Regulations
Q&A and Regulations
What is End-of-Life Data Destruction?
Physical destruction is the preferred option for data destruction on magnetic media that will not be used any longer, even if the device is faulty. There are two methods: crushing and shredding. The PL Crusher uses powerful force applied to the drive chassis to buckle and/or pierce it. The internal platters and read/write heads are damaged beyond reasonable recovery methods, making the drive inoperable. Shredders use large cutting heads that rip drives to shreds as they enter the cutting machine.
Typically, Crushers are used in lower volume applications of less than a few hundred per day. Shredders are larger automated machines that can be operated continuously over a long period of time, making them ideal for very high volume destruction.
For most magnetic media, a crusher used on its own is acceptable. However, for highly classified information, or for extreme security requirements, storage devices may be subject to a two-step approach by also degaussing or shredding in addition to crushing.
Pure Leverage Hard Drive Crusher Compliance
By crushing the case and bending the platters in hard drives, the PL Crusher operation fits the Regulations definition of Destruction…
Many Standards and Regulations refer to “destruction”. Crushing fits the description of destruction. Circuit boards are cracked and wires are broken, disks are bent. As you know, there is no way that a HD platter could ever be flattened to the point that heads could fly over the surface and read the data. In addition, the recording surface micro-flakes on the bends, and surface areas get scratched.
PLC has sold many crushers to health organizations under HIPAA regulations, banking organizations subject to GLBA, and organizations that are certified by National Association of Information Destruction (NAID). You do not need to wipe the drives first. They are destroyed and no data is recoverable by any conventional means. It is by practical means that any reasonable judgement would deem them destroyed and unrecoverable.
Regulation Notes
NIST: Abstract 800-88… Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. In addition, the bulletin refers to these definitions for acceptable destruction:
Bend: The use of a mechanical process to physically transform the storage media to alter its shape and make reading the media difficult or infeasible using state of the art laboratory techniques.
Destroy: A method of sanitation that renders target data recovery (using state-of-the-art laboratory techniques) infeasible and results in the subsequent inability to use the media for storage of data.
Disintegration: A physically Destructive method of sanitizing media; the act of separating into component parts.
Deduction: Crushing the circuit board and disk(s) fits the description of “destroy”. We sell our crushers to many government and health organizations which are subject to the strict guidelines of HIPAA.
HIPAA Disposal Requirements
The HIPAA Privacy Rule requires organizations to follow certain guidelines when disposing of computer hard drives containing ePHI (electronic Personal Health Information). In general, healthcare providers and covered entities must implement “reasonable” safeguards to the limit the exposure of ePHI all the way through destruction.
Electronic media that contains ePHI should be rendered “unusable and/or inaccessible”. One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”.
NSA: Meeting Recommendations
PLC has submitted our Crusher to be on the list of approved crushers on the NSA list. Though we fit the NSA requirements and definition for destruction, they have left us off the list for now only because we do not ship the crusher with a shroud. We understand they must be extra cautious on what is on their list, but we are happy we fit the requirements for destruction, and are pondering a shroud, though it is not needed. It is effective in device destruction.
The Gramm-Leach-Bliley (GLB) Act for Financial Institutions
Many financial institutions collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information.
As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information, and to train employees to take basic steps to maintain the security, confidentiality and integrity of customer information.
Here are some suggestions on how to maintain security throughout the life cycle of customer information that is, from data entry to data disposal: Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up; Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information; effectively destroy the hardware; and promptly dispose of outdated customer information.
ARGUMENTS FOR DESTRUCTION (Expound on these points in your next Security meeting!)
You may have several reasons for keeping a stockpile of old hard drives and backup tapes. Maybe procrastination has gotten the better of you. Perhaps you think you may need to access that expired data someday or you’re concerned about outsourcing the destruction of your media. Whatever your concerns, fear is no replacement for the facts, so here are five good reasons you should destroy your old data media.
1.Data Security
Old hard drives are a security liability. A single device can store hundreds of thousands of confidential data files, and electronic data can be compromised even when it’s out-of-date or the device it’s stored on is inoperable.
Deleting digital files from a device doesn’t completely obliterate the data. With the right tools and software, identity thieves and criminals bent on business fraud can still extract information from a hard drive. Physical destruction of your devices is the best way to lower your company’s data breach exposure.
2. Legal Compliance
Data breach consequences include fines and even criminal prosecution for failing to protect consumer information. Each of the following laws require organizations to safeguard personal, health and financial records from unauthorized access:
HIPAA
GLB
FACTA
Destroying your hard drives helps keep your business compliant with these privacy regulations.
3. Cost Savings
In addition to fines and other costs associated with a data breach, don’t overlook the cost of storing old backup media. Every square inch counts when you’re paying a premium for office space. Hoarding outdated computers and storage media means there’s less room for revenue-generating activities.
Some organizations may consider wiping data from the hard drives with special software, but paying for the employees to do that work, and setting up equipment to do so is expensive. The costs of wiping a hard drive (employee time, equipment and software), is actually more than the value of a new replacement device.
Incorporate regular hard drive destruction and recycling into your data security plan to maximize profitability.
4. Client Trust
You work hard to gain the trust of your customers and wouldn’t want to throw it away by compromising their data. Having your old hard drives securely destroyed helps ensure total information privacy for your customers and your business.
5. Brand and Reputation Protection
Besides creating a whirlwind of legal and financial problems for your business, stolen data can permanently damage your corporate brand and reputation. Some businesses never fully recover from a corporate data breach because of the punishing costs and destruction of the brand.
Media destruction keeps your information safe so consumers continue buy products and services from a company they know and respect. Don’t let excuses get in the way of protecting your information. Destroying your old hard drives makes too much sense.
