The fine art of data destruction

---

Slideshow: Take a closer look at creative methods used by IT workers

---

Her research led her to Data Killers, a media-destruction and computer-recycling firm in Maryland that could shred tapes and hard drives securely, and provide a certificate affirming their destruction. It would even let you stay and watch the shredding process, if you wanted. Then the media's "remains" would be delivered to a smelter for melting and recycling its various metals.

With its 6,600-pound shredder, Data Killers is able to take just about any storage medium, such as the college's tapes, and turn it into particles the size of a thumbnail, owner Elizabeth Wilmot says.

Jones and a co-worker soon found themselves loading the tapes into the back of one of the college's vehicles and driving to Data Killers. After spending what Jones recalls was "a little more than an hour" watching the shredding, they were able to report back that the deed had been done.

Experts maintain that, just as it is developed for data in flight and data at rest, policy should be developed for end-stage data disposal or data destruction. Randy Kahn, owner of Kahn Consulting, says data destruction and disposal can be viewed as part of a larger corporate-governance commitment to proper information management.

Kahn, a lawyer and author of Privacy Nation and Information Nation, advises companies about issues related to information management, compliance and technology.

"Proper information management impacts the entire life cycle of information, from making sure employees understand policy surrounding how to manage the creation and storage of that information to how to properly dispose of it at the end of its useful life."

Steps in the right direction are developing a media-sanitization or data-destruction policy, making an effort to educate users about it and selectively testing or auditing the policy's effectiveness.

Policies about data destruction often deal with organizations' decisions about how best to dispose of IT assets they are replacing or retiring, according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG). He also sees this type of policy applied to archived data that has passed its required retention date.

"As it stands right now, in many corporations, data destruction is on an ad-hoc and as-needed basis," says Robert J. Hansen, a voting systems security expert and security researcher at the University of Iowa. "That just doesn't cut it. You need to think about this in advance before it becomes an issue." Hansen maintains a blog on software engineering topics that includes his own "Ten Commandments of Data Destruction." Creating a policy for data destruction ranks high on his list.

Click to see: Deciding when to clear/purge or destroy

Yet many IT organizations wait until they need to do their own spring cleaning before they decide what to do with data on older storage media that usually have been sitting around a while gathering dust, Data Killers' Wilmot says. "A lot of times, the first call we get is that they have several thousand tapes, and they don't know what to do with them," she says. "It's a lot like spring cleaning at first . . . then they tell us they'll be better about this in the future, destroying the media on more of a regular basis like quarterly or biannually."

Already accustomed to the bank's use of a weekly, on-site document-shredding service, Brown liked the idea of reformatting the hard drives, then driving to a local company himself to have them shredded. That way, he could ensure a solid chain of custody between leaving the building and getting the drives shredded. "Now, when it leaves here, it's pulverized, then it's liquefied," he explained, noting that as a bank, he thinks it makes sense to take a few extra steps.

Data-destruction services also offer customers the option to view their media's destruction remotely, and ship double-locked "storm cases" to protect remote customers' media in transit to their facility. Wilmot says this is a popular option, but the local bank and college both preferred to deliver the media themselves.