Every company and person possessing computers, printers, copiers, and other electronics must ensure that they destroy the hardware following their country’s standards. Improperly destroying electronics can affect lives and potentially lead to hefty fines, lawsuits, and negative publicity.
Seven years ago, an NBC news affiliate purchased four computers from eBay and Craigslist. Two of the computers came from a police department, and the other two came from private sellers. One of the privately sold computers had been wiped, but neither of the two police computers had been; the police computers did, however, have software installed that made it impossible to save files. The final laptop, also from a private sale, contained five years of income tax returns, business files, family photos, and emails.
Before disposing of any old electronics, you must take steps to protect yourself, your employees, and any clients, patients, or customers who trust your company. Take a closer look at different international standards for secure hardware destruction and how to ensure your company handles data destruction legally and ethically.
Important International Standards
What are some of the standards used around the world? Many countries share the same methods for data destruction, but there are some standards and policies to keep in mind.
HMG Information Assurance Standard No. 5: Secure Sanitisation of Protectively Marked or Sensitive Information
The British government uses HMG Information Assurance Standard No. 5 (IS5), which requires both data destruction and proper recordkeeping. There are two main overwriting methods. The first is a single pass that sets every sector to zero. The second, enhanced overwriting, then changes the zeros to ones, then back to zeros, and then to randomly generated ones or zeros; this sequence is completed multiple times.
Degaussing is also an option for magnetic media, and physical destruction is permitted. The best option comes down to whether the hardware will be reused or not. If it is not going to be reused, destruction is ideal.
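As an added example (not from the original article or from any standard's reference implementation), the two IS5 overwriting schemes described above applied to a file on disk, with a read-back check of the final pass and a record for the destruction log; the chunk size, the record fields and the sample file are assumptions.

```python
import hashlib
import os
import tempfile
BLOCK = 4096  # constructed chunk size; real media are overwritten at device block size

def fill_pattern(kind: str, n: int) -> bytes:
    """Bytes for one pass: 'zero', 'one' (every bit set) or 'random'."""
    if kind == "random":
        return os.urandom(n)
    return {"zero": b"\x00", "one": b"\xff"}[kind] * n

def overwrite(path: str, kind: str) -> str:
    """Overwrite every byte of the file in place, fsync, return SHA-256 of what was written."""
    size = os.path.getsize(path)
    h = hashlib.sha256()
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            chunk = fill_pattern(kind, min(BLOCK, size - written))
            f.write(chunk)
            h.update(chunk)
            written += len(chunk)
        f.flush()
        os.fsync(f.fileno())
    return h.hexdigest()

def readback_hash(path: str) -> str:
    """SHA-256 of the file as read back from disk, to verify the last pass landed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def sanitize(path: str, enhanced: bool = False, rounds: int = 3) -> dict:
    """Basic: one zero pass. Enhanced: zero, one, random, repeated `rounds` times. Returns a log record (hypothetical format)."""
    passes = ["zero", "one", "random"] * rounds if enhanced else ["zero"]
    written = [overwrite(path, kind) for kind in passes]
    verified = readback_hash(path) == written[-1]  # read-back must match the final pass
    return {"path": path, "bytes": os.path.getsize(path), "passes": passes, "verified": verified}

def demo() -> dict:
    """Sanitize a constructed sample file (not real data) with the enhanced scheme."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"INCOME TAX RETURN - constructed sample\n" * 500)
    record = sanitize(path, enhanced=True, rounds=2)
    os.remove(path)
    return record
```

Overwriting a file reaches only the blocks the filesystem currently maps to it, so sanitizing a drive means running the passes over the whole block device; on SSDs, where wear leveling keeps copies the host cannot address, a firmware-level purge or physical destruction is the option.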
The Institute of Electrical and Electronics Engineers (IEEE) established P2883, which builds on NIST SP 800-88. It focuses on the differences between the NIST Clear, Purge, and Destroy categories.
- Clear – Data is sanitized using the storage device's own Read and Write commands.
- Purge – Recovery of the data is rendered infeasible even with state-of-the-art laboratory techniques, using methods such as cryptographic erase or block erase.
- Destroy – Data is destroyed using permanent physical destruction methods such as incineration or shredding.
A baseline standard for data sanitization covers the Clear, Purge, and Destroy categories so that the right method is chosen for each media type. For example, degaussing is useless at destroying data on a solid-state drive (SSD). IEEE P2883 does not, however, address virtual storage.
Around the world, ISO/IEC 27001 is a framework used to establish and manage information security. Businesses and organizations must continually analyze their company’s security risks for events like cyberattacks, data leaks, and theft of private information. It is essential to have plans in place to minimize and handle risks.
While IEEE P2883 covers guidelines on sanitizing, ISO/IEC 27040 covers when to do it. It urges businesses and organizations to consider end-to-end asset management for data protection. Businesses and organizations need to have a plan in place for retiring or decommissioning hardware as it reaches its end of life.
ISO/IEC 21964 (Formerly DIN 66399)
ISO/IEC 21964 used to be Germany's DIN 66399. It was established in 2013 and categorizes data destruction needs by the classification or category of data. With ISO/IEC 21964, there are specific criteria for the destruction of different hardware types, depending on the required security level. Most companies do not need the top-secret/demilitarization level of destruction.
- Electronic Data Carriers – Pieces as small as 0.5 mm to 160 mm
- Hard Drives – Pieces as small as 5 mm to 2,000 mm
- Magnetic Data Carriers (like magnetic tape cassettes, credit/debit cards, ID cards, and floppy disks) – Pieces as small as 2.5 mm to 2,000 mm
- Optical Media – Pieces as small as 0.2 mm to 2,000 mm
- Paperwork – Pieces as small as 5 mm up to 320 mm
- Reduced Format (microfilms and foils) – Pieces as small as 0.2 mm to 160 mm
At the smallest sizes, the pieces are no larger than the tip of a pencil. Reassembling fragments that small into a functioning device is impossible.
NIST Special Publication 800-88: Guidelines for Media Sanitization
For most businesses and organizations, NIST 800-88 is the right solution for data destruction. It meets government standards for rendering hardware useless and protecting personally identifiable information (PII).
While NIST 800-88 is one of the best, it’s important that you know the legal requirements of the industry you’re in. The destruction needs of a daycare differ from that of a medical center. If you’re uncertain, you need to work with a professional in data destruction.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Just over the northern border, Canada's data destruction standard is known as PIPEDA. It requires businesses and organizations to "destroy, erase, or ensure data is made anonymous." It also requires them not to retain personal information and data for longer than necessary, though it sets no specific timeline.
Once data is no longer needed, it must be destroyed using incineration, shredding, melting, pulverizing, or disintegration. Degaussing is appropriate for magnetic media. Canada does defer to NIST 800-88 guidelines for companies that need additional guidance.
What Are the Two Main Approaches for Hardware Destruction?
Hardware destruction comes down to two approaches. One is data erasure, and the other is physical destruction.
Data erasure involves using data wiping software to overwrite data repeatedly until no pathways to that data remain. Another option is degaussing, which uses powerful magnets to disrupt the magnetic fields that store the data so that it cannot be restored. Degaussing is only effective on magnetic media, such as older, magnetic-platter hard drives and magnetic tapes like cassettes. New SSD drives do not use magnetic fields for storage, so degaussing isn't effective on them.
Physical destruction is better. If you take a sledgehammer and smash a hard drive into pieces, there’s no way to restore it. This is why one of the best ways to destroy hardware is by having it go to ERI where we have giant shredders that shred hardware to pieces as small as 2 millimeters.
Whether you’d prefer to have us come to you or you’re ready to ship unneeded or damaged hardware to us, we have eight secure facilities across the U.S. Plus, ERI offers a reporting and services management portal that allows you to access real-time information on where your items are in the ITAD process.