The Right Way to Destroy Sensitive DataVerne Kopytoff
A company gives a batch of old computers to a recycler but neglects to delete the data stored on them. A few months later the hard drives—full of Social Security numbers, credit-card information, and corporate secrets—are for sale on EBay or a street corner in Ghana. It’s a corporate nightmare. And it’s an all-too-common scenario with e-waste.
Allowing sensitive information to leak out is embarrassing, of course, but it can also infuriate customers whose information is exposed and open the door to lawsuits and government fines. “There’s always headlines where a hospital has donated its computers and patient information is still on them,” says Robert Johnson, chief executive officer of the National Association for Information Destruction, a trade group that certifies specialists who erase data and shred paper documents. “It’s not as bad as it was five years ago, but we still have a long way to go.”
Lots of companies have their electronics hauled away by recyclers, a practice that in many states is a legal requirement. In some cases the computers, printers, and servers are still useful enough to be refurbished and resold. The most decrepit are stripped of parts, harvested for valuable metals such as gold and copper, and turned into scrap.
Preventing the release of data stored on the devices requires “sanitization,” in the lingo of the little-known data-destruction field. Specialists have a variety of tools to do the job, depending on the sensitivity of the data and how much the customer is wiling to spend.
Companies can destroy data in-house, of course, but many have other businesses do it for them. Document-shredding services, electronics recyclers, and computer-leasing firms frequently dispose of data for clients as part of their services.
Shredding hard drives is perhaps the strongest of the tools. Hard drives are fed into a machine that resembles a photocopier, which chews and spits out slivers of scrap metal. Drilling a hole in a hard drive is a second option. A very determined hacker may be able to recover some of the data, but only after spending a lot time, effort, and money.
Another technique is to pass hard drives, floppy disks, and computer tapes through a powerful magnet. Known as degaussing, the process scrambles any data saved on the drive so that it can’t be recovered.
The final option is to overwrite whatever is saved on a hard drive with new data. Often done with specialized software, overwriting—also known as wiping—replaces the information in a computer’s memory with gibberish. How many times a hard drive should be overwritten, however, is a subject of debate. Studies have shown that once is enough, while the standard for businesses is generally three passes.
Data-destruction contractors make house calls to companies that are finicky about giving up control of their information. Using portable equipment, contractors can shred hard drives while the customer watches to verify the work.
Peter Jegou, CEO of All Green Recycling, an electronics recycler in Somerset, N.J., says companies vary widely in how much attention they pay to the potential dangers of data on recycled electronics. Some customers have asked for photographs and video of their hard drives being shredded, he says. Others, particularly small companies, seem to have no clue, Jegou says, and educating them is part of the job: “It still baffles me that some of these smaller companies don’t understand.”
Businesses looking for a recycler should check whether they are certified. The Environmental Protection Agency endorses two standards, e-Stewards and R2, both of which require periodic independent auditing of participating recyclers. In addition to verifying their environmental credentials, the programs require that they wipe or shred all hard drives processed at their facilities. The National Association for Information Destruction offers additional certification.