Dealing with Electronic Waste: What Happens to the Data? [Part 3]
This week, we have been running a series about the various services your ideal ITAD provider should be able to offer. We looked at recycling initially, with the second part focusing on other key processes like asset redeployment, remarketing, software harvesting, reporting and the compliance standards that companies should keep an eye out for when it comes to choosing a recovery vendor. This third part looks at one other very important element in the ITAD process: data destruction. When it comes to IT asset recovery, one often overlooked aspect of ITAD by organizations is the importance of data destruction. Do not misconstrue this to mean companies don’t practice data destruction. No, they do. Just not competently enough. Remarkably, most are entities with a dedicated IT department, complete with the division’s head honcho. Yet, the idea of meticulously wiping off data from their media devices somehow never comes to mind. Or it does but is often taken for granted. Probably. In fact, an awfully embarrassing lot of breaches that have occurred in the last couple of years have been attributed to improper disposal: from health institutions to retail chains to multinationals. Heck, even governments who supposedly should be having the best data security minds have not been spared either. The point is, as burning as the desire to dispose of old assets may be, so should the same attention (more even) be given to the aspect of data destruction. For IT asset disposition companies, data destruction is a standalone service on its own, particularly when there are many machines (or media devices) involved. Several alternatives to data erasure exist, with some allowing for hard drive reuse while others condemn the storage devices to total destruction. Overwriting/Wiping Data Organizations looking to remarket their equipment often turn to this common solution that involves replacing written data with random data. Data clearing can be done once or could involve multiple passes. Usually, hard drives manufactured post 2007 require just a single wipe. Notwithstanding, this service is best left to certified experts who can be trusted to do away with the data for good. Older data erasure methods such as trash-can-and-delete, or shift-delete do not just cut it. Even the Gutmann wiping method that comprises a series of 35 patterns being run over the region is now considered archaic. As you would guess, wiping procedures that were once effective on older devices are no longer the case with today’s hard drives. The type of hard drive also has a say on the technique of data erasure. Take solid-state drives (SSDs) for example. They usually store their data in flash memory chips that don’t allow for any moving parts. They are smaller, use less energy, are cooler than their traditional counterparts, and more durable. However, they cannot go through standardized wiping methods when it comes to clearing confidential data. Rather, they need custom wiping since they tend to have a restricted number of write and erase sequences. Never mind the fact that they are more costly. When it comes to resale value though, they are king. Hard Drive Purging/Shredding Another effective method that guarantees destruction of data. Purging, a magnetic erasure process, degausses the media thus rendering the hard drive useless. This is often proceeded by physical destruction of the drive, also known as shredding. Typically, disks sent for purging during asset disposition tend to hold highly sensitive data and there is no intention to reuse them. Also, they were mostly manufactured before 2007. Drives made before that year require a three-pass clearing process but their value doesn’t correspond to the cost of the multiple passes they will be subjected to. Solid-state drives, on the other hand, skip degaussing and head straight for destruction. Hard drive shredding can be done regardless of whether the drive has been degaussed or not. The asset recovery company you do business with should be in a position to inform you whether or not to degauss or head straight to shredding. Last Word The selection of a competent vendor to handle ITAD for you is a critical decision for organizations. Failure to do it well could have serious implications since company data may be exposed to risk which in turn could have a negative butterfly effect: exposing consumer sensitive data, damaging a company’s reputation, upsetting stockholders, legal penalties including fines and sanctions, not to mention executives who could be left facing civil or criminal prosecutions. As much as companies already have in place an IT asset management (ITAM) program, integrating end-of-life IT assets into the same could prove valuable with regard to minimizing risk and maximizing device value. Always insist on a reputable recovery solutions vendor; they could be the difference between life and death of your company if you care to think about it deeper.