What is Data Destruction?

Data destruction has been defined in a variety of ways by technical publications and industry leaders. However, the term data destruction is often used interchangeably with data sanitization, and it can be difficult to determine which definition is correct.

Throw in phrases like physical destruction and data erasure, and the simple act of making sure your data is irrecoverable quickly becomes a matter of clarifying terms.

Data Destruction: A Definition

TechTarget defines data destruction as “the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.”

But to confirm that data is truly gone, and to comply with most data protection standards, you need more. This is where data sanitization and data erasure (a form of data sanitization) come in.

What Data Destruction is Not

Data Destruction is Not the Same as Data Sanitization

Unlike data sanitization, data destruction does not include verification. This means that the data destruction method used has not been proven to remove the targeted information—whether a single file or an entire drive—completely.

Here are two examples that show why this matters:

• When attempting to remove individual files, many data destruction methods simply remove the pointers to a given file, rather than the file itself. The data is still on the machine, though not easily available to the operating system or the apps that created it. In other cases, “file shredding” may overwrite the file, but it’s unclear whether the overwriting process has been successful.
• When attempting to remove all data on a device (in case you might want to reuse, resell or donate that device), even a full reformat can leave data behind. This information typically can be recovered through keyboard methods or the assistance of forensic tools.

How much of the data remains, and how easy it is to access it, depends on the media and data destruction methods used. In both cases, unverified data destruction makes your data vulnerable. The level of risk you take should depend on the value or confidentiality of your data, as well as the level of data protection your industry regulations require.

Data Destruction Is Not the Same as Physical Destruction

It’s also important to note that destroying data (data destruction), is not the same as destroying the media on which data is stored (physical destruction).

Physical destruction is the process of rendering a device completely unusable. Physical destruction can involve shredding hard drives, smartphones, printers, laptops and other storage media into tiny pieces by large mechanical shredders. It can also involve the process of rearranging the magnetic fields on hard disk drives (HDDs) using degaussers. There are other methods as well.

Physical destruction may indeed destroy much of the data. However, just because a device has been physically destroyed, that doesn’t guarantee that all data has been destroyed, too.

This is especially true when it comes to newer, flash-based technologies like solid-state drives (SSDs), where data is stored so densely that it can remain intact in shredded fragments (see “SSD Erasure: What Enterprises Need to Know” for more on this topic).

It also applies to hard disk drives (HDDs). With HDD degaussing, for example, proper procedures must be followed and the magnetic force of the degausser must be strong enough to handle the HDD you want to destroy (the National Security Administration lists approved degaussers for this reason). Otherwise, data may not be completely affected. Furthermore, if degaussing is applied to non-magnetic drives (SSDs), data is not affected at all.

These vulnerabilities mean that physical destruction alone is not enough to guarantee that data is irretrievable. The verification piece of any data destruction process cannot be ignored.

Going Beyond Data Destruction to Ensure Data is Gone Forever

So how do you make sure that data is completely removed from your IT assets? Your organization must go beyond data destruction and instead focus on data sanitization.

Data sanitization does more than data destruction; the data destruction process is confirmed using recognized verification methods and produces a certified, tamper-proof report. A device or file that has been sanitized has been proven to render the targeted data irrecoverable. For highly sensitive data, sanitization is critical to mitigate the risk of unauthorized data access. For highly regulated industries, data sanitization is often what’s required for data protection and data privacy compliance.

There are three methods to achieve data sanitization: physical destruction (with verification), cryptographic erasure and data erasure. Each of these methods is effective; the one(s) you choose should be based on the device you’re sanitizing, industry mandates, compliance with data protection regulations and your risk tolerance. Many organizations choose to utilize all three methods, either separately or in combination.

How to Move Forward

We invite you to learn more about data sanitization methods—starting with the IDSC’s full list of data sanitization terms—and determine which is the best fit for your business. Always remember, that to truly destroy data forever and render it unrecoverable, verification and certification is required to achieve data sanitization.

You may be interested in:

What is Common Criteria Certification, and Why Is It Important?

Understanding the financial risks of cybersecurity complacency

The New Jersey Privacy Act: What You Need to Know

The newly signed New Jersey Privacy Act impose new obligations on businesses when it comes to handling consumer data. Here is what you need to know to stay in compliance.

IBM® Launches Infrastructure Data Erasure—And These 5 Storage Network Benefits Come With It