Every few years, often on a schedule, businesses will replace their computer equipment. This usually happens when an equipment lease has come due, or the equipment is no longer suitable (age or performance), or it could happen because equipment has become more costly to maintain. Take steps to ensure you protect old data stored on old equipment before disposal.
In some circumstances, if you have a HaaS (Hardware as a Service) provider or Managed Services provider with provided hardware, they will perform a refresh under the conditions of your contract for you.
Individuals will also want to protect their old data when it’s time to replace their smartphone or laptop with a new model. While this article is focused on businesses, it applies equally to personal information stored on home computers.
Whether you are replacing the equipment yourself or have hired outside help to do so, here are a few things to consider to ensure that you protect old data that is stored on that equipment.
Question 1:
What happens with old equipment?
Many leasing companies will re-sell the old (but still usable) equipment to authorized refirbishers. These refirbishers will evaluate the equipment, fix any deficiencies and then sell that equipment to retailers. At that point the equipment is considered “refirbished” and ready for a new home.
When the equipment cannot be fixed, it is often sold to or disposed of by an electronics recycling company. This equipment is usually damaged, too old, or in a cosmetic condition that would render it’s repaired value less than the cost required to repair it.
If it’s your equipment, consider donating the equipment to a local charity. In return they will often issue a tax receipt. Organizations like the Food Bank, Boy Scouts or even a community league can benefit and they will often use it for education for their members or even in some cases it’ll replace their old operational equipment.
Some companies will give their staff the old equipment. It’s usually not cost effective for a company to prep and sell the equipment so it can be a win-win situation.
Whatever the situation, your decisions on the method you use to protect your old data can be influenced by where the equipment is going, it’s age and it’s condition.
Question 2:
How do I prepare old equipment?
It is important to review the equipment you are replacing for the sensitivity of the data that was stored on it. Was it a kiosk computer? or perhaps it was a salespersons’ laptop. Is it a home computer? Did it have financial information on it or trade secrets? Was there private or sensitive data stored on it?
Once you are aware of what data was stored on it, then you can determine what is the exposure and potential damage to the company (or you personally) if that data were to be disclosed. If you are not sure what might have been stored on the equipment, we recommend that you assume it stored the most sensitive information you or your company has.
Regardless of what data was stored on it, we recommend you take a valid, tested, final backup of that device. We recommend this for two reasons. 1) The device may contain data that you did not notice and 2) if for some reason you have to restore that device, you’ll be able to.
We do not recommend removing the original drive from the equipment and storing that as a backup. This is problematic because the drive will be the same age as the equipment it was installed in and secondly you may need the original equipment to access the data on it.
This backup should be a full block level backup (an image). An image is a snapshot of all the data on the drive and it will capture all data on the drive as it was written. A standard file level backup only captures the data in each file that is selected. The biggest differences between backing up as an image or backing up a list of files: 1) backup size is larger 2) Images can be used to write an exact copy of the equipment to replacement media of the same capacity (or larger). This is basically your “undo” button.
Ensure your backup software supports encryption at rest and take steps to protect the data backup to the same degree as you did the equipment it came from.
The final consideration is to ensure that at some point you destroy this backup in accordance to your company’s data retention policies. Storing the media in a locked cage with a destruction date written on it is a simple way to ensure this happens.
Once you’ve classified your equipment’s data, taken a backup, tested the backup, and finally secured the backup, we can move on to securely protecting the old data on the old media.
Question 3:
How do I protect old data?
We recommend you review your security policies (threat assessment, data/asset classification) to determine the level of data destruction your company requires for the data on that storage media before moving forward. Your company may require absolute destruction or a level somewhat below that. Remember it’s not about the media replacement cost, it’s about the exposure of the company if the data that were stored on that media were disclosed.
If you do not have these policies or procedures in place, the most secure, easiest, and most cost effective method of ensuring the data on the old media is protected, is simply to destroy the media. In most cases, it is not practical to wipe the drive to a standard that you can be 100% sure the data is irretrievable.
So to answer the question, protecting old data on old media is as easy as destroying that media.
Securely erasing media
It is possible to securely erase the media. However, there are two major caveats that need to be considered.
Firstly, technology is evolving. While today’s standards and methods are very good and very strong, tomorrow’s are unknown. It is highly likely that tomorrow’s quantum computers are magnitudes more efficient, faster and more powerful and that they will be able to render our secure methods vulnerable. The goalposts when it comes to data security are always moving.
Secondly, how much time and effort are you willing to spend on this? To fully encrypt or wipe a 2TB hard drive requires time. A mechanical drive can take days to encrypt and even longer for a secure wipe. The costs in time is often not worth it.
Check out Wikipedia’s article for secure erasure standards and for more information on this topic.
Summary
Ultimately when considering whether to wipe the data or destroy the media, ask yourself how long would the data that was stored on that media need to stay protected for? 1 year? 5 years? indefinitely? The further out that time period goes, the higher strength your data protection procedures must be.
Before you run off and start destroying your media, review your security policies, asset and data classifications and operating procedures. Destroying the media may not be required to protect old data that was stored on the drive. However, when you don’t know what data was stored on it, or you’re looking for the fastest, most assured method, media destruction is a great option.
Question 4:
How do I destroy my media?
So you’ve decided to destroy the media. The next step is to ask yourself what level of risk you are trying to mitigate. If you simply do not want the data to be recoverable without a forensic effort, physically damaging the device may be sufficient to protect old data. If you are trying to protect old data from a state actor, absolute destruction will be required. Ultimately it is your decision as to how far you want to go in destroying the data.
Businesses will often use a company that offers hard drive/media destruction services, while being registered, inspected and certified. You’ll want to ensure they offer verification of destruction in the form of a photo and certificate, and that they guarantee their work. This allows you to practice your duty of due care and due diligence for the confidential data and is the safest, most cost-effective and efficient way to deal with this challenge.
It is possible to securely destroy the media yourself. Our disclaimer: These methods can result in injury. If you choose to do this you undertake these activities at your own risk. We strongly advise you wear PPE (personal protective equipment) such as gloves, boots, eye protection, hearing protection, long sleeved shirts, pants etc. while destroying your storage media.
For flash based devices (M.2, SATA SSD, thumb drives, tablets and smartphones) physical damage such as from a hammer can be sufficient to render the media inaccessible.
For tablets, smartphones, drones, and cameras (dslr, security etc.) you’ll want to check for removable storage media. Many devices do not have built in storage, but rely on SD cards.
Unfortunately on devices where storage is built-in (phones/tablets and some consumer laptops), it isn’t possible to only physically damage the storage media (without a lot of effort). In these cases, the device will need to be destroyed as well.
Magnetic tape/floppy disks should be exposed to a strong rare earth magnet before destruction (degaussing). The tape itself can be removed from the plastic case and run through your paper shredder before being disposed of.
CDs/BluRay discs can be run through most cross cut paper shredders (those large enough to allow shredding of credit cards), but be sure not to include the CDs shredded remains in your paper waste.
Magnetic hard drives can be slightly more time consuming to destroy compared to flash devices. Drilling through the drive at several spots will unbalance the platters and add shards of metal into the drive. It will also expose the platters to heat which may be sufficient to warp them. At a minimum it will prevent refirbishers from reselling the hard drive and is sufficient to ensure that most people would not attempt to reconstitute the drive. To be sure that the data is irretrievable platter exposure to high heat, shredding, or degaussing of the platters is required.
After drilling many people recommend submerging the drives in water as a sufficient method of destruction. Unfortunately water doesn’t affect the data layer on the drive. It surely will damage the metal components, motors, bearings etc. but it does not damage the data storage layer on the platters. It is not sufficient to render the drive data unrecoverable.
Note: recycling old media
It is important to recycle the media after destroying it. The materials that make up the devices are almost completely recyclable. Check with your local electronics recycler, or municipal waste collection departments for a list of the products and materials that can be recycled.
Check out more of our How-To’s for additional great tips like this one.