Before getting rid of an old computer, you need to make sure that all the personal and sensitive data on the hard drive is irretrievable. If personal or sensitive data falls into the wrong hands, your business could incur staggering direct and indirect expenses. The average total cost of a data breach in 2015 was $3.8 million, according to the Ponemon Institute's report, "2015 Cost of Data Breach Study: Global Analysis".
A company does not even need to experience a data breach to incur expenses due to the improper disposal of data on hard drives. In 2014, Visionworks failed to secure the personal information of more than 72,000 Maryland residents after it misplaced two old unsecured servers. They might have been accidentally taken to landfills. Both servers contained encrypted credit card data. They also contained customers' names, addresses, birthdays, and purchase histories.
Even though there was no evidence that any of the data had been compromised, the Consumer Protection Division of Maryland's Office of the Attorney General sued Visionworks. The company agreed to pay Maryland $100,000. It also agreed to provide identity theft insurance and an additional year of credit monitoring to Maryland customers requesting these coverages. Visionworks had already offered all affected customers a year of free credit monitoring immediately after the incident.
How to Make Sure the Data on an Old Hard Drive Is Irretrievable
When getting rid of an old computer, you might be tempted to simply reformat the hard drive. However, formatting a hard drive does not destroy the files on the drive. It only destroys the information that the operating system uses to find those files. Anyone can easily retrieve the files using a data recovery tool.
There are several proper ways to make sure the data on a hard drive is irretrievable. Common methods include:
- Overwriting: You can use data destruction software to overwrite a hard drive's data with a pattern of meaningless characters. You may need to run the software multiple times to fully overwrite a drive's data.
- Degaussing: You can erase data using a magnetic field. There are different types of degaussers, so you need to make sure you pick the right one for the job. The National Security Agency/Central Security Service (NSA/CSS) discusses the different types of degaussers in its Degausser Evaluated Products List. This document also lists the degaussers that meet the NSA/CSS requirements for erasing magnetic storage devices containing classified or sensitive data.
- Crushing: You can use a hard drive crusher to pierce, bend, and mangle hard drives beyond physical repair. The data on the crushed hard drive is still intact, but it is difficult to retrieve.
- Shredding: Similar to paper shredders, hard drive shredders cut hard drives into randomly sized strips. The data is still intact, but it is even more difficult to retrieve than the data on crushed drives.
- Disintegrating: Disintegrators cut hard drives into smaller and smaller pieces until they are unrecognizable and not reconstructible. Disintegrating is usually done after shredding.
For even better protection, you can use more than one method. You might first degauss or overwrite the data. Afterward, you can crush, shred, or disintegrate the hard drive.
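To show why reformatting is not the same as overwriting, here is an added example (not code from the original article) that builds a toy disk image in memory, clears only its directory block the way a quick format does, recovers the file contents from the raw bytes the way a recovery tool would, and then overwrites the image and verifies that nothing remains. The image layout, the `BLOCK` and `IMAGE_SIZE` constants, and the sample customer record are constructed assumptions.

```python
import os

BLOCK = 512               # constructed: sector size of the toy image
IMAGE_SIZE = 64 * BLOCK   # constructed: a 32 KiB "drive" held in memory

def make_image(files):
    """Build a toy image: block 0 is the directory (name:offset:size entries),
    the remaining blocks hold file contents. All data is constructed."""
    img = bytearray(IMAGE_SIZE)
    entries, cursor = [], BLOCK
    for name, data in files.items():
        img[cursor:cursor + len(data)] = data
        entries.append(f"{name}:{cursor}:{len(data)}")
        cursor += -(-len(data) // BLOCK) * BLOCK   # advance to next free block
    img[0:BLOCK] = ";".join(entries).encode().ljust(BLOCK, b"\0")
    return img

def list_files(img):
    """What the OS sees: parse the directory block into name -> (offset, size)."""
    raw = bytes(img[0:BLOCK]).rstrip(b"\0")
    try:
        return {n: (int(o), int(s)) for n, o, s in
                (e.split(":") for e in raw.decode("ascii").split(";"))} if raw else {}
    except (UnicodeDecodeError, ValueError):
        return {}   # directory unreadable (e.g. after an overwrite): nothing to list

def quick_format(img):
    """Mimic a quick format: clear only the directory block; data blocks are untouched."""
    img[0:BLOCK] = bytes(BLOCK)

def carve(img, marker):
    """What a recovery tool does: scan the raw bytes for a known signature."""
    hits, i = [], img.find(marker)
    while i != -1:
        hits.append(i)
        i = img.find(marker, i + 1)
    return hits

def overwrite(img, passes=1, pattern=None):
    """Overwrite every byte `passes` times with random data or a fixed pattern."""
    for _ in range(passes):
        fill = os.urandom(len(img)) if pattern is None else (pattern * len(img))[:len(img)]
        img[:] = fill

def verify_wiped(img, markers):
    """Post-wipe check: no directory entries and no carvable remnants remain."""
    return not list_files(img) and all(not carve(img, m) for m in markers)
```

Run `verify_wiped` after every wipe rather than trusting the tool's exit status; a format passes the "directory is empty" half of the check but fails the carving half.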
Factors to Consider When Deciding on a Method
There are several factors to consider when deciding how to make sure the data on your old hard drives is irretrievable. Two important considerations are cost and how many hard drives you need to get rid of.
Data destruction software is cheap. Some programs are even free. However, using this software can be time-consuming because the program may need to run several passes to be effective. It is not uncommon for a single pass to take eight hours. So, if you have many drives to get rid of, this might not be the best option.
You can get the job done much quicker with a machine that degausses, crushes, shreds, or disintegrates hard drives. These machines, though, can be expensive. If you do not want to buy one, there are firms that offer hard drive destruction services. Some firms will transport a client's hard drives to their facilities, where the drives are destroyed. Other firms will destroy a client's hard drives at the client's site.
Another important consideration is whether your business falls under any industry or government regulations. Some laws call for the proper disposal of protected health information, such as names, addresses, social security numbers, and medical histories. Depending on the regulation, you may or may not be able to select who will dispose of the data — your employees or a hard drive destruction firm. If done in-house, the employees tasked with this job must receive training on the proper way to dispose of the data. Their supervisors must also receive this same training. If you hire a firm, you need to enter into a contract that requires the firm to safeguard the data during its disposal.
Other industry and government regulations may require you to properly dispose of data on old hard drives. Each regulation has its own requirements. Qualified IT professionals and lawyers can help you determine the best way to meet all applicable requirements.