The consequences of inadequate data destruction

Understanding data destruction (And how to avoid later nightmares from not doing it right)

Kayla Matthews
© Shutterstock / Tim Masters

Some companies might not ponder what could happen if they neglect to engage in the correct forms of data destruction. Improperly destroyed information could contribute to the rising issue of breaches. In this article, Kayla Matthews talks about data destruction and how to do it right.

Data destruction is a method of destroying the content so that it’s no longer readable through any technique. There are many ways to destroy data, and none of them guarantees success.

People need to keep several things in mind to steer clear of potential nightmares that could happen due to data destruction attempts that don’t give the desired results.

1. Abide by company policies for data destruction

Many workplaces have data destruction policies in place. People should consult the IT leaders at their company as a first step and inquire if such rules exist.

If they do, following them maintains uniform procedures and lets individuals avoid potential reprimands for not disposing of data as their companies intend.

2. Find out about industry-specific rules

A businesses’ industry could also determine how people must dispose of data. For example, there are particular rules for dealing with devices that stored health information. Similar regulations exist for securely getting rid of customers’ financial data.

Failing to follow industry standards for file handling could result in hefty fines. Damage to one’s reputation could also come up.

SEE ALSO: New JAX Mag issue: Technology nightmares – Horror stories for the brave

3. Remember GDPR regulations

In May 2018, the General Data Protection Regulation (GDPR) came into effect. It involves data related to all residents of the European Union. Moreover, businesses operating elsewhere that market to people in the European Union or could otherwise collect their data also have to follow the GDPR.

Concerning data deletion, companies must get rid of data when provided services cease or a contract expires. However, customers can also exercise the right to be forgotten. In the situations where it applies, companies have to accommodate customers that write or contact them by phone and request that their data gets deleted.

Additionally, GDPR regulations apply to physical data, such as forms, but there are no specifications about the paper-shred size required. Companies also must be mindful that some content that initially existed only online may now also be in physical formats, especially if people printed things out for easier reference.

4. Become familiar with cloud providers’ file deletion practices

When companies delete data, they often forget about information stored in the cloud. Unfortunately, getting rid of that data is not as straightforward as it might seem. Depending on a cloud provider’s backup strategies, multiple versions of a file could exist. That means deleting the first one someone comes across is not necessarily sufficient.

Cloud service providers typically set standards for how often they keep stored data. Then, if people accidentally delete something, it can be restored. When companies use cloud technologies, they should also verify that the chosen provider has well-defined file deletion practices that meet their needs.

5. Understand the various data destruction methods

As mentioned earlier, there’s not just one way to handle data destruction requirements. The best approach to take is for companies and representatives to learn about the possible ways to destroy information, then pick the ones that are right for them.

Some options are more effective than others. For example, if a company deletes the data and then reformats the disk, it’s not getting rid of data but only replacing it with new content. Certain tools sometimes enable people to retrieve old data after reformatting, meaning this method likely won’t meet an organization’s data security needs.

Data wiping is another technique, and it typically involves connecting a data storage device to a tool used for bulk-wiping. However, this method is very time-consuming and not recommended for the data destruction needs of a whole organization.

A business might use other destruction techniques, depending on the task. For example, degaussing involves using a high-powered magnet to disrupt the magnetic field of a device used for storing information. It destroys the hard drive and does not allow using a computer for future purposes. Some companies also provide physical destruction services and typically use hammers to do the deed.

It’s ideal for companies to talk to experienced companies about which techniques to use instead of quickly concluding which way to destroy the data without consulting experts. Otherwise, the chosen method might not be maximally effective.

SEE ALSO: Data science applications: Containers or serverless?

6. Consider choosing a certified provider

The companies that handle data destruction for their clients undoubtedly recognized a need in the marketplace to fill. However, those providers may have variations in their practices. Fortunately, the National Association for Information Destruction (NAID) is a standards-setting body for the data destruction industry.

Companies can voluntarily receive NAID certification. They must pass unannounced audits to achieve that status. Additionally, if a data destruction provider operates in multiple locations, each one must pass an audit. Picking a NAID-certified provider could deliver the peace of mind a company needs to rest assured that the company follows best practices.

Many companies offer certificates of destruction too. Such documentation allows a company to check that the destruction was carried out in accordance with requests.

Think about the far-reaching effects of improper data destruction

The information above covers what data destruction is and how to do it right. However, companies might not ponder what could happen if they neglect to engage in the correct forms of data destruction. Improperly destroyed information could contribute to the rising issue of breaches.

Some people could go dumpster diving and obtain disposed hardware that way. Or, they might come across data on a device after buying a computer or smartphone on an auction site or from a third-party seller.

After those things happen, companies could spend precious time determining the consequences of the breached data and the precise kind of information the outside party received. As mentioned earlier, fines and damage to a company’s reputation are two of the things that could happen due to inadequate data destruction.

So, the ideal thing to do in every case is to follow the tips above when choosing a method and provider. Then, it’s possible to prevent pitfalls that could significantly impact a business.


Kayla Matthews

Kayla Matthews is a technology writer, contributing to publications like VentureBeat, TechnoBuffalo, Fast Company and The Week. To read more posts by Kayla, check out her personal tech blog.

Inline Feedbacks
View all comments