How to address Data Security Regulations and Policies

Erasure or Destruction of Sensitive Electronic Data

Erasing or destroying sensitive electronically recorded information on obsolete and excess IT assets can prevent data loss, expensive investigations, embarrassment, and other problematic events. Communications with other agencies, corporations, and contractors may also pose security risks. Check whether the agency you are with has a policy on suitable data erasure or destruction of media. If there is a policy, it is worth following its guidelines. If no policy exists, feel welcome to discuss your needs with PLANITROI. Since 1991, we have been helping the public sector and corporations eradicate data from all types of media in compliance with the DOD 5220.22-M standard. PLANITROI recommends that both the private and public sectors use only Department of Defense standards or total destruction.

Department of Defense Standard DOD 5220.22-M refers to the National Industrial Security Program Operating Manual (NISPOM), which the DOD, Department of Energy, Nuclear Regulatory Commission, and Central Intelligence Agency must use. "DOD 5220.22-M" is the civilian term for the terms and policies found in NISPOM. It prescribes the methods and standards by which classified data must be secured. For digital media, it requires that storage contain no residual data from the previously contained object before it is assigned, allocated, or reallocated to another user. Specifically, the DOD 5220.22-M standard requires overwriting with a pattern, then with its complement, and finally with another pattern: for example, overwriting first with 0011 0101, then with its complement 1100 1010, then with 1001 0111. This standard requires a minimum of three overwrites. Some of PLANITROI's clients have asked for as many as seven overwrites.

Regulations Aimed at Data Privacy and Protection:

  • The Health Insurance Portability & Accountability Act (HIPAA)
  • The Gramm-Leach-Bliley Act
  • The Electronic Communications Privacy Act
  • The Computer Matching and Privacy Protection Act of 1988
  • The Computer Security Act of 1987
  • The Privacy Act of 1974

Heightened awareness of security issues has awakened both public agencies and corporations to the need to erase all data from PC hard drives before disposal. With that comes the need to document the method of erasure (sometimes called cleansing).

Disposing of computers without ensuring proper file deletion presents huge business risks as well as the danger of non-compliance with federal laws including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

The most common erasure technique involves simply "deleting" the data, which actually does not erase anything. This "clearing" process only tells the computer to forget where the data is; the data itself stays on the disk. Security professionals and hackers can recover it with tools that are not hard to obtain.

"Sanitization" is the process of overwriting hard drives so that the data is harder to recover. The more thoroughly the process is carried out, the closer it comes to making any recovery at all impossible. PLANITROI offers various levels of secure data erasure, including the highest levels that meet the requirements of the Department of Defense.
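The pattern / complement / pattern sequence described above, with a read-back verification after every pass and a final check that the original record is no longer readable, as an added example that is not PLANITROI's tooling. The constants, the helper names and the constructed sample file are this example's assumptions; the three byte values are the ones quoted above.

```python
import os
import tempfile
# Page's three-pass sequence (0x35, its complement 0xCA, 0x97); helpers here are this example's assumptions.
PASSES = (0b00110101, 0b11001010, 0b10010111)
CHUNK = 1 << 16

def is_valid_sequence(passes):
    # Page's rule: pass 2 is the complement of pass 1, pass 3 differs from both.
    p1, p2, p3 = passes
    return p2 == (~p1 & 0xFF) and p3 not in (p1, p2)

def overwrite_and_verify(fd, size, byte):
    # Write one fixed byte over the whole file, flush, then read it all back;
    # the read-back is the audit evidence that the pass actually landed.
    block = bytes([byte]) * CHUNK
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, block[:min(CHUNK, remaining)])
    os.fsync(fd)
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk or chunk != block[:len(chunk)]:
            return False
        remaining -= len(chunk)
    return True

def sanitize_file(path, passes=PASSES):
    # Returns [(pattern, verified), ...], the per-pass record for the erasure log.
    if not is_valid_sequence(passes):
        raise ValueError("sequence is not pattern / complement / other pattern")
    size, results = os.path.getsize(path), []
    fd = os.open(path, os.O_RDWR)
    try:
        for byte in passes:
            results.append((byte, overwrite_and_verify(fd, size, byte)))
    finally:
        os.close(fd)
    return results

def demo():
    # Constructed sample: fake records in a temp file, sanitized, then checked
    # for any residual copy of the original data.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SSN=123-45-6789;" * 5000)
    os.close(fd)
    results = sanitize_file(path)
    with open(path, "rb") as f:
        residual = b"123-45-6789" in f.read()
    os.remove(path)
    return results, residual
```

Overwriting in place only reaches blocks the drive rewrites in place; flash media with wear levelling may keep copies in remapped blocks that no file-level read-back can see, which is one reason physical destruction remains on the menu below.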

The following table describes the secure data erasure options offered by PLANITROI:

Data Security option               Description
DOD 5220.22-M compliant erasure    As described above, 1's and 0's are written across every track and sector seven times for Department of Defense compliance. A unique serial code is written to the boot block for subsequent auditing.
Destruction                        Hard drives are physically removed from the unit and destroyed.
