
Data destruction done wrong could cost your company millions

With the end of Windows 10’s regular support cycle fast approaching, and a good five years since the COVID pandemic spurred a wave of hardware replacements to support remote work, many IT departments are in the process of refreshing their fleets. But what they do with decommissioned systems is just as important as the shiny new ones they buy.

If you dispose of your old corporate laptops without making sure – really sure – that their drives are erased, you could be liable for millions of dollars in fines or legal damages if sensitive data falls into the wrong hands.


For example, in 2022, the US Securities and Exchange Commission fined Morgan Stanley Smith Barney (MSSB) $35 million for failing to properly dispose of devices that contained personally identifiable information (PII) after the finance firm hired an unqualified moving and storage company to clear out some datacenters.

“According to the contract with MSSB, Moving Company would work with an e-waste management company (“IT Corp A”) to wipe or destroy any data present on the decommissioned devices,” the SEC wrote in a 2022 filing [PDF]. “However, at some point during the engagement, Moving Company stopped working with IT Corp A and instead began selling unwiped devices removed from MSSB’s datacenters to another third party (“IT Corp B”).”

Because MSSB didn’t properly oversee its vendor, the moving company sold 4,900 different assets, which included unwiped hard drives containing thousands of instances of PII. The Office of the Comptroller of the Currency (OCC) fined Morgan Stanley an additional $60 million and the company settled a class action suit for another $60 million [PDF], bringing its total liability to $155 million. Simply offloading the problem to a third party did not shield MSSB from responsibility.

These hard drives came from a datacenter, but they could just as easily have been inside laptops your company is replacing. Which is why it’s important not only to sanitize all data, but to trust whomever you’ve tasked with doing the job. Hiring a third party is a good idea, but remember that you get what you pay for, and anyone who offers to do the work for free in exchange for your old equipment may not take the time to do a proper wipe.

Sanitization as a service

“If I had to make a guess, I would say most data probably does not get wiped,” said Lou Ramondetta, president of Surplus Service, a company that sanitizes and recycles old computers from business and government clients. “It’s amazing the abuse that happens in the industry, because people just want to get the computers and, if they get the computers, they’re trying to resell the computers and often times things don’t get done to the level that they should be done.”

Ramondetta said that it takes his company several hours to properly wipe a drive, using hardware and software made for this purpose. Depending on how picky his customers are, he may wipe a drive as many as seven times, though he said that once should be good enough for most. For those who want even more certainty, he can physically destroy drives instead. There is also high-level security in the drive sanitization room.

“We only have one or two people who are certified so all of the hard drive wiping and destruction is in a separate area. It’s got cameras. It’s controlled. There’s only certain people who have the ability to be in there at any one time,” he noted. “We do audits, where after we do the wiping, one guy audits the other guy to make sure they got the same kind of information. It’s a pretty involved process.”

Depending on how you want your drive disposed of, Surplus Service charges from a few dollars to as much as $15 per unit. It also charges anywhere from $199 to $599 to pick up devices from your office, but if the equipment is high value and the company can make money by reselling it, it may lower or waive the pickup fee.

Why not just wipe the data yourself and save the money that you’d pay a service to do it for you? For one, most data destruction software doesn’t provide the level of certainty you need to be sure that sensitive information can never fall into the wrong hands.

“It’s also worth pointing out that just because a drive has been ‘erased’ doesn’t always mean the data is truly gone,” said Mike Cobb, director of engineering at DriveSavers, a company that does both data recovery and sanitization. “For example, commands like TRIM don’t work consistently across all devices. That’s why verification is so important.”

Guidelines for data or drive destruction

Any serious data destruction service will follow the NIST Special Publication 800-88 Rev. 1 guidelines [PDF], first introduced by the US government in 2014. The guidelines don’t specify particular tools to use, but advise companies to make data sanitization decisions based on both the security categorization of the data and whether the media is leaving organizational control.

Orgs should first ask themselves what the consequences of a data leak would be both to the company itself and to any individuals whose PII might be stored on the at-risk media. Federal Information Processing Standard (FIPS) 199 [PDF] helps you look at the potential impact of data leakage on confidentiality (keeping data out of the wrong hands), integrity (keeping data authentic and correct), and availability (keeping it timely and reliable). You can then decide whether your security categorization is low, medium, or high.

NIST says that there are three main ways to sanitize data:

  • Clear: Overwriting the data with garbage data or, where that’s not available, factory resetting. The drawback is that there are usually inaccessible sections of a disk that the OS can’t write to, which won’t get erased. These occur because of features such as wear-leveling and overprovisioning that give storage devices extra data blocks they rotate in and out of use to extend their useful lifetimes. Data recovery is possible in a lab environment.
  • Purge: Using extra techniques such as secure erase that clear all sections of the device, making data recovery difficult, even in a lab environment. Drives can still be reused, however.
  • Destroy: Physically damaging the drives beyond repair so that they can never be used again. Methods include drive shredding and incineration. If done properly, not even individual NAND Flash chips can be left intact. This method is the most costly and worst for the environment because the drive (and possibly the device it powered) cannot be reused.

The organization provides a helpful decision tree you can use to evaluate how to dispose of your corporate data.

NIST 800-88 decision tree

To wipe or to destroy?

Orgs should choose a method by weighing both the risks and costs involved. Some companies in very sensitive fields such as healthcare, finance, or government work may require that the drives be destroyed and they can be very specific about the kind of destruction.

“We have some clients who require us to shred stuff down to a fraction of an inch, and we have other clients who are okay with our shredding stuff to, you know, say, a quarter or half an inch,” Ramondetta said.

HDD shredding at a Dell facility – Image: Dell

Ramondetta told us that Google wants its storage devices shredded to a pulp and then incinerated afterwards. On the other hand, some government agencies he works with require drives to be wiped as many as seven times. He gives orgs advice but ultimately the client makes the call.

“We’re a sustainability company and a reuse company,” he said. “So, if I have a choice between shredding a drive versus wiping the drive, I’m always going to try to wipe it because that way I can resell it to the secondary market. Quite frankly, if you go through one to three wipes, there is very little reason to go above that.”

Drives that have been encrypted provide another layer of security: once the cryptographic keys are erased (NIST calls this cryptographic erase), the information becomes effectively impossible to read. However, many systems are only partially encrypted, and some systems store copies of their keys in the cloud. For example, Microsoft BitLocker recovery keys can be backed up to the cloud.

Validating and documenting

According to NIST, after performing the sanitization, the org or contractor needs to validate that the data is actually unavailable and then provide documentation in the form of a certificate, which shows that the specific drive(s) in question have been properly dealt with. Reputable sanitization services will do all of this for you. But if they fail, your company should have written proof that the data sanitization took place.
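The verification step above (and Cobb’s point that an “erased” drive is not necessarily empty) is something an IT department can check for itself with a read-back pass, then record in the kind of erasure certificate NIST asks for. The following is an added example, not code from any vendor or from NIST: it reads sectors back from a device or image and flags any that are not the expected post-wipe pattern, then builds an HMAC-tagged record of the outcome. The 1 MiB image, the serial number and the signing secret are all constructed placeholders.

```python
import hashlib, hmac, json, os, random, tempfile
from datetime import datetime, timezone

SECTOR = 512

def verify_sanitized(path, samples=None, pattern=b"\x00", seed=None):
    """Byte offsets of sectors at `path` that are not all `pattern` (0x00 or 0xFF,
    depending on what the erase method leaves). samples=None reads every sector;
    an int reads that many random sectors plus the first and last (sampling can
    miss small residue, so only a full pass justifies a definite PASS)."""
    expected, bad, rng = (pattern * SECTOR)[:SECTOR], [], random.Random(seed)
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)  # works for block devices, where getsize() returns 0
        sectors = -(-f.tell() // SECTOR)  # ceil: a partial final sector is read too
        offsets = range(sectors) if samples is None else sorted(
            {0, sectors - 1} | {rng.randrange(sectors) for _ in range(samples)})
        for s in offsets:
            f.seek(s * SECTOR)
            chunk = f.read(SECTOR)
            if chunk != expected[:len(chunk)]:
                bad.append(s * SECTOR)
    return {"checked": len(offsets), "bad_offsets": bad, "ok": not bad}

def _tag(record, secret):
    # HMAC over every field except the tag itself, keyed with the org's secret
    body = json.dumps({k: v for k, v in record.items() if k != "hmac_sha256"}, sort_keys=True)
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def make_certificate(serial, method, result, operator, secret):
    """Erasure record with the fields an auditor asks for, plus a tamper-evident tag."""
    record = {"device_serial": serial, "sanitization_method": method,
              "timestamp_utc": datetime.now(timezone.utc).isoformat(),
              "operator": operator, "sectors_checked": result["checked"],
              "status": "PASS" if result["ok"] else "FAIL"}
    record["hmac_sha256"] = _tag(record, secret)
    return record

def check_certificate(record, secret):
    return hmac.compare_digest(_tag(record, secret), record.get("hmac_sha256", ""))

def demo():
    """Constructed 1 MiB zero image, then 4092 bytes of leftover data planted at 512 KiB."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"\x00" * (1 << 20))
        path = img.name
    clean = verify_sanitized(path)
    with open(path, "r+b") as f:
        f.seek(512 * 1024)
        f.write(b"CONFIDENTIAL" * 341)  # mimics a region the wipe skipped
    dirty = verify_sanitized(path)
    os.remove(path)
    return clean, dirty
```

On a real drive, point `verify_sanitized` at the device node (for example `/dev/sdX`) with read-only access after the wipe; a full pass over a large drive takes hours, which is why sampling exists, but any non-empty `bad_offsets` means the wipe failed regardless of sample size.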

“Good-faith wiping does not automatically avoid liability if data is later recovered,” said Silvino Diaz, an attorney with EPGD Business Law. “Regulators and courts look at reasonableness and proof of effort. It is recommended that you have documented sanitization procedures, verifiable processes (logs, chain-of-custody, etc.), vendor monitoring, and encryption.”

Diaz also pointed out that there are a lot of laws on the books, particularly in the US, regarding the need to shield PII in particular industries. Under HIPAA (the Health Insurance Portability and Accountability Act), companies have to destroy patient records when they are no longer required or face fines. US financial institutions are subject to the Safeguards Rule [PDF], which requires them to keep customer information secure. Other businesses are subject to the FTC Disposal Rule [PDF], which requires them to take reasonable measures when getting rid of materials that contain consumer information. Violators can face government fines as well as lawsuits.

Laptop OEMs give you money back

When choosing a disposal company, orgs can opt to go with a third-party recycler like Surplus Service or work with major OEMs such as Dell and HP, both of whom have recycling programs that allow you to not only sanitize the data but get some money back for the value of the equipment you are disposing of.

Both companies are willing to accept laptops made by anyone, not just the OEM doing the disposal. They charge customers a fee to come to the customer’s office, collect end-of-life computers, and transport them back to be sanitized. Companies can pay extra to have the sanitization done on-site or to have their drives physically destroyed, which lowers the resale value of the laptops they were in.

However, orgs can actually get back more value than they pay for the disposal service, because both companies pay customers if the computers are new enough and in good enough shape to be refurbished or to have their parts reused.

“Obviously, if [customers] have a 15-year-old product, there may not be a lot of value in there, but most of these systems are fresh, are going to have value,” Dell Senior Director, Strategy and Global Modernization Gina Cano said, talking about her company’s Asset Recovery Services program. “And that’s where Asset Recovery Services helps them get that value to help offset some of that cost of the refresh that they have to do.”

Claudia Contreras, VP of HP’s Renew Solutions, that company’s asset disposal service, posited that the computers with the most value are in their first five years of service. She noted that, not only is the death of Windows 10 driving PC refreshes, but so is the fifth anniversary of COVID, when many companies had to buy new laptops that are now showing their age.

“It’s time for a refresh and all of it has been happening in the past few months,” she said. “And will continue to happen within the next six to 10 months.”

Contreras and Cano both said that the reason many companies use their disposition services is because they want to be environmentally responsible. Both companies strive to reuse the devices and their parts first and foremost, with recycling for materials a last option.

“The carbon footprint of a standard HP device is going to be roughly 200 kilograms of carbon overall and that’s usage included. So working on this device for four years, that’s roughly what it is,” Contreras said. “Extending the life of a product using a refurbished device could be 60 percent less impactful than a new device.”

Both HP and Dell told us that they follow NIST 800-88 data deletion standards and issue certificates to their customers showing that the devices have been properly sanitized.

DIY data destruction

But what if you don’t want to use an outside company? There are software vendors who offer solutions that could allow you to have your own IT department do NIST 800-88 compliant wipes.

BitRaser is one such application, as it performs secure erase (aka purges) of data on SSDs and hard drives. According to Namrata Sengupta, the company’s SVP of sales, the software is not only detail-oriented, but fast too, purging a 256GB SSD within five minutes. Better still, it keeps a record of its work so your organization can prove it did the erasure.

“Post-erasure, BitRaser automatically generates tamper-proof Certificates of Erasure and detailed reports that include details such as device serial number, erasure method used, date/time, and erasure status,” Sengupta said. “These certificates serve as verifiable proof for compliance audits and data privacy regulations like CCPA, GDPR, HIPAA, GLBA and SOX.”

The application doesn’t come cheap, however. You have to pay a license for between $4 and $20 per device, depending on the number of devices you want to sanitize. You’re also putting the burden on your internal IT department and counting on them to make sure everything is done properly.

And, after you’re done with BitRaser, you still have to find some way to dispose of the old laptops without throwing them in a dumpster. An enterprising enterprise could donate old machines to charity or start its own eBay store, but both of these efforts require some staff time.

Winston Wellington, CEO of cybersecurity firm WellTec Defense, told The Register that he suggests companies completely destroy their drives in-house and then look to a third-party to handle whatever pieces are left over.

“The best practice is for companies to manage hardware destruction themselves. Even when you work with a third-party vendor and you give them old hardware, it is better to destroy before handing it off,” Wellington said. “Now if you hand over the responsibility to the company, they will be liable if it is under a contract agreement. But I suggest you destroy it yourself and have them handle the e-waste.” ®