By Gary Scott, President, E-Waste Security
When removing or decommissioning your legacy equipment from data centers, it’s common to ask the question of whether your hard drives and SSDs should be included in your asset recovery strategy.
Historically, the IT budget has been dictated by the CFO. The calculations consisted of CapEx for the acquisition of IT equipment and a significant add-back component for asset recovery. Hence, data center decommissioning projects centered around recapturing as much residual value as possible from excess equipment, including hard drives.
Data privacy and the considerable liability associated with a data breach has changed the data center decommissioning landscape for the foreseeable future. Asset recovery and overall IT budgets now go far beyond simple capital expenditure calculations. The decision about what gets sold, recycled, and physically destroyed has become a matter of liability protection instead of maximizing the return on the initial investment.
The Risk/Return of Asset Recovery
A properly planned and managed disposition process has many enticing rewards, including recouping initial capital from legacy equipment, donating to charitable organizations, and supporting your reputation for environmental awareness. However, when it comes to hard drives and SSDs, the risks of a data breach likely outweigh these benefits.
Hard drives and SSDs most often contain significant liability in the form of sensitive information. Whether it’s proprietary product details, financial statements, or customer data, the information you’ve stored on your drives are your responsibility long after the drives leave the data center. In fact, the only way to eliminate the possibility of a breach is to use a reputable and certified hard drive destruction vendor who provides a Certificate of Destruction that the hard drive was physically destroyed, not erased.
Erasing the drives and selling them along with the decommissioned equipment will allow you to recover some capital from your initial investment, but often times, a significant amount of data remains recoverable after a drive is erased. In fact, some studies suggest that up to 78 percent of “wiped” hard drives still contain recoverable data. According to the 2017 Ponemon Cost of Data Breach Study, the average cost of a data breach in America is $7.35 million, which breaks down to an average of $225 per lost or stolen record. Imagine how many records you have stored on each hard drive, server, and rack in your cage. Is attempting to maximize the return on your initial investment by reselling or recycling your drives worth the risk?
Understanding Your Options with Data Center Decommissioning Projects
In today’s digital security climate, cyberattacks get much of the attention. While it may not be the first thing that comes to mind, a key element of your overall digital security strategy is your plan for what you do with information when it’s no longer needed.
There are three options for clearing sensitive information from your hard drives and SSDs during a data center decommissioning project:
- Erasing or wiping
- Degaussing
- Shredding or Destroying
According to NIST 800-88, erasing hard drives is the least secure form of hard drive data destruction, but it may be the only choice for those who have leased equipment. If you choose to erase the drives, risks can be minimized by partnering with a company that is NAID Certified and is committed to the time-consuming process of completely erasing the hard drive, providing documented and verifiable proof.
In the end, the best way to ensure your data is completely and securely destroyed is to have hard drives shredded on-site before they leave your custody. Physical destruction is the most compliant form of data destruction on hard drives, and it protects your company from the liability associated with data on retired equipment.
For a deeper look into the pros and cons of each option, read. “Hard Drive Data Destruction: Understanding Your Options.”
About the Author
Gary Scott founded E-Waste Security in 2012 with the goal of minimizing his clients’ liability when it came to data disposal. Since then, the company has become a leader in Certified Hard Drive Destruction and IT Asset Disposition throughout Southern California. E-Waste Security’s onsite data destruction and hard drive shredding service is NAID Certified and compliant with PCI DSS, HIPAA, and GLBA. The company provides full-service IT Asset Disposition (ITAD) services, including the purchase, removal, and recycling of computer equipment to provide our clients with a convenient solution for their decommissioning projects.