Hard Disk Wiping: What’s the Magic Number on Overwriting Passes?

May 23, 2020

As you are probably aware, chucking hard drives and other IT equipment and devices in the trash when you’re done with them is a big no-no.  These devices, collectively termed “e-waste”, contain plastics, metals, and in some cases, toxic components that cannot go in a landfill.  They must be repurposed or recycled.

Responsible South Dakota business owners also understand that the data on these devices must be eradicated.  This is why so many businesses partner with certified ITAD service providers to shred hard drives, eliminating any potential for data recovery and tearing drives asunder so parts can be recycled.

What if your hard drives are still viable, though?  What if you want to pass them along to new employees, donate them to charitable organizations, or remarket them to recoup some expense?  In this case, wiping is an ideal solution, but it must be a method that complies with consumer privacy laws (and possibly, regulations for your type of business, specifically).  How many wiping passes are required to meet your legal requirements and protect your company and your customers?

NIST Standards

Most businesses operating in the private sector will find that the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision 1 standard is sufficient when it comes to data sanitization.  This standard calls for just a single overwrite pass with a fixed pattern (0 character, 1 character, or a random character) for devices containing magnetic media, followed by a verification pass to ensure that the process has rendered “target data recovery infeasible using state of the art laboratory techniques”.

DoD Standards

The U.S. Department of Defense uses what some might refer to as the gold standard in wiping procedures – no surprise considering the high level of confidential data they deal with – but even they have different levels of wipes.  The DoD 5220.22-M standard includes seven passes in the following order:

  • 0 character
  • 1 character
  • Random character
  • Second random character
  • 0 character
  • 1 character
  • Random character

After this, a final verification is conducted to confirm that all original data has been eradicated in the overwriting process.  For the average business, this is overkill.  There’s also DoD 5220.22-M ECE, which is a three-pass overwrite process using a 0 character, followed by a 1 character, and then a random character, before a final verification pass.  Again, this may be beyond what many companies need these days, but it depends on a couple of factors.
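
The overwrite-then-verify procedure described in the NIST and DoD sections above, as an added example that is not part of the original article. It runs a pass sequence against an ordinary file standing in for a drive; the function names, the sample file, the reading of "1 character" as all-one bits, and the seeded keystream that makes the random pass checkable are assumptions of this example.

```python
import hashlib
import os

CHUNK = 64 * 1024  # bytes written per I/O call

def pattern_chunk(kind, seed, index, length):
    """Bytes for chunk `index` of one pass."""
    if kind == "zeros":
        return bytes(length)
    if kind == "ones":
        return b"\xff" * length  # "1 character" taken as all-one bits
    if kind == "random":
        # Seeded keystream (assumption) so verification can regenerate it.
        return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(length)
    raise ValueError(f"unknown pass kind: {kind}")

def overwrite_pass(path, kind, seed=b""):
    """Overwrite every byte of `path` in place with one pattern."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for index, offset in enumerate(range(0, size, CHUNK)):
            f.write(pattern_chunk(kind, seed, index, min(CHUNK, size - offset)))
        f.flush()
        os.fsync(f.fileno())  # force the pass out of the OS cache

def verify_pass(path, kind, seed=b""):
    """Read the target back; return offsets of chunks that do not match."""
    size, bad = os.path.getsize(path), []
    with open(path, "rb") as f:
        for index, offset in enumerate(range(0, size, CHUNK)):
            expected = pattern_chunk(kind, seed, index, min(CHUNK, size - offset))
            if f.read(len(expected)) != expected:
                bad.append(offset)
    return bad

def sanitize(path, passes=("zeros",)):
    """Run the passes in order, then verify against the final one."""
    seed = b""
    for kind in passes:
        seed = os.urandom(32) if kind == "random" else b""
        overwrite_pass(path, kind, seed)
    return verify_pass(path, passes[-1], seed)

def make_sample_image(path):
    """Constructed sample data: a file standing in for a drive."""
    with open(path, "wb") as f:
        f.write(b"CUSTOMER-RECORD-0001;" * 10000)

ECE_PASSES = ("zeros", "ones", "random")  # three-pass order from the text
```

An empty list from `sanitize` means every chunk read back as the final pattern; any offsets returned mark regions the verification pass found unchanged or altered.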

Your Hardware and Data

The wiping process you choose will depend mainly on the type of data you’re purging and the type of device that data is stored on.  Data storage has seen incredible technological advances over the past few decades, and standards for data destruction have adapted accordingly.

For instance, the DoD 5220.22-M standard was last updated in 2006.  NIST SP 800-88, Rev. 1 was released in 2014, and now serves as the business standard.  That said, you may find yourself wiping older devices, or dealing with highly confidential data.

Your certified ITAD service provider can help you to determine which method of wiping is suitable for your particular needs.  Contact the experts at SEAM today at 605-274-7326 (SEAM) or online to learn more and request a quote.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.
