Data destruction is a requirement, not an option. Schools, retailers, banks, government agencies, medical practices, and many other organizations hold information that could cause financial or personal harm if stolen, and careless handling of it damages your reputation as well.
How you handle old, broken, or unused computers, printers, phones, scanners, and similar equipment takes careful consideration. Strict laws often apply, and failure to follow them can lead to significant fines, legal fees, and damage to your organization’s reputation. All data on retired equipment must be destroyed properly.
Why Data Destruction Is a Requirement
Per IBM’s Cost of a Data Breach Report, the average cost of a data breach reached $4.9 million, a 10% increase over the prior year. The data doesn’t have to sit in one place, either: breaches involving public clouds cost an average of $5.17 million.
No matter where your organization keeps personally identifiable information (PII) or sensitive personally identifiable information (SPII), data security is essential. That means you can’t shortcut data destruction.
Many sectors have regulations in place requiring data destruction to follow specific guidelines. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 Revision 1, “Guidelines for Media Sanitization,” is widely recognized as the reference standard for secure data destruction in the United States. NIST 800-88 defines three levels of sanitization, distinguished by the kind of recovery attempt each defends against and by whether the media can be reused afterward:
- Clear – Logical techniques, such as overwriting with a fixed pattern or a factory reset, that protect against simple, non-invasive recovery using the device’s own read commands (ordinary data-recovery software). The media stays usable.
- Purge – Techniques such as degaussing (magnetic media only), cryptographic erase, or a firmware-level block erase that make recovery infeasible even with state-of-the-art laboratory methods. The media may or may not be reusable; degaussing a hard drive, for example, also wipes its servo tracks and leaves it inoperable.
- Destroy – Physical destruction (shredding, disintegrating, pulverizing, incinerating, or melting) that makes recovery infeasible and leaves the media unusable.
Whichever level you choose, NIST 800-88 also expects you to verify the result and document it.
While NIST 800-88 is sufficient for many organizations, several other rules apply to companies in certain industries.
- General Data Protection Regulation (GDPR):
European Union regulation that governs the personal data of individuals in the EU and gives them rights over how it is collected, stored, and erased (including the “right to be forgotten”). Organizations must process data securely and take precautions to reduce the risk of breaches. Fines run up to €10 million or 2% of worldwide annual turnover, whichever is higher, for the lower tier of violations, and up to €20 million or 4% for the most serious ones.
- Health Insurance Portability and Accountability Act (HIPAA):
HIPAA protects patients’ medical data from being shared without their consent. Its rules set standards for how protected health information (PHI) is handled, stored, and transmitted, and the Security Rule explicitly covers the disposal of devices and media that hold electronic PHI. Civil penalties are tiered by level of culpability, with an annual cap per identical provision originally set at $1.5 million and adjusted upward for inflation since.
- Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS is a set of requirements that any company storing, processing, or transmitting cardholder data must meet to protect that data. Controls that guard against vulnerabilities must be monitored and tested regularly, and the standard requires that cardholder data be rendered unrecoverable once it is no longer needed and that media holding it be destroyed when retired.
PCI DSS has different validation levels. Level 1 is the most rigorous and applies to merchants handling more than 6 million card transactions a year. Compliance is a contractual condition of accepting cards, enforced by the card brands and acquiring banks.
Card brands can fine acquiring banks for non-compliant merchants, and those fines are typically passed through to the merchant. Commonly cited figures run as high as $100,000 per month for each month of violation, with a minimum of $5,000 per month for the first three months.
Deleting Files and Restoring to Factory Settings Isn’t Enough
Despite what you may have been told, deleting files doesn’t remove data from a device, and restoring a device to its factory settings isn’t good enough either.
When you delete a file, the operating system removes the directory entry that links the file’s name to its location on the media; the blocks that hold the data stay where they are until something else happens to overwrite them, and data-recovery or forensic tools read them back directly. Many factory resets work the same way at the device level, or reset only the user profile and settings. NIST 800-88 counts both as Clear at best. The one important exception is a device that encrypted its storage from day one and, on reset, destroys the encryption key (what 800-88 calls cryptographic erase, a Purge technique), but you only get that assurance when the vendor documents it and the drive was encrypted before any sensitive data landed on it. Absent that, treat deletion and resets as if the data were still there, because it is.
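To make that concrete, here is an added example (my own illustration, not code from the article or from ERI) using a toy in-memory “disk image” with a one-block directory and contiguous file blocks. A delete only drops the directory entry, so a signature carve still finds every record; a NIST-style Clear overwrite removes them, and a read-back verification confirms every block holds the pattern. The filesystem layout, the `ToyDisk` class, and the patient-style record are all constructed for the demonstration.

```python
"""Added example, not from the original article: a toy 32 KiB disk image held
in memory, showing why a normal delete leaves file contents on the media, how
a forensic carve finds them anyway, and how an NIST SP 800-88 'Clear'
overwrite followed by read-back verification removes them.
Everything here is constructed for illustration; no real device is touched."""
from __future__ import annotations

import struct

BLOCK = 512                      # sector size of the toy image
N_BLOCKS = 64                    # 64 * 512 bytes = 32 KiB image
ENTRY = struct.Struct("<16sII")  # directory entry: name, start block, byte length


class ToyDisk:
    """Block 0 is the directory; files occupy contiguous blocks from block 1."""

    def __init__(self) -> None:
        self.image = bytearray(BLOCK * N_BLOCKS)
        self.entries: dict[str, tuple[int, int]] = {}
        self.next_free = 1

    def _flush_dir(self) -> None:
        blk = bytearray(BLOCK)
        for i, (name, (start, length)) in enumerate(self.entries.items()):
            ENTRY.pack_into(blk, i * ENTRY.size, name.encode()[:16], start, length)
        self.image[0:BLOCK] = blk

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)           # ceiling division
        if self.next_free + nblocks > N_BLOCKS:
            raise ValueError("toy disk full")
        off = self.next_free * BLOCK
        self.image[off:off + len(data)] = data
        self.entries[name] = (self.next_free, len(data))
        self.next_free += nblocks
        self._flush_dir()

    def read_file(self, name: str) -> bytes:
        start, length = self.entries[name]
        return bytes(self.image[start * BLOCK:start * BLOCK + length])

    def delete_file(self, name: str) -> None:
        """What 'delete' does on most filesystems: drop the directory entry and
        leave the data blocks exactly as they were."""
        del self.entries[name]
        self._flush_dir()

    def clear(self, pattern: bytes = b"\x00") -> None:
        """NIST 800-88 'Clear' for this medium: overwrite every addressable
        block, directory included, with a fixed single-byte pattern."""
        if len(pattern) != 1:
            raise ValueError("use a single-byte pattern")
        self.image[:] = pattern * (BLOCK * N_BLOCKS)
        self.entries = {}
        self.next_free = 1


def carve(image: bytes, signature: bytes) -> list[int]:
    """Forensic-style carve: every offset where a known signature occurs,
    ignoring the directory entirely (this is what recovery tools do)."""
    hits: list[int] = []
    pos = image.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = image.find(signature, pos + 1)
    return hits


def verify_clear(image: bytes, pattern: bytes = b"\x00",
                 sample_every: int = 1) -> list[int]:
    """Read-back verification after sanitization: return the block numbers
    that do not hold the pattern. sample_every=1 reads every block (full
    verification); larger values read a representative sample, which 800-88
    accepts for overwrite verification when a full read-back is impractical."""
    expected = pattern * BLOCK
    return [b for b in range(0, N_BLOCKS, sample_every)
            if image[b * BLOCK:(b + 1) * BLOCK] != expected]


def demo() -> tuple[int, int, list[int]]:
    disk = ToyDisk()
    # Constructed sample record; not real patient data.
    record = b"PATIENT:Jane Doe;MRN:000123;DX:hypertension\n" * 20
    disk.write_file("patients.txt", record)
    disk.delete_file("patients.txt")               # the 'delete' most people trust
    recoverable = len(carve(bytes(disk.image), b"MRN:000123"))
    disk.clear()                                   # single-pass overwrite
    remaining = len(carve(bytes(disk.image), b"MRN:000123"))
    return recoverable, remaining, verify_clear(bytes(disk.image))


if __name__ == "__main__":
    before, after, bad_blocks = demo()
    print(f"records carvable after delete: {before}")     # 20
    print(f"records carvable after Clear:  {after}")      # 0
    print(f"blocks failing verification:   {bad_blocks}")  # []
```

The same carve-then-verify sequence is what you would run against a real drive image (for example one taken with `dd`) before and after a sanitization job; on a real SSD, remember that the controller may hold copies in blocks you cannot address, which is why 800-88 steers flash media toward cryptographic erase, block erase, or shredding rather than overwriting alone.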
You have two mainstream physical options for making data unrecoverable: shredding and degaussing. (NIST also recognizes logical Purge methods such as cryptographic erase and verified overwriting, which matter when you intend to resell equipment.) How can you tell which is best for your organization’s needs?
1. Shredding: Shredding is a form of physical destruction for paper, hard drives, and other storage devices. It’s like a gigantic paper shredder: the blades cut the device into many small fragments in very little time. For flash-based media the fragment size matters, because a single intact memory chip can still be read in a lab, so the particles must be smaller than the chip packages. Shredding works on:
- CDs
- Cell phones
- DVDs
- Flash drives
- Hard drives (HDDs)
- Laptops
- Memory cards
- SSDs
- Tablets
- USB drives
The National Security Agency (NSA), whose media sanitization policy governs classified data, sets a 2 millimeter particle-size target for disintegrated solid-state and optical media, and many ITAD providers apply the same target to highly sensitive commercial data, such as bank mortgage records or hospital patient databases.
Shredding does create e-waste. A device that has been through shredding blades cannot be refurbished, so if you want to recapture resale value to help offset the cost of ITAD services, shredding is the wrong first step.
You end up with glass, metal, and plastic pieces that must be recycled correctly, which often means melting plastics and metals down for reuse and does create fumes. Small shards that end up in a landfill take centuries to degrade, so recycling is essential.
2. Degaussing: This form of data destruction works only on magnetic storage media, such as:
- Hard disk drives (HDDs)
- Floppy disks
- Magnetic tapes
- VHS tapes
A degausser applies a magnetic field stronger than the media’s coercivity, scrambling the magnetic patterns that encode the data and leaving them unreadable. Modern high-capacity drives have high coercivity, so the degausser must be rated for the media it is used on (the NSA/CSS Evaluated Products List is the usual reference); an underpowered unit can leave data recoverable. Degaussing does nothing to SSDs, flash drives, or phones, which store data electrically rather than magnetically.
Because the device isn’t physically broken apart, there’s no debris to dispose of and none of the fumes that come from incinerating or melting down shredded material. Don’t expect to resell a degaussed hard drive, though: the same field that destroys the data also wipes the drive’s factory-written servo tracks, so it will never operate again. If resale value matters, a verified overwrite or cryptographic erase is the route to take; degaussing is for media you are retiring.
E-waste in 2025: Finding the Best Data Destruction Method
How do you know which is best? If you still have magnetic media in your office or storeroom, degaussing is a useful first step, but because a degaussed drive looks identical to an intact one, most providers will still shred it afterward so they can issue a certificate that provides proof of destruction.
Most organizations now retire mostly solid-state devices, which can’t be degaussed and so need shredding (or, if reuse is the goal, a cryptographic erase or block erase), but you may still have older magnetic media in storage units or supply rooms. It’s time to destroy that data and meet your legal obligations.
Know the data destruction standards for your industry. If you’re a medical office subject to HIPAA, make sure you sanitize everything that stores data, including EKG machines, tablets, multifunction printers and copiers (which usually carry an internal hard drive), and pagers.
When you no longer need an electronic device that stores data, it’s important to get a Certificate of Destruction (COD). This document is your proof that PII or SPII was properly destroyed. It’s what can keep you from being fined in cases where you did everything correctly, but a data destruction provider failed to follow the proper protocol.
A COD includes the following information:
- What sanitization method was used (Clear, Purge, or Destroy, and the specific technique and tool)
- What verification steps were followed
- Who completed the process (name, signature, and the provider)
- When the process was completed, and who had custody of the equipment in between
- What was destroyed, identified by make, model, and serial number so each asset can be reconciled against your inventory
Increased Threats Require Expert Data Destruction
We’re only halfway through 2025, and already the amount of data that’s been compromised is alarming.
- Apple and Google credentials – An unsecured database holding more than 184 million usernames and passwords, including logins for Apple and Google accounts, was found exposed online.
- Episource LLC – Over 5.4 million records from this healthcare tech company were stolen.
- Oracle Cloud SSO/LDAP – Over 6 million records were stolen.
- Yale New Haven Health System – Medical information impacting 5.5 million patients was breached.
When you keep records you no longer need, the amount you stand to lose in a breach grows with them. Follow the laws governing how long you must retain PII or SPII, and when you do need to dispose of data, do it correctly. Deleting files isn’t enough.
For comprehensive data security, a certified ITAD provider is essential. Degaussing works in some situations, but not for everything. With a professional’s help, data is destroyed properly in line with the applicable laws.
ERI Holds Multiple Certifications and a Wealth of Expertise
ERI can come to your office for on-site destruction if that makes you feel safer, or one of our secure shippers can bring your organization’s electronics to our facility for secure processing. Either way, you receive a certificate proving you followed the required regulations, with no worries about fines or damage to your company’s reputation.
Ask us about data destruction and electronics recycling. ERI helps you destroy data properly and ensures that the remaining metal, plastic, and glass are recycled correctly. We also hold every certification you should expect your ITAD provider to hold. We’ve accomplished many “firsts” to ensure that we have the expertise and measures in place to protect people’s data.