Hard Drive Wiping: Good Enough?
When hard drives are ready for disposal, businesses need to have a proven data destruction plan that is safe, efficient, and, most importantly, effective. Many companies wonder if hard drive wiping is really “good enough” when it comes to data destruction. This is a fair question. With data-recovery technology more advanced than ever before, companies need to be very cautious when deciding what hard drive destruction method to choose. Make the wrong choice and there is a very real risk of private company data falling into the wrong hands.
Choosing Wiping vs. Shredding
When deciding whether to wipe or shred hard drives, companies must look at their individual needs. If done correctly, hard drive shredding is a great solution for total data destruction. The benefits of hard drive shredding include the guarantee that the device will never be able to be used again and the peace of mind that data was completely destroyed. However, it takes specialized, expensive equipment to ensure the drive is in fact shredded down to the appropriate size to eliminate the possibility for data to be retrieved. This means companies must either purchase this equipment to operate in-house, while managing all of the health, safety and environmental standards that come into play if operating an industrial shredder, or they must outsource to a reputable company who can prove their hard drive shredding process is done in accordance with recognized certifications and standards. Shredding also voids any potential for resale, which limits the options for remarketing and reduces dollars coming back to the organization.
Due to these drawbacks of shredding, hard drive wiping is often chosen as the data destruction solution. The benefits of hard drive wiping, if done correctly, include verifiable data erasure along with the opportunity for reusing the drive, which means resale value. However, wiping also takes specialized, expensive software to ensure the data is 100% cleared. Companies must have well-trained in-house staff who know how to wipe and test hard drives properly, or be able to outsource the drives to a vendor who uses certified software, audited by a third party to ensure the drives are completely erased, not just making empty promises.
Wipe In-House or Outsource?
Many organizations believe they have the capability to completely destroy their hard drive data by wiping their drives in-house. At SEAM, we have many customers who do this first in accordance with their corporate standards before sending their drives to us without any requirements for further wiping or destruction, because “they handled it already.” It’s our job to educate our customers on why wiping in-house may not be the complete solution, even if it is a great first step.
- Risky Wiping Software: Not all disk-wiping software is created equal. Standards like HIPAA, Sarbanes-Oxley (SOX), GLB, PCI, and NIST 800-88 all have the same requirement: all drive data must be overwritten. Popular wiping software like Kill Disk or free drive deletion software falls short of this basic standard and leaves the company on the hook when it fails. Text taken directly from Kill Disk’s Limitation of Liability language makes it very clear that it’s basically a “use at your own risk” agreement.
- The Risk of Damaged Drives: Wiping alone can also be a dangerous data destruction method if any hard drive or sector is damaged. According to NIST SP 800-88 R1, sectors on damaged drives cannot be overwritten during the wiping process, meaning data will remain and is relatively easy to recover. Using non-certified software that cannot detect damaged sectors can easily cause sensitive data to slip through the cracks. If a drive is known to be damaged, hard drive shredding needs to be used as a secure backup option.
- The Cost of Time: Depending on the age and size of the drive, wiping can also be very time-consuming, which can be an issue if there is a large quantity of hard drives to dispose of. To ensure it’s done correctly and completely, the wiping process cannot be rushed and takes patience, especially without the ability to wipe multiple drives at once.
The Best Data Destruction Solution
The best overall recommended data disposal solution is a combination of both in-house security practices and outsourcing with a capable vendor. Companies should secure unused hard drives immediately at their location. Whether performing wiping in-house to limit data from leaving their facilities, or sending the secured drives directly to a vendor who can audit each drive, wipe them, and shred any drives that cannot be properly wiped, the final step in a good data destruction plan should always end with a certified company who can report back a list of serial numbers that were wiped or destroyed. This protects the organization against human error if someone misses a step in the process.
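The read-back check implied by the damaged-drive point and by the per-serial report described above, as an added example that is not SEAM's or any wiping product's own code: it verifies every sector of a wiped drive and records a disposition per serial number. The 512-byte sector size, the all-zero wipe pattern, the shred/rewipe/reuse policy and the constructed in-memory drives are assumptions.

```python
import io

SECTOR = 512  # assumed logical sector size

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a block device; reads of bad sectors fail."""
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n=-1):
        if self.tell() // SECTOR in self.bad:
            raise OSError(5, "Input/output error")
        return super().read(n)

def verify_wipe(dev, total_sectors, pattern=b"\x00"):
    """Read back every sector; return (residual, unreadable) LBA lists."""
    expected = pattern * SECTOR
    residual, unreadable = [], []
    for lba in range(total_sectors):
        dev.seek(lba * SECTOR)
        try:
            block = dev.read(SECTOR)
        except OSError:
            unreadable.append(lba)   # cannot prove this sector was overwritten
            continue
        if block != expected:
            residual.append(lba)     # readable, but old data is still there
    return residual, unreadable

def disposition(serial, dev, total_sectors):
    """Assumed policy: unverifiable -> shred, leftover data -> rewipe, else reuse."""
    residual, unreadable = verify_wipe(dev, total_sectors)
    action = "shred" if unreadable else "rewipe" if residual else "reuse"
    return {"serial": serial, "action": action,
            "residual": residual, "unreadable": unreadable}

def build_report():
    """Run the check over three constructed 8-sector drives."""
    clean = bytes(8 * SECTOR)
    leftover = bytearray(clean)
    leftover[3 * SECTOR:3 * SECTOR + 7] = b"PAYROLL"
    fleet = [("SN-CONSTRUCTED-A", FlakyDisk(clean)),
             ("SN-CONSTRUCTED-B", FlakyDisk(bytes(leftover))),
             ("SN-CONSTRUCTED-C", FlakyDisk(clean, bad_sectors=[5]))]
    return [disposition(sn, dev, 8) for sn, dev in fleet]

if __name__ == "__main__":
    for row in build_report():
        print(row)
```

A read-back over logical addresses only covers sectors the drive still exposes to the host, so a clean result here does not account for sectors the drive has already remapped internally.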
Regardless of the method you choose for disposing of hard drives, be wary of who you choose as your disposition provider. Find companies that go beyond legally mandated procedures and take security, resale value, and recycling equally seriously. Remember, certificates of destruction do not free you from legal responsibility. If data somehow surfaces after sending it to a contractor who “certified” the destruction, you are still liable. So be diligent when asking about their procedures and look for voluntary certifications like R2 and e-Stewards, verified by the standard’s official website directory (yes, there have been some false claims). These certifications require annual third-party audits to verify all equipment is handled securely and responsibly, and all drives that are being sold for reuse are in fact 100% erased.
If you are in the South Dakota, Iowa or Nebraska area, contact SEAM for a free quote for your next hard drive wiping or equipment resale project.