Software Solution Answers Multiple Security Challenges for Electronics Recycling Customers

The destruction of sensitive information on hard drives intended for disposal or refurbishment is an ongoing concern as too much data is stored in too many places and the proliferation of high-profile data breaches continues. According to the National Association of Information Destruction (NAID), top executives from 300 companies ranked the security of company records as one of their top five critical issues.

At the same time, more companies are also concerned about their environmental footprint, leading them to consider donation or reuse of IT assets they might once have considered obsolete. Still other organizations lease their computer equipment. Both of these scenarios require a way to securely remove confidential data that does not physically destroy drives.

For recyclers and refurbishers looking to attract customers that are security-minded or focused on going green, approved and certified data erasure presents a safe and easily administered option for disk sanitization that outperforms standard disk wiping utilities. When compared with other methods of data destruction, certified data erasure has many benefits, which are described here. Also discussed are some of the primary objections to data erasure.

Certified data erasure is a method of software-based and/or firmware-based overwriting that completely destroys all electronic data residing on a hard drive or other digital media. Unlike degaussing and physical destruction, data erasure removes all information while leaving the disk operable, preserving assets and the environment. It offers a number of advantages for both electronic recyclers and their customers.

For many companies and their stakeholders, green has become much more than a buzzword, and electronics recycling and refurbishing are a means for achieving corporate sustainability goals. Studies indicate that the life cycle energy use of a computer is dominated by production (81 percent) as opposed to operation (19 percent), meaning that extending its usable lifespan by reselling or upgrading is a valid approach to reducing energy impact, as well as other environmental burdens associated with manufacturing and disposal. ¹

Certified data erasure offers a secure alternative to physical destruction for companies looking to reduce their carbon footprint by extending the lifecycle of IT assets, or by selling them or donating them to worthy causes. Also, data erasure can provide information required to determine an asset’s fitness for reuse, leaving recyclers the more lucrative option of remarketing the asset as opposed to selling its materials as scrap.

Modern hard drives have hidden and locked areas that potentially include remapped sectors, which standard data wiping freeware and less sophisticated overwriting tools cannot access or erase. Unlike these less effective utilities, certified data erasure software does not rely on the computer operating system to define a disk, but instead communicates with a disk on the bit level so that all data is destroyed. In essence, other utilities may report full success although the entire disk has not been accessed, giving a false sense of security that all data is wiped.

Unlike physical destruction, certified data erasure software provides detailed reporting about a disk’s sanitization status. Reports contain information such as erasure date, hard drive serial number, specifics about the PC or disk, technician name and results/errors concerning the erasure process. This software also provides users with a validation certificate if the overwriting procedure was successfully completed.

While certified data erasure software accesses the entire drive, it may encounter bad sectors that it cannot overwrite. In this case, the software discloses the number of such sectors encountered and notes that the erasure was incomplete, allowing the administrator to take further action.

When erasing a number of disks, especially high-mileage ones, bad sectors are often encountered, resulting in an incomplete erasure. Depending on policy and risk tolerance, some organizations may want to refurbish a disk with only a few bad sectors, while others may choose physical destruction. For electronics recyclers, identifying the healthy disks offers potential revenue from remarketing, along with a reduction in e-waste.

Over the past few years, companies have become more sensitive to computer information security issues. Exposure of sensitive financial and medical data, as well as high-profile leaks of consumer credit and debit card data, have resulted in regulations like HIPAA, SOX and PCI, to name a few.

In addition, many government and industry standards exist for the software-based overwriting process itself. Key factors in meeting these standards are the overwriting pattern, number of times the data is overwritten and verification, all of which vary depending on the standard involved. For example, Department of Defense standards have in the past referred to seven or three overwriting rounds, while the current National Institute of Standards and Technology recommendation is a single pass. Also, many standards require a method to verify that all data has been removed from the entire drive, as well a view of the overwrite pattern. A data erasure tool should address as many of these standards as possible and provide a validation certificate indicating such.

The data erasure reports described earlier provide companies and recycling facilities with an audit trail that ensures compliance with all major government and industry standards. These records are important to recycling customers who must address such requirements.

Instead of erasing disks one by one as with some sanitization methods, data erasure can be easily deployed to target multiple networked PCs, raising personnel productivity. Linux-based data erasure tools are most effective because they work on a broader range of network hardware, such as high-end server and storage area network (SAN) environments with Serial ATA, SCSI Serial Attached SCSI (SAS) and Fiber Channel disks and remapped sectors. Also, with certified data erasure software, there is no need for personnel to reformat disks back to 512 size before erasing data, because this software operates directly with larger sector sizes.

The ability to verify healthy assets with data erasure appeals to cost-conscious organizations wishing to reuse or extend the lives of their IT investments. In addition, many companies tend to lose track of retired IT assets and more importantly, the data they contain. By using the reporting capability of data erasure software when a computer is retired, organizations can keep track of the disks they have sanitized. This also protects the disks on equipment slated for a recycling facility, should that be the next step.

Many companies, however, do not have data erasure software and so rely on their recycler for audit trails. However, many analysts advocate that disks are wiped both by the company and at the recycling facility.

By and large, the benefits of data erasure far outweigh any negative aspects. However, there are some companies who rely solely on physical destruction of their retired or damaged IT assets and are not receptive to any additional fees for a data erasure service or the cost of licensing data erasure software. Still, many companies, especially those concerned with regulatory compliance, find they want physical destruction only after obtaining the audit trail and report that certified data erasure provides.

Though fast compared with other disk wiping utilities, certified data erasure is slower than physical destruction, as it takes longer to overwrite the disks as opposed to degaussing and destroying them. Still, because multiple PCs can be wiped at once with data erasure software, disk sanitization processing efficiency is greatly improved.

Some companies who want complete data erasure may be concerned by the fact that not all disks can be completely overwritten due to bad sectors, as described previously. However, bytes residing on inaccessible bad sectors are, in practice, protected against all exposure except that posed by exclusive technologies found only at highly certified laboratories. Customers should therefore feel confident that their data is secure, if this is within their organization’s risk tolerance.

Ultimately, companies must choose their risk tolerance with regard to data exposure in today’s increasingly complicated security landscape. Recyclers must educate customers that the cost for data erasure is minimal, especially given that data breaches cost a company $5 million on average, not to mention damage to corporate reputation and failure to comply with the growing number of regulations.2 As companies become more aware of the benefits of data erasure, recyclers will capitalize on easily administered tools that can capture new revenue streams.  Markku Willgren.

The author is Vice President, Sales and Business Development, NA, for Blancco LTD. He can be reached at markku.willgren@blancco.com^.

1 "Energy intensity of computer manufacturing: hybrid analysis combining process and economic input-output methods", E. Williams, Environmental Science & Technology 38(22), 6166 - 6174 (2004). http://pubs.acs.org/journals/esthag/

2 "Average data breach costs companies $5 million," John Fontana, Network World, (2006-11-02). http://www.networkworld.com/news/2006/110206-data-breach-cost.html

If you would like to submit an article for an upcoming issue of our Electronics Recycling Newsletter, please submit a short synopsis of a proposed article to Dan Sandoval at dsandoval@gie.net.