Confidently erase data in active environments and from used IT assets.
Boost services throughout the device lifecycle—from first sale to end-of-life.
Expedite processes, recover more marketable product, and increase services.
Home » Resources » New Government IT Disposal Procedures Improve Data Security
Following the loss of 18 hard drives destined for scrap, one local government revised its IT asset disposal procedures to protect against future data leaks. In doing so, they overcame several drawbacks to relying only on physical destruction methods to achieve data sanitization.
Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s communications and content manager, she supports the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.
Government agencies are constant targets of data breaches, including when storage devices reach the end of their useful life. But in some instances, a breach leads to much stronger data protection policies.
That’s the case in Japan, where one local government is leading the way in how it protects information on no-longer-needed data storage equipment. The government’s approach requires software-based data erasure whenever devices are to be retired, whether the devices are being returned to a lessor, reused internally or externally or slated for physical destruction.
Many government entities physically shred or mutilate used data storage drives and devices (such as PCs or laptops) to keep data from being accessed by unauthorized users. Depending on the device type and degree of physical destruction, this can be effective. But there are several potential areas of concern along the way, all of which put government data at risk of being leaked to unauthorized parties.
Organizations often attempt to eliminate data from their end-of-life hardware before sending it to an IT asset disposition (ITAD) provider or recycler for physical destruction. Unfortunately, our research shows that over a third of all organizations use inappropriate methods such as formatting, overwriting with free tools or other ineffective data removal methods.
This often means data remains on the devices without the government agency knowing. This data can be easily recovered with forensic tools after it leaves the agency’s protected environment.
While there are highly reputable vendors that provide drive and device destruction services, the physical destruction process has vulnerabilities. Equipment must be accounted for at every step, starting with an organization’s precise inventory of the units to be destroyed. After that, the vendor must provide careful oversight during transport, 24/7 secure storage and destruction confirmation for every data storage device.
That can be harder than it seems:
Physical destruction can leave confidential data intact.
Physical destruction methods must match the drive type to ensure that data is irrecoverable. Some methods that may work for hard disk drives (HDDs) with magnetic platters could be completely inadequate for flash-based solid-state drives (SSDs).
To overcome this, organizations must either sort devices and apply different destruction methods to each type of device or use specialized equipment for more aggressive methods—such as shredding devices to no larger than 2 mm—on all IT assets. Otherwise, a larger shred size can leave whole SSD chips intact or, in the case of degaussing, completely unaffected.
In a decisive response to the loss of 18 hard drives intended for physical destruction, the Kanagawa Prefectural Government revisited its IT asset disposal procedures to overcome these challenges. In its “Measures to Prevent Information Leakage from IT Equipment Used to Store Prefectural Information (Japanese, PDF),” the prefecture included several important measures to protect its used storage assets:
In each case, neither free software nor non-certified products are an option. Instead, the data erasure software used must be tested and certified either internally or externally by a professional, third-party company.
Furthermore, effective software-based data erasure must:
By incorporating quality, software-based data erasure firmly into its disposal policies and keeping the processes onsite, the Kanagawa Prefectural Government prevents data from being recovered from retired devices whether they are used again or are destroyed. This adds a secure layer of data protection on behalf of its citizens: Even if a device is somehow misplaced or stolen, all data has already been removed.
In addition, by requiring government oversight at each step, the prefecture has virtually eliminated chain of custody issues that may lead to assets being lost or stolen. The prefecture also uses data erasure software that integrates with their internal IT asset management system. This enables the prefecture to easily track every device along the erasure process. The software automatically generates an audit-ready report, which is protected by a digital signature and provides a tamper-proof audit trail—something that’s just not fully possible in some areas with physical destruction.
Finally, because data erasure eliminates access to previously stored data without destroying the device, they now have the option of confidently reusing devices without accidentally sharing sensitive information.
In each of these areas, the prefecture has adopted a high standard for protecting citizen data.
Blancco offers highly secure and efficient software-based data erasure for government drives, PCs, servers, mobile devices and more. Our solutions comply with 25+ global industry data erasure standards and have been tested, certified, approved and recommended by 15+ governing bodies and leading organizations around the world. For end-to-end oversight of the erasure process, government agencies can also connect existing asset management solutions through our API integration for streamlined, tamper-proof reporting and equipment tracking.
All of this empowers public-sector organizations to ensure complete data protection.
Find out how we can help your government organization secure the data on end-of-life devices before reusing or physically destroying them. Request your free enterprise data erasure trial today.