
This document reflects the real world questions that we receive from our customers every day. We will continue to add to it as new issues and questions emerge.
I understand there are government standards for data eradication other than the well-known Department of Defense 5220.22-M standard, such as one promulgated by the Department of Energy. Is that correct?
DOE M 205.1-2 is the DOE Manual which is fully titled: "Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware." The document can be found on the DOE website.
Does encryption provide satisfactory protection for disk drives and tape media that are taken out of service?
Encryption is a good idea for many types of devices and situations. However, it is not foolproof or fully adequate where enterprise level protection is required. Specifically, the very fact that data still exists on the disk drive causes it to fall short of the widely accepted DoD 5220.22 clearing standards. Moreover, it should be noted that encryption methodologies generally do not encrypt deleted data. That data is then relatively easily recoverable unless it is eradicated to the DoD standard.
Whose responsibility is it when a third party (e.g. archival storage company) loses my data?
The simple answer is that data is your responsibility, forever. Not only third party storage companies, but storage vendors and others who may take data offsite do not take custody of that data. Your only real protection is to keep that data under your control at all times. If the data is obsolete, eradicate it before allowing it to leave your premises.
What do disk vendors do with failed drives?
Make sure you carefully read your maintenance agreement. Typically, it will say that the customer is responsible for the eradication of drives before they are returned. Of course, they have to be returned in order to receive maintenance credit. Otherwise, the cost can be greater than $1,000 per drive. That is why proper eradication, done onsite, can be a very cost-effective solution.
What is the big risk if I allow my failed or off-lease drives to return to the vendor un-eradicated?
Very simply, the fact that there is data on these drives is the risk. It doesn’t matter whether the data is compromised or not. If the physical drives go missing your reporting and regulatory requirements are such that all that data has, in fact, been compromised. When data goes missing it is a very costly exercise to deal with the matter. Most of these costs, fines and notification expenses are calculable. The cost to a company’s reputation, while incalculable, is probably the greatest cost.
We shred and recycle drives in multiple locations. Would we be better off centralizing the process and, if so, what is the best method for transporting the drives?
The best and safest method is to destroy the disks onsite so as to avoid the risk inherent in transportation. Better yet, use a third party vendor who can perform the process for you and provide certification under your oversight. These vendors can also provide expert witness testimony should there ever be a question about your process.
Is a single-pass eradication adequate for DASD?
The DOD 5220.22-M clearing standard stipulates three passes using a specific methodology. The DOD 5220.22-M ECE stipulates a seven-pass approach. Anything less than the three-pass standard would be inadequate.
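The following is an added illustration of what a three-pass overwrite with read-back verification looks like in practice; it is not PeakData's own tooling and is not a certified implementation of DOD 5220.22-M. It operates on a constructed temporary file standing in for a disk image, and the pattern choice (a fixed byte, its complement, then random data, each followed by a verification read) is an assumed, commonly cited reading of the three-pass method:

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # stream large images through memory in 64 KiB pieces


def _pattern_chunk(pass_no: int, length: int) -> bytes:
    """Bytes for one chunk of a given pass (assumed pattern choice, see lead-in)."""
    if pass_no == 1:
        return b"\x00" * length            # pass 1: a fixed character
    if pass_no == 2:
        return b"\xff" * length            # pass 2: its bitwise complement
    return secrets.token_bytes(length)     # pass 3: random data


def _overwrite_and_verify(path: str, pass_no: int) -> bool:
    """Overwrite every byte of the image in place, then read it back and compare."""
    size = os.path.getsize(path)
    written = hashlib.sha256()
    with open(path, "r+b") as f:          # r+b overwrites in place without truncating
        f.seek(0)
        remaining = size
        while remaining:
            chunk = _pattern_chunk(pass_no, min(CHUNK, remaining))
            f.write(chunk)
            written.update(chunk)
            remaining -= len(chunk)
        f.flush()
        os.fsync(f.fileno())              # push the write through the OS cache
    readback = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            readback.update(chunk)
    return readback.digest() == written.digest()


def three_pass_eradicate(path: str) -> dict:
    """Run three overwrite passes; stop early if a verification read fails."""
    results = {}
    for pass_no in (1, 2, 3):
        ok = _overwrite_and_verify(path, pass_no)
        results[pass_no] = ok
        if not ok:
            break  # media that fails verification cannot be reported as cleared
    return results


def contains(path: str, needle: bytes) -> bool:
    """True if a marker string is still visible to a plain read of the image."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    """Build a constructed image holding a marker, eradicate it, and report results."""
    marker = b"CUSTOMER-RECORD-CONSTRUCTED-SAMPLE "   # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4000)                     # 140,000 bytes, spans several chunks
        path = tmp.name
    try:
        before = contains(path, marker)
        results = three_pass_eradicate(path)
        after = contains(path, marker)
        size = os.path.getsize(path)
    finally:
        os.unlink(path)
    return {"marker_present_before": before, "marker_present_after": after,
            "passes": results, "size_bytes": size}


if __name__ == "__main__":
    print(demo())
```

The per-pass verification read is the part worth copying: a pass that was written but not read back proves nothing about what the media will return later. Note that overwriting through a file system, as this example does, only reaches the addresses the operating system exposes; reallocated sectors and the deleted-but-unallocated areas mentioned in the encryption answer above are exactly what a file-level overwrite misses, which is why enterprise eradication is done against the whole device.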
There are lots of disk wiping utilities for sale these days. Can they do the job?
There are many available, but they are generally designed for consumer PCs. They are not adequate, or even generally usable, for enterprise disk and tape. Nor should they be considered adequate for desktop systems or servers that contain sensitive customer and employee data.
What is the standard for shredding drives?
The generally accepted standard is to shred to 1/225th of an inch, rendering the pieces smaller than one that would contain a 512K block of data.
Are the disk shredding appliances that are commercially available good enough for the task?
They may be adequate for low-end ATA or SATA drives. They are not capable enough for enterprise Fibre Channel or SCSI drives.
What environmental standards and "Green" certifications does PeakData adhere to?
We are pleased that our environmental leadership has been recognized internationally by the U.S. Environmental Protection Agency and the European Community. The EPA launched WasteWise in January 1994 as a voluntary partnership program designed to help organizations implement practical methods for reducing municipal solid waste. WasteWise focuses on three key elements of waste reduction—waste prevention, recycling, and buying or manufacturing recycled content products.
Organizations joining WasteWise agree to develop goals in these areas, track their results, and share their accomplishments with the program. To facilitate the implementation of waste reduction programs, WasteWise provides partners with guidance for establishing goals and tips for monitoring progress. EPA commends partners for their achievements through the presentation of WasteWise awards and features in program articles and publications.
The European Union (EU) Directive on Waste from Electrical and Electronic Equipment (WEEE) is intended to protect the quality of the environment and human health through the prudent use of natural resources and the adoption of waste management strategies that focus on recycling and reuse. Since August 13, 2005, EU Member States’ WEEE laws have been enacted. Under these laws, producers of most electrical equipment are responsible for their products at the end of their useful lives. Producer responsibility includes meeting labeling requirements, providing information to end-users and treatment facilities, ensuring the availability of collection infrastructure, submitting sales and recovery data, and financing WEEE costs. In addition, PeakData is a member of the National Association for Information Destruction (NAID).