The Importance of Data Security
It’s no secret that we’re living in an information based economy, and that data collection has become a rather routine and ubiquitous part of our lives. Everything from medical files to financial transactions, corporate secrets and military records are stored electronically as data, with general public expectation that what is shared with businesses and organizations will be safely guarded and then destroyed when no longer in use. But what happens when sensitive information falls into the wrong hands, either due to theft or simple negligence?
Data security is not a topic that often graces the top of minds, and yet it can be one of the most damaging and costly issues affecting businesses today. In the wake of a credit and debit card breach at US retailer Target in late 2013, banks and credit unions were forced to spend an estimated $200 million to reissue 21.8 million cards to affected customers, in addition to the cost of fraud perpetrated with the stolen cards.¹ And while this particular example is high profile with far reaching consequences, it is by no means unique, with many more cases of sensitive information falling into the wrong hands due to everyday electronic devices (i.e. hard drives , SSDS, printers, photocopiers) not being properly data wiped prior to being resold or recycled.
But regardless of size and scope, the issues surrounding any data security breach have serious ramifications, including breach of privacy, liability for the companies responsible for safekeeping customer information, as well as erosion of that company’s brand and their customers’ trust.
Data Wiping: Fact vs. Myth
Data wiping - also known as data destruction - is one of the ways in which companies destroy electronic data on a hard disk drive or other digital device. It is the only method which allows the device to be reused, the other methods of data destruction being hard drive shredding (passing the drive into a machine that shreds it into metal slivers) and degaussing (passing drives, tape or disks through a powerful magnet, erasing the data so it can’t be recovered), which also destroys the device components along with the data permanently.
With data wiping, the removal of data is accomplished by using software to overwrite the information residing on the hard drive or device, erasing just the data while leaving the disk operable to enable the reuse of IT assets. (Permanent destruction of data goes beyond simple file deletion or formatting, as that removes only the pointers to the relevant data disk sectors, allowing for data recovery with common – and fairly easy to use – software tools readily available in the market). But the process of data wiping itself is not as straight forward as it sounds, due to the debate that exists around the number of times (or passes) that a hard drive or device must undergo to be properly overwritten.
The ‘Three Pass Overwrite’ requirement is a myth that is still prevalent in the IT industry and is referenced and used as a standard in processes for data wiping. Derived in 1996 following the publication of a paper by Dr. Peter Gutmann², it suggests that between three to five passes are necessary to prevent data from being reconstructed from a drive or electronic device. Though the findings in the paper were theoretical, with no testing conducted to verify the veracity of its claims, it was widely cited by experts and quickly adopted by the industry, spawning a multitude of data wiping standards including the most popular one ostensibly created by the US Department of Defense, named DoD 5220-33M.
The DoD 5220-22m is in fact, not an established standard for the Department of Defense; rather it is simply a reference to the National Industrial Security Program (NIST) Operating Manual. DoD 5220-33M was never approved by the Department of Defense for any type of data sanitization and was never meant to be taken as a standard by civilian organizations. The Department of Defense itself uses the NIST 800-88 standard as its reference for media sanitization, though that has not stopped the proliferation of the falsely credited ‘Department of Defense standard’ throughout the IT industry.
This is a classic example of Marketing positioning being promoted and adopted as fact, largely to facilitate a message of perceived quality by software companies and third party computer recyclers and refurbishers to their customers. The US Department of Defense itself maintains that claims of being ‘DoD compliant’ in terms of data sanitization are not only inaccurate but also misleading, since the drives referenced in Dr. Guttmann’s original multi-pass theory are largely extinct, and no longer apply to the type of technology that exists today.
Data Wiping: In Practice
Like the US government and the Department of Defense, TSC has adopted the standard as outlined in NIST 800-88, which states that disk drives manufactured after 2001 and over 15GB require only one complete overwrite to sufficiently sanitize all data and prevent its recovery. Though the ‘three-pass overwrite’ myth is still being perpetuated by some software and hardware vendors, it is nevertheless our goal at TSC to educate our customers and partners on the facts around data wiping, and help champion the proper – and true – standard within the IT industry.
¹ Pham, Thu, (Sep 17, 2014). After a Data Breach: Who’s Liable? Industry News. ² Gutmann, Peter, (July 1996) Secure Deletion of Data from Magnetic and Solid-State Memory