Certificates of Destruction Don't Matter for Data Sanitization - Here’s Why

Around here, we pride ourselves on effective data sanitization. We are a member of NAID, and we built our own accredited data erasure software to make it happen. Sanitization is the bedrock of a strong ITAD strategy and the primary risk-mitigator on hardware that has aged out of regular use. Should you trust Certificates of Destruction to prove that a contract company has safely sanitized your data?

Don’t Fake It – You’ll Fail to Make It

Do you know how easy it is to make up a Word Document that will act as a Certificate of Destruction? Google it. Go ahead…we’ll wait here. Certificates of destruction are remarkably easy to make and remarkably easy to fake. They offer no proof other than a signature (and raw hope) that the data has actually been sanitized from the device. Look, we don’t hate certificates of destruction – we provide them to our customers every day – they are just not good enough on their own1.

Certificates of Destruction Don’t Remove Legal Responsibility

Certificates of Destruction can be a mitigating factor and can help prove due diligence, as they provide an important paper trail. Unfortunately, they will not allow you to transfer your responsibility for keeping the information confidential. If information were to leak out after a failed data sanitization, you and your company would still be legally liable. This underscores the importance of choosing a reputable vendor for your data sanitization needs and verifying that their processes will allow you to meet or exceed your legal requirements.

Use Logs to Verify Data Sanitization

By now you’re thinking that they must be a better way to prove that the data has been sanitized — you’re right. Wipe logs – the reports generated by our sanitization tool as it securely wipes each harddrive – allow you to verify the number and type of sanitization passes as well as the serial number of each drive. This allows you to directly verify whether or not the wipe has succeeded or not on each device. These logs provide more detail and offer far more verifiable proof than certificates of destruction alone.

Remember: The Process is King

The most important part of any data sanitization plan is the process that ensures there are no failures. Each step should be verifiable, and the final report should reflect a thorough erasure of all sensitive data. In this way you can complete a safe data sanitization and protect yourself from additional legal exposure.

Oh, and one last thing… speed counts. Security remains number one, but when you can deliver the same level of security in less time, you save money. More on that one in a future post. Stay tuned!

  1. But if you hang a WHOLE BUNCH of them on the wall, people might think you’re a big deal. ↩︎
About the Author