Why Physical Data Destruction is Absolutely Vital

What is physical data destruction? Physical destruction of data is the process of destroying the tapes, hard disk drives, and other electronic media on which data is stored so that the data is completely unreadable and cannot be accessed or used for unauthorized purposes. Unfortunately, many people neglect to plan for proper physical destruction when it is time to retire storage devices. Given the very real risk of a data breach, it is imperative to be highly security conscious about the digital traces we leave behind. This article discusses the importance of physical destruction, best practices in data destruction, and the potential repercussions of failing to physically destroy data at end-of-life.

Data destruction is not the same as destroying the media on which the data is stored (physical destruction). When a device is physically destroyed, it is rendered completely unusable, most frequently by disintegrating, shredding, or crushing the media. For rotational hard disk drives (HDDs), it is highly recommended to degauss the drive prior to physical destruction. Degaussing scrambles the magnetic fields on the HDD platters, rendering the drive completely unusable. Newer and smaller devices tend to use solid state drives (SSDs), which pose different challenges for physical destruction. According to SSD market research, the global market for solid state drives is expected to reach $229.5bn by 2022, so it is crucial to understand the physical destruction these drives require as their usage increases. Degaussing, for example, is not effective on SSDs because SSDs store data in interconnected flash memory chips (integrated circuits), and only magnetic media can be degaussed. Many organizations rely on standard HDD shredders to shred their SSDs as well. Unfortunately, this is an unsafe practice: these machines produce larger shred sizes and fail to completely destroy the data on high-density solid state chips. To put it into perspective, the US National Security Agency (NSA) requires that classified SSDs be destroyed to a 2mm final particle size, whereas it requires HDDs to be degaussed and then physically destroyed, either with a shredder or a crusher. These two destruction methodologies are light years apart; however, according to research conducted by Blancco, more than one-third (33%) of enterprises in the U.S. and Canada do not have a different process for dealing with SSDs compared to HDDs.

Many global enterprises use inappropriate data removal methods, or simply do not deal with their end-of-life devices at all. Earlier this year, Blancco's research surveyed 1850 senior decision makers across the US, Canada, Europe, and the Asia Pacific region; 80% of the U.S. and Canadian respondents reported that their end-of-life devices are simply being stockpiled in storage somewhere. This adds up to around 400,000 devices, or about 272 per company. Adding to the risk of internal data breaches, 57% of respondents reported taking longer than two weeks to erase these devices, let alone physically destroy them. Respondents also claim that around 18% of devices are left "somewhere" within the company with no action ever being taken. Blancco's research also found that two in five enterprise organizations spend more than $100,000 a year to store unused hardware. These are major security issues that pose heavy compliance risks and should be addressed immediately.

The EU General Data Protection Regulation (GDPR) outlines data protection principles that EU organizations must follow when collecting and storing EU individuals' personal data. The California Consumer Privacy Act (CCPA), which went into effect 1 January 2020, has brought the US closer to GDPR. While CCPA is only a state law, it has also become the informal national standard for the time being. Companies have to disclose to California customers what data of theirs has been collected, and must delete it and stop selling it if the customer requests. The fines add up quickly: $7500 per violation if intentional, $2500 for violations lacking intent, and $750 per affected user in civil damages. Consumers will hold more power than ever as they become aware of what their information is worth and as more laws favoring their privacy come into existence. As data usage expands, it becomes ever more important to understand appropriate destruction methods that both comply with consumer requests and protect the organization from leak or breach. Stockpiled drives are an invitation to disaster.
