts the unwanted attention of thieves who will try to steal private information and use it for illegal gains.
The sensitive nature of data extends far beyond its useful business life. Information stored on hard drives has the possibility of lasting forever unless you take appropriate steps to destroy it when the data is no longer needed.
You may be tempted to go cheap or do it yourself, but for maximum protection and full peace of mind, you should consider hard drive destruction as the most effective means of data protection.
What is hard drive destruction?
The hard drive is manually destroyed by a mechanical device, ensuring the data cannot be recovered or stolen. The drive is transformed from a single platter where data is stored into tiny particles. Think of it in much the same way that a woodchipper works on tree branches (this is true for shredding only).
Hard drive destruction extends to just about any type of sensitive electronic media, including:
- Computer Hard Drives
- Compact Discs
- Floppy Disks
- USB Drives
- Credit Cards
Hard drives are often destroyed by shredding, similar to how a household paper shredder operates, or by crushing/punching, which punches one or more giant holes into the middle of the hard drive, destroying the delicate magnetic surface that contains any sensitive information.
Can you successfully destroy your own hard drive?
You can try, but there will always be the nagging possibility that you will not be successful.
Simply deleting files is not enough, nor is erasing the hard drive with a program that does not meet industry standards for data destruction.
If you want to get more medieval and think you can smash your hard drive into pieces with a hammer, think again. It is still not a fool-proof method (although you may feel better taking some of your aggression out on a defenseless piece of computer hardware).
Tossing the hard drive in the trash and hoping it winds up in a landfill or recycling it at one of those computer recycling drives will also leave you and your data vulnerable to theft and misuse.
Taking matters into your own hands could also land you in trouble with the U.S. Environmental Protection Agency. Computer components are toxic and should be disposed of properly.
There is more to it than first meets the eye, which is why data and hard drive destruction are always best left to the professionals. That means you should only work with a vendor who follows NAID certified best practices.
What is NAID AAA certified destruction?
The National Association of Information Destruction (NAID) is the largest international certification body for information and data destruction. The NAID is an independent auditor that checks a shredding company’s compliance in 22 areas.
Using a NAID-compliant vendor is not only a good idea; in many cases NAID AAA Certification is required by hundreds of government offices and thousands of private contracts.
The organization verifies that secure data destruction companies’ services comply with all known data protection laws through scheduled and surprise audits by trained, accredited security professionals, which fulfills customers’ regulatory due diligence obligations.
As part of NAID AAA Certification, a vendor will record the serial number of each hard drive that is shredded and give a NAID Certificate of Destruction to the customer, providing proof that the hard drive was destroyed according to regulations.
The lesson here is that you should never just accept a vendor’s word that a hard drive has been destroyed without written documentation. You need the protection that a paper trail will provide if there are issues later.
What happens when you do not follow best practices?
In a study conducted by the NAID, 40% of used electronic devices sold on the secondhand market contained Personally Identifiable Information (PII). So even if you think you have wiped your hard drive clean, there is an almost 1 in 2 chance that you have not.
The bottom line is, if you value your data, destroy your hard drives following industry best practices.
What are some of the legal issues that could arise by not properly disposing of data?
If you are negligent and do not dispose of your hard drive the right way, you could run afoul of several laws that protect consumers from data breaches.
Perhaps the most well-known of these is the federal HIPAA law.
The Health Insurance Portability and Accountability Act of 1996 created security standards to establish measures ensuring the security of healthcare information maintained by healthcare providers, healthcare institutions and health insurance companies.
The Gramm-Leach-Bliley Act (GLB Act) created significant restrictions on the use of customer information in the financial industry (i.e., insurance, banks, stockbrokers, mortgage, escrow, lenders, etc.).
The Fair and Accurate Credit Transactions Act (FACTA) established a national system of fraud detection so victims can alert all three major credit rating agencies with a single phone call.
The U.S. Supreme Court also ruled that dumpster diving is not illegal. As a result, it has been a common method for stealing sensitive data for quite some time now.
What should I do with the hard drive until it’s ready to be shredded?
Many companies are required to maintain data for a certain period, either due to company policies or legal compliance. You may be tempted to take full and old hard drives and stick them in a “secure” storage facility onsite. But if you do, you are still leaving your company vulnerable to a significant data breach.
When you store old hard drives and data onsite, you are creating an attractive target for criminal activity. Instead, you need to find a secure off-site location and limit access.
Is it better to have hard drives shredded onsite or offsite?
Either is acceptable. What you really need to be concerned with is the level of chain of custody practices. Chain of custody is defined as the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.
Many vendors will come to your place of business and allow you to witness the actual destruction of the hard drive or other electronic media. Others will securely transport hard drives to a remote location where they will be securely shredded. Generally, the hard drives are placed in a secured and locked container for transport before they are destroyed.
Onsite shredding can take a little more time, so it is slightly more expensive. Dropping your hard drives off at a shredding facility or having them transported is generally cheaper.
What happens to the hard drive pieces after they are shredded?
Recycling is an important part of hard drive shredding. To prevent environmental pollution and associated health hazards, shredded pieces are recycled using a raw metal extraction process that creates new metal and plastic products.