It’s Time to Get Serious About Data Sanitization

Jul 13, 2017 Blog Article

While many data privacy and protection guidelines and regulations address data sanitization in some form, none of them address it at a comprehensive level, and many send mixed messages by using varying terminology. To clear confusion throughout the data sanitization industry, streamlined terminology must be presented by an unbiased group of data sanitization hardware and software vendors, analysts, educators, ITADs and enterprises.

Richard Stiennon - Blancco Contributor

Security executive Richard Stiennon has previously held roles such as Chief Strategy Officer of Blancco Technology Group from 2016 to 2017 and Vice President of Research at Gartner Inc. from 2000 to 2004. Currently, Richard is a cyber security lecturer at Charles Sturt University in Australia and a strategic advisory member of the International Data Sanitization Consortium. His book, There Will Be Cyberwar, was named a Washington Post bestseller in April 2016. Richard is regularly featured in news publications such as Forbes, Dark Reading, Infosecurity Magazine, Network World and BetaNews, where he comments on data governance, data management, and cyber security.

Data Protection and Privacy Regulations

It’s a well-known fact that the United States is lacking an overall data privacy regulation like the EU’s upcoming General Data Protection Regulation, the German Standard Data Protection Model or the Saudi Arabian Monetary Authority (SAMA)’s Cyber Security Framework. But even with the wealth of data privacy and protection regulation in other countries, there’s a key aspect that continues to be glossed over, hazily referenced or simply ignored altogether: data sanitization.

What is Data Sanitization?

Data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data. The data can never be recovered—even with the aid of forensic tools. There are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.

While many data privacy and protection guidelines and regulations address data sanitization in some form, none of them address it at a comprehensive level, and many send mixed messages by using varying terminology. There is currently no set of defined data sanitization terminology upon which everyone in the industry agrees.

What Do Existing Regulations & Guidelines Say on the Topic?

Here are a few excerpts from various texts to show how data sanitization has been talked about in the past and currently.

  1. EU GDPR: Article 1, Section 17

Right to erasure (‘right to be forgotten’)

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay….”

Article 39

“…Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.”

  2. Saudi Arabian Monetary Authority (SAMA)

“Information assets should be disposed in accordance with legal and regulatory requirements, when no longer required (i.e. meeting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage).”

“Sensitive information should be destroyed using techniques to make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding).”

  3. PCI DSS, Article 3.1

“Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:

A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention…”

  4. ISO 27001

A.11.2.7 Secure disposal or reuse of equipment

Control

“All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”

  5. R2 Standard

Tested for Key Functions, R2/Ready for Resale

“Data Destruction General Principle – An R2:2013 electronics recycler shall be responsible for data destruction of all media it handles using generally-accepted data destruction procedures.”

  6. Gramm-Leach-Bliley Act (GLBA)

Article 682.3

“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In this instance, “disposal” refers to the “discarding or abandonment of consumer information” or “The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.”

  7. NIST

Even the commonly-cited NIST 800-88 Guidelines for Media Sanitization provide confusing data sanitization terminology, using terms like “clear,” “destroy” and “purge” in different ways than other such documents do. However, these guidelines do define “sanitization” in the following way: “Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort.”

These are just a few examples of the many times data sanitization is referred to in data privacy and data sanitization regulations and guidelines. As you can see, different terminology is used throughout each document.

Moving Forward

To clear confusion throughout the data sanitization industry, streamlined terminology must be presented by an unbiased group of data sanitization hardware and software vendors, analysts, educators, ITADs and enterprises. Then, a data sanitization best practices matrix must be created to provide all industries with guidance on how to best protect data throughout its lifecycle.

Stay tuned for an announcement in the coming weeks on how Blancco and our partners plan to make this goal a reality.