Inside TDV - The Data Vault Blog
Is the data really deleted?
You’ve overwritten or ‘wiped’ the old data on that hard drive, so it is safe to use. Or is it? Is the old data really gone?
Glyn Dodd, managing director at Centrex Services in the U.K., isn’t so sure.
In a recent post, he considers those disks to be security issues that consistently fall through the cracks, because as he puts it, “Data – and the hard drives that store it – are more resilient than you think.”
A software wipe, Dodd says, does not erase old data so much as cover it up with code. He cites a study by Kroll Ontrack that found that 60 percent of hard drives processed by data removal specialists still contained data from the previous owner when they reached the second-hand market. Kroll Ontrack, Dodd says, was even able to recover data from a cracked and singed hard drive that fell to Earth from the Space Shuttle Columbia.
Think about that for a moment.
So, if you think your data is gone forever when you wipe that old hard drive and send it for recycling, you’ve only got about a 40 percent chance of being right about that. And if you’re a business whose disks include important or even federally regulated data, you could be looking at fines, lawsuits or worse.
What’s the sure-fire solution? Buy a new hard disk and have that old one securely destroyed. And we’re not talking about drilling holes in it, smashing it with a hammer or dropping it from a space shuttle, either. Even when a hard drive is shattered, Dodd says, a piece of it the size of a fingernail can still hold more than 100Gb of readable info. Hackers won’t have any problem getting to that data.
One solution is degaussing, Dodd says, which is the process of eliminating a magnetic field. But we recommend a more permanent physical solution which involves completely shredding the media in question and then responsibly recycling it – NOT sending it into the second-hand market. We’re talking about hard drive confetti.
But it doesn’t end there: Find a records management company with a media destruction solution that meets: NIST standards; DoD regulations; HIPAA; Sarbanes-Oxley Act; Gramm-Leach-Bliley Act; FACTA Disposal Rule; Bank Secrecy Act; Patriot Act of 2002; Identity Theft and Assumption Deterrence Act; US Safe Harbor Provisions; PCI Data Security Standard; and applicable state laws. Also, choose a provider that offers a nationally recognized Certificate of Destruction that will suffice for all compliance purposes.
Then, and only then, will you be able to sleep the sleep of the truly secure.