Data Destruction Standards: Industry Best Practice to Destroy Your Data Securely
Over one-third of the organizations in the US lack active policies for the destruction of confidential data and information. And according to a study by the Ponemon Institute, more than 51 percent of those organizations that do have a policy lack elaborate data destruction standards.
In recent years, the National Institute of Standards and Technology’s (NIST) 800-88 standard has become the industry guideline for data erasure compliance. The standard replaced the DOD standard in terms of regulatory and certification practice.
Now organizations, especially in the healthcare, banking, defense and government sectors, face stringent regulations and challenges in IT asset disposal.
Data Destruction Standards for Defense
The U.S. Department of Defense on the other hand no longer references the DoD 5220.22 as a method for secure data disposition. Most regulations and certification programs now cite the NIST SP 800-88 media erasure guidelines.
Data Destruction Standards for Bankers
Financial and banking organizations are also bound by legal and contractual obligations to safeguard client data, including Gramm-Leach-Bliley Act, FACTA Disposal Rule, Bank Secrecy Act, Sarbanes-Oxley Act, and the PCI Data Security Standard.
Securely Destroying Your Tax Records – What You Need to Know
Tax records are important until the period of limitation for a tax return runs out. Generally, the IRS stipulates that records be kept for three years from the date you file your original return or 2 years from the date you pay the tax. In case you file a claim for a loss from worthless securities or a bad debt deduction, you should keep the records for a period of 7 years.
Data Destruction Standards for Healthcare
Today, all healthcare industry facilities are required to adhere to the HIPAA Privacy Rule in protecting the privacy of confidential health information. The regulation touches on doctors, healthcare providers and business associates and all involved parties must follow the industry standards for data destruction.
Handling Your Healthcare Records Securely
Healthcare records must be maintained in such a way that the information is available for clinical reference upon request. The recommended time depends on a number of factors, including state regulations, the coverage program, and the statute of limitations.
Under the American Hospital Association and American Health Information Management Association, the retention period is at least 10 years. Medicare, on the other hand, recommends records be retained for five to seven years.
To ensure compliance, healthcare providers and practitioners should dispose of protected health information (PHI) in accordance with HIPAA regulations.
Destruction Methods That Comply With Data Destruction Standards
There are many data destructions methods that an organization can use. The right type of data sanitization, however, depends on a number of factors, including the type of media.
NIST 800-88 describes three methods for sanitizing hard disk drives, erasing, degaussing and shredding. The physical shredding of hard drives is considered the most secure form of data destruction and should be used for all confidential information.
The general methods of data destruction are:
- Clearing: Clearing makes use of programmatic software-based techniques to sanitize data and guard against data recovery techniques.
- Purging: A method of sanitization that applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques
- Destruction: A data destruction method that renders Target Data recovery infeasible and results in the subsequent inability to use the media for storage of data.
Among the most difficult challenges organizations face when disposing of their IT assets is figuring out when and what to destroy. These can vary depending on the industry and type of equipment.
Preventing Data Destruction Standards Non-Compliance With ITAD
To ensure that data and information are completely secure, organizations need to deploy IT asset disposition (ITAD) managers who develop a fully secure end-to-end process that meets all the regulations to ensure compliance and a secure chain of custody.
All data and information provided to a third party must be destroyed, including all available copies. The level of this destruction is usually governed by the sensitivity of data being disposed of. File deletion, disk formatting, and “one-way” encryption no longer cut it and all sensitive media should be pulverized and shredded.
Data sanitization should be addressed in a timely manner and all processes should be formalized and documented within your organization.
It’s important not to overlook proper disposal practices for your outdated electronic devices. This includes all hard drives, backup tapes and digital devices. If not handled properly, the release of these media could lead to an occurrence of unauthorized disclosure of information.