6.26.23 > Rebecca Duvick

I regularly get asked whether the data on equipment we receive as part of our electronics recycling program is truly gone after it’s wiped. The answer, based on the processes we use, is yes! Electronics recycling is an important but often overlooked aspect of cyber security. With cyber risk around every corner, it’s important to know what to look for and ask of your provider.

NIST, the National Institute of Standards and Technology, is a government agency that provides guidance on cyber security topics, and it has developed standards on erasing data from devices (also known as media sanitization). NIST 800-88 provides a framework for media sanitization practices, including a detailed chart by media type outlining the recommended practices.

DoD 5220.22-M is a government standard often referenced by providers; however, it is specific to magnetic media (HDD) and not as comprehensive as NIST 800-88.

In addition, selecting a provider that holds a certification of compliance with NIST 800-88, such as NAID AAA offered by the National Association for Information Destruction, provides assurance that the provider’s processes and procedures will ensure the data is “truly gone.”

While we are on the topic of what to look for in a provider, you will also want to get a copy of their COI (Certificate of Insurance) and confirm they have Cyber Security Liability coverage – something that is becoming more difficult for providers to obtain with the increase in cyber risks.

Trust but verify

It’s important to do your due diligence when selecting a provider. In a study conducted by Blancco and Ontrack titled “Privacy for Sale,” 159 used drives were purchased randomly on eBay. Each seller stated proper media sanitization methods had been used. Analysis of the drives found that 66 contained data, 25 of which had PII (personally identifiable information): an opportunity for cyber criminals to capitalize on what was left behind. This could have been caused by a vendor reformatting the drives rather than wiping them. When a drive is reformatted, the index is removed; however, the underlying data files remain until further use of the drive naturally overwrites them. A good analogy would be a book: formatting is like removing the table of contents without removing the actual chapters. In wiping a drive, the entire drive is overwritten, eliminating the underlying files as well.
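The difference between reformatting and wiping, shown on a constructed in-memory “drive” (an added example, not part of the original article; the sector layout, function names and sample record are assumptions made for illustration). `residual_sectors` is the verification check: it lists every sector that does not match the overwrite pattern, here assumed to be a single pass of zeros.

```python
import io

SECTOR = 512  # bytes per sector (assumed logical sector size)

def build_image(sectors=64):
    """Constructed toy drive: sector 0 is the index, sectors 1-8 hold a file."""
    img = bytearray(sectors * SECTOR)
    img[0:SECTOR] = b"INDEX:customers.csv@1-8".ljust(SECTOR, b"\x00")
    record = b"name=Jane Example;email=jane@example.com\n"  # constructed sample data
    filler = (record * (SECTOR // len(record) + 1))[:SECTOR]
    for s in range(1, 9):
        img[s * SECTOR:(s + 1) * SECTOR] = filler
    return img

def reformat(img):
    """Reformat as described above: only the index is reset, file data stays."""
    img[0:SECTOR] = bytes(SECTOR)

def wipe(img):
    """Wipe: every sector is overwritten with zeros."""
    img[:] = bytes(len(img))

def residual_sectors(stream, pattern=0x00):
    """Return the numbers of all sectors not fully equal to the overwrite pattern."""
    expected = bytes([pattern]) * SECTOR
    dirty, index = [], 0
    while True:
        chunk = stream.read(SECTOR)
        if not chunk:
            break
        if chunk != expected[:len(chunk)]:
            dirty.append(index)
        index += 1
    return dirty

def demo():
    """Run both procedures on identical images and verify each result."""
    formatted = build_image()
    reformat(formatted)
    wiped = build_image()
    wipe(wiped)
    return (residual_sectors(io.BytesIO(formatted)),
            residual_sectors(io.BytesIO(wiped)))

if __name__ == "__main__":
    after_format, after_wipe = demo()
    print("sectors still holding data after reformat:", after_format)
    print("sectors still holding data after wipe:", after_wipe)
```

The same function accepts any binary stream, so it can be pointed at a disk image opened with `open(path, "rb")` to check a wipe before a drive leaves your hands.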

We recently encountered this issue in my organization as well. We frequently purchase used hard drives to enable us to provide refurbished computers to low-income families, and we recently found data in purchased drives. To ensure the equipment we provide does not contain data, we now wipe all purchased drives as a precaution to ensure we are not inadvertently passing on data.

Ensuring your data is removed from equipment you dispose of may seem overwhelming.  The good news is that there are defined processes that will assure your data is securely and completely removed.

 

REBECCA DUVICK, BUSINESS DEVELOPMENT MANAGER, PCS FOR PEOPLE

Rebecca is the Business Development manager for PCs for People, a nonprofit which provides technology to low-income families.  In her role with PCs for People, Rebecca works with businesses interested in joining PCs for People’s certified and secure electronics recycling program.
