A cybersecurity column by Kate Fazzini and John Shegerian
To protect personal or business information, many people simply delete old files. It’s the step most take, and they think that’s good enough.
Say, for example, you deleted the scan of a customer’s driver’s license taken before selling a new car. Or maybe at home, you scanned your passport application so that you had a copy until your passport arrived. You have your passport now and delete the file.
Unfortunately, this isn’t enough. Those who think deleting files permanently destroys data are wrong. It’s a myth.
All file deletion does is remove the pathway that your operating system takes to retrieve a file. Think of it as the road between a hidden area of your hard drive and your documents folder. With the road removed, you think the file is gone, but the truth is that it is still sitting somewhere on your hard drive. Anyone with the right skills or knowledge can easily retrieve that information.
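The difference between removing the pathway and removing the data can be shown with a toy model. This is an added example, not part of the original column; the ToyDisk class, the file name and the sample record are constructed for illustration, and real file systems differ in detail.

```python
BLOCK = 16  # bytes per block in this toy model


class ToyDisk:
    """A 'disk' made of raw blocks plus a directory that maps names to blocks."""

    def __init__(self, nblocks=8):
        self.blocks = bytearray(BLOCK * nblocks)  # raw storage
        self.directory = {}                       # name -> list of block numbers
        self.free = list(range(nblocks))          # blocks available for reuse

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            b = self.free.pop(0)
            self.blocks[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.directory[name] = used

    def delete(self, name):
        # Ordinary deletion: forget the name and mark the blocks reusable.
        # The bytes in those blocks are not touched.
        self.free.extend(self.directory.pop(name))

    def destroy(self, name):
        # Destruction: overwrite every block the file used, then delete it.
        for b in self.directory[name]:
            self.blocks[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def raw_contains(self, needle):
        # What someone reading the raw storage (not the directory) would see.
        return needle in self.blocks


def demo():
    secret = b"SSN 000-00-0000 DOB 1970-01-01"  # constructed sample record
    results = {}
    for method in ("delete", "destroy"):
        disk = ToyDisk()
        disk.write("scan.pdf", secret)
        getattr(disk, method)("scan.pdf")
        # (name still listed?, content still present in raw storage?)
        results[method] = ("scan.pdf" in disk.directory, disk.raw_contains(secret))
    return results


if __name__ == "__main__":
    print(demo())
```

On real hardware, overwriting a file in place does not always reach every copy of the data (SSD wear leveling, journaling and copy-on-write file systems can keep older copies elsewhere), so this model shows the principle rather than a sufficient destruction procedure.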
What Can You Delete vs. Destroy?
How do you know what to delete and what to destroy? The most important rule is to look at the file itself. Simply deleting the invitation to a summer BBQ isn’t going to pose problems. It’s not something that will be of value to a hacker. The tax and benefits forms you had to fill out and submit to headquarters after landing a new job are different. Information like your SSN, date of birth, and driver’s license would be very valuable. These are items you do not want to get into the wrong hands.
How can you decide whether a file can simply be deleted or should be destroyed? Ask yourself a few questions before making the decision:
1. Is there anything in this file that could be used against me or to cause me financial or legal harm? This includes photos, photocopies/scans, and new documents you created.
2. Is there any point when this file would help me months or years down the road?
3. Would I be comfortable printing this letter/form/photo out and handing it to a stranger?
4. Would the information in the file cause someone else distress or financial harm?
5. Is anything in the file bound by confidentiality protections, such as HIPAA and a patient’s medical notes?
If you answer yes to any of those questions, data destruction is a much better option. It’s the only way to be sure that the data cannot be retrieved.
When it comes to destroying the data, you should ask an ITAD (Information Technology Asset Disposition) company about data destruction. The method you use may be bound by privacy regulations. For example, a retailer will not have to follow the same rules as a hospital. With different levels of data destruction, you need to carefully choose the right one.
How Do You Make Sure Your Data is Destroyed?
How do you know if your data is being destroyed properly? You could try to do it yourself, but it may be a task you’re more comfortable leaving for an expert. If that’s the case, you need to carefully choose your ITAD company.
Some say they process everything, but they send it overseas. In 2018, a Washington e-recycling company was found guilty of sending electronics overseas to Chinese laborers.
You do have to be careful. Before entrusting your recycled electronics to any company, check its certifications. You want to choose a company that goes through random audits to ensure it keeps its promises to destroy data and recycle electronics within the U.S. in its own facilities. Look for these certifications:
1. e-Stewards: Ensures companies do not illegally dispose of electronics by shipping them overseas to developing nations.
2. NAID AAA: Ensures that companies comply with data protection laws.
3. R2: Ensures safety measures are followed to keep workers protected from any safety or health issues while recycling and refurbishing electronics. Also protects the environment from hazardous materials being improperly disposed of.
4. SOC 2 Certification: Globally-recognized data security and controls certification, awarded following a rigorous audit of standards for security and data protection.
Kate Fazzini is Director of Security Operations and Engineering at Ziff Davis, an adjunct professor of cybersecurity at Georgetown University, and author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime. She has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s book, The Insecurity of Everything.