Compliance
Data Security Compliance: How to Dispose of Hard Drives Properly
Before you can dispose of or reuse storage media, you will need to ensure the information contained in it cannot be recovered in any way. This process of data destruction and end-of-life media handling is regulated by an increasing number of industry standards, risk mitigation policies, and government regulations.
This page will cover the most common industry and government standards for dealing with hard drives and magnetic tapes and explain which methods you can use to comply with each guideline or law.
Data Compliance Requirements for Hard Drives: Why They Exist
If you’re disposing of old IT equipment, you need to make sure you’re working within a data compliance framework that protects confidential information when it’s no longer needed.
To destroy a hard drive in accordance with regulations, it’s not enough to delete the data or overwrite it. In most cases, you will need to actually shred or crush the hard drive so you can ensure no personal or sensitive data will ever be recovered.
Hard drive or storage media destruction is part of the disposal process that many companies need to follow to guarantee data security and avoid potential data breaches. However, there isn’t a single general data protection regulation. Instead, various governments, industry standards, and internal policies will have their own rules to ensure data compliance.
How is Personal Data Deleted from Hard Drives?
Data compliance regulation requires all personal data to be destroyed. There are several ways in which you can attempt to do this, including:
- Deleting hard drives: You can delete personal data from a hard drive by erasing it. However, this does not make an irrevocable deletion and is insufficient to destroy it, as unauthorized actors can still recover this information.
- Overwriting hard drives: Overwriting data is also insufficient because the data is not truly destroyed, either.
- Destroying hard drives using other means: Many people try to destroy their hard drives by using tools such as hammers. This can also be insufficient to protect the data from others.
There is only one way to permanently destroy data in accordance with data protection laws:
- Shredding hard drives: The best way to ensure information is made permanently irretrievable is to actually destroy the hard drive mechanically through shredding, ideally at the point of origin. It’s important to mention, though, that the shredders themselves also need a certain security level.
HDD Destroyers, SSD Destroyers, Disintegrators, and Degaussers
You can use four main types of machines to destroy a hard drive: HDD destroyers, SSD destroyers, disintegrators, and degaussers. Each of these works slightly differently from the others:
- HDD destroyers: In hard disk drives (HDDs), the data is written on a cylindrical array in platters that rotate at speeds of 5,400 to 15,000 RPM. The read head never truly touches the platters, so damaging, abrading, or warping the surface of the magnetic media is usually enough to make it inaccessible. By using tools like sledgehammers, drills, and vices, you can physically deform the storage device. Machines that can deal with HDDs use methodologies like folding, piercing, and plunging.
- SSD destroyers: Solid state drives (SSDs) can also be destroyed using physical damage and/or shredded to make the data unusable. These machines typically use a hydraulic power unit and crushing plates with interlocking razor-shard-hardened steel teeth that can puncture, crush, serrate, and decimate SSD’s ceramic memory chips on both sides.
- Disintegrators: Many machines, called disintegrators, can destroy all types of media, including hard disks, circuit boards, tablets, laptops, flash drives, and switches. These are typically used within data center secure zones to achieve more throughput while producing e-waste that can be recycled.
- Degaussers: Degaussers are machines that disrupt and eliminate magnetic fields where data is stored, making it unreadable. Degaussers work on hard drives, VHS tapes, LTo and DLT tapes, and other storage devices.
What Are The Different Data Security Compliance Regulations?
There are several different standards and data privacy laws that determine how you have to destroy your media to ensure it’s unreadable. Let’s go through the most common ones and what they mean for dealing with data protection in hard drives and magnetic tapes.
California Consumer Privacy Act (CCPA) Data Compliance
The California Consumer Privacy Act (CCPA) is a state statute designed to enhance privacy rights and protect data belonging to consumers and residents of California. This regulation was first published in June 2018.
The CCPA defines privacy rights that include the right to know what personally identifiable information business operations collect and how it’s used and shared, the right to opt-out of the sale of this sensitive data, the right to non-discrimination for exercising CCPA rights, and (most relevant here) the right to have all collected personal information deleted.
The regulation allows for hefty fines for businesses that fail to adopt the law, especially for personal health information, addresses, phone numbers, and other sensitive data. You can use degaussers and destroyers to comply with CCPA’s data deletion regulations.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a data protection and privacy EU law that defines strict rules for personal data security compliance. GDPR was originally published in April 2016.
This data compliance regulation defines how information must be used fairly, lawfully, and transparently only for specific and explicit purposes. The data needs not just to be kept accurate and up to date but also be destroyed when it’s no longer needed. In terms of handling hard drives, GDPR mandates that all information is protected against unauthorized access.
To comply with General Data Protection Regulation mandates, you must destroy your hard drives. The destruction method depends on the sensitivity of the data, but degaussers and destroyers are recommended.
DoD Emergency Destruction Guidelines
The U.S. Department of Defense is charged with supervising and coordinating agencies and functions related to national security. The NSA’s Center for Storage Device Sanitization Research (CSDSR), specifically, requires the sanitization of information system storage devices, including hard drives.
The NSA regularly releases evaluated product lists for approved equipment and outlines all sanitizing requirements, too. These guidelines indicate that, in order to abide by their data protection compliance program, it’s not enough to delete the information.
Hence, you must physically destroy hard drives and devices by disintegrating, burning, melting, or pulverizing them. If you smash or shred the hard drive yourself, the pieces should be small enough to prevent the data from being reconstructed (1/125”).
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act of 1999) is a law passed in November 1999. Its goal was to remove specific barriers for banking, securities, and insurance companies and make mergers easier.
The GLBA has specific data retention and disposal requirements stating how financial institutions need to securely dispose of customer data. For example, it determines that no company can keep this customer information for more than two years after it was used.
Like CCPA, GDPR, and DoD guidelines, data covered by GLBA needs to be destroyed using degaussers or destroyers.
Health Information Portability and Accountability Act (HIPAA)
The Health Information Portability and Accountability Act (HIPAA) is a U.S. act signed into law in August 1996. It contains national standards to protect sensitive patient health information (protected health information or PHI) from being disclosed to non-covered entities.
HIPAA explicitly states that you must erase all health information in your possession when it’s no longer needed. The way this needs to be done is by completely and physically destroying your hard drives so they can no longer be used. HIPAA has a few other important considerations you should keep in mind. For instance, you need to ensure the PHI remains in your custody up until it is destroyed, and sending hard drives out for destruction can be considered a data breach. So, if you want to comply with this regulation, you will need to physically destroy your digital media within your organization.
IRS 1075
The IRS Publication 1075 contains tax information security guidelines for federal, state, and local agencies. This series of safeguards for protecting federal tax returns and return information was created in November 2016 and revised in November 2021.
The publication requires agencies to sanitize their information before they can dispose of or reuse media. No matter where the data is located (IRS 1075 doesn’t make a difference between it being at a state data center, an agency, or an outsourced location), the agency is ultimately responsible for enforcing sanitization requirements, including clearing, purging, and destroying. The type of sanitization required will depend on whether or not the media can be reused by the agency with FTI (for which clearing or purging might be sufficient) or if it will leave agency control (which requires destroying).
For clearing requirements, you can overwrite the data. For purging, you can use degaussing or firmware Secure Erase Command (only for ATA drives). Lastly, destroying media requires physical methods like incineration, disintegration, shredding, pulverizing, and melting.
NIST SP 800-88r1
NIST SP 800-88r1 is a series of guidelines for media sanitization created by the National Institute of Standards and Technology and initially published in 2014. Its objective is to ensure that all data that can be found on storage media s made irretrievable.
The guidelines contain robust methodological instructions for easing data that are widely adopted by governments and corporations. Similarly to IRS 1075, NIST 800-88 defines three techniques for erasing end-of-life data: clearing (by overwriting), purging (using overwrite, block erase, or cryptographic erase) and destroying (by shredding, pulverizing, smelting, or incinerating). The appropriate method will depend on how the media will be used in the future, how confidential the data is, and what storage media is used to store the information.
NSA/CSS SDDM 9-12
NSA/CSS SDDM 9-12 is a manual that provides guidance for sanitizing information system storage devices (for either recycling or disposal) in accordance with NSA/CSS policy. The manual was published on December 2020 and is designed to deal with unclassified to top-secret materials.
There are different recommended procedures depending on the type of storage media. For example, magnetic tapes need to be destroyed by using degaussing, disintegration, or incineration, and some hard drives require additional procedures such as separating the hard disk drive case and external circuit board and then using manual or automatic degaussers, a degaussing wand, disintegration, or incineration for the parts.
PCI DSS 3.2 (Payment Card Industry) Data Security Standard
The PCI DSS 3.2 Data Security Standard is an information security standard for dealing with credit card information. As part of the card-processing ecosystem, you might have to deal with data compliance requirements for sanitizing point-of-sale devices, mobile devices, personal computers, servers, and various storage systems.
This standard requires you to periodically review procedures to determine if their condition has changed and destroy media when it’s no longer needed for contractual, legal, or business reasons. PCI recommends using secure erase or physical destruction of media using security-accepted standards (for example, NIST SP 800-88).
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law. It was originally published in April 2000 and governs how organizations in the private sector collect, use, and disclose information as part of their business operations.
Principle 5 of PIPEDA states that all personal information must be destroyed, erased, or made anonymous when no longer needed. Each organization can develop and implement its own guidelines and procedures (in accordance with directives issued by the designated minister) as long as they prevent unauthorized parties from accessing the data.
Trade Agreements Act (TAA) Compliance
The Trade Agreements Act (TAA) offers a set of compliance regulations pertaining to trade agreements negotiated between the United States and other countries. The law was published in July 1979 and aimed to foster fair and open international exchange.
In order to comply with TAA regulations, your data needs to be both encrypted and destroyed when no longer needed. You can use degaussers or destroyers to do this.
How Phiston Can Help With Compliance Regulations
Phiston Technologies is an industry expert in all things related to data destruction and end-of-life media handling. Phiston’s innovative products are engineered to comply with data protection regulations established by governments and private entities. Our MediaVise® crushers and MediaDice® disintegrators, in particular, are designed to surpass any competing technologies while focusing on regulatory standards, operator health and safety, compactness and portability, ease of use, and safe waste containment and disposal.
You can install our destroyers at the point of origin and, in some cases, directly in your data center’s server rack, eliminating the risk of handing the media over to contractors or third parties.
Request a quote today to ensure your confidential information remains 100% unreadable.
