Around here, we pride ourselves on effective data sanitization. We are a member of NAID, and we built our own accredited data erasure software to make it happen. Sanitization is the bedrock of a strong ITAD strategy and the primary risk-mitigator on hardware that has aged out of regular use. Should you trust Certificates of Destruction to prove that a contract company has safely sanitized your data?
Do you know how easy it is to make up a Word Document that will act as a Certificate of Destruction? Google it. Go ahead…we’ll wait here. Certificates of destruction are remarkably easy to make and remarkably easy to fake. They offer no proof other than a signature (and raw hope) that the data has actually been sanitized from the device. Look, we don’t hate certificates of destruction – we provide them to our customers every day – they are just not good enough on their own1.
Certificates of Destruction can be a mitigating factor and can help prove due diligence, as they provide an important paper trail. Unfortunately, they will not allow you to transfer your responsibility for keeping the information confidential. If information were to leak out after a failed data sanitization, you and your company would still be legally liable. This underscores the importance of choosing a reputable vendor for your data sanitization needs and verifying that their processes will allow you to meet or exceed your legal requirements.
By now you’re thinking that they must be a better way to prove that the data has been sanitized — you’re right. Wipe logs – the reports generated by our sanitization tool as it securely wipes each hard-drive – allow you to verify the number and type of sanitization passes as well as the serial number of each drive. This allows you to directly verify whether or not the wipe has succeeded or not on each device. These logs provide more detail and offer far more verifiable proof than certificates of destruction alone.
The most important part of any data sanitization plan is the process that ensures there are no failures. Each step should be verifiable, and the final report should reflect a thorough erasure of all sensitive data. In this way, you can complete a safe data sanitization and protect yourself from additional legal exposure.
Oh, and one last thing… speed counts. Security remains number one, but when you can deliver the same level of security in less time, you save money. More on that one in a future post. Stay tuned!