While most businesses hold information on their customers, clients and partners, financial institutions are in an unenviable position of holding much more sensitive information. They will not only store communication details such as names and e-mail addresses but also bank account information, social security numbers, physical addresses and in some cases photo IDs of their customers. Even more worrying is that these accounts will often be connected to other accounts for the purposes of taxes, paying bills and any number of other connections.
The importance of data security for this industry cannot be overstated; a data breach doesn't just open a financial institution up to very large government and regulatory fines, but also damage to the company's reputation. The threat doesn't just come from obvious sources either, such as hackers or rival companies - a mid-level manager could forget his phone or laptop on a train, opening the possibility of enquiring eyes looking through the device.
All this means that financial institutions and banks must keep rigorous data security and destruction processes, systems and audits in place, or run afoul of rightfully stringent government policy and Compliance . These companies must keep customer information for a set amount of time, then destroy this data in a responsible manner.
The following are the only secure ways in which this data can be destroyed.
1) Degaussing
Degaussing uses an electromagnetic field to erase the data on a hard drive disk completely, as well as destroy the core components of a hard drive, and deleting the servo firmware, rendering it useless even if recovered.
The basic explanation of how this works is that a disk drive uses a platter that contains a thin layer of magnetic material, usually iron oxide. A read/write head passes small currents of electricity onto this platter and turns individual pieces into a positive or negative charge, which provides the binary 1's and 0's that make up the data on the drive.
A degausser generates magnetic fields powerful enough to destroy the magnetic properties of the platter as well as randomize all the data pieces, therefore, shredding the data. One thing to bear in mind is generally, the larger the disk space on a hard drive, the more powerful the magnetic field it will require to be degaussed. Degaussing is always best left to specialist companies that know the requirements needed for each type of hard drive; ensuring you do your due diligence with destroying your held data.
2) Erasure
Data erasure is not the same as deleting data. It's important to bear in mind, while using a PC or device, when a file is deleted through the operating system, it isn't deleted. Instead it is marked for re-writing by the hard drive. If this drive is then lost or accessed by a hacker before the data is overwritten, the data will still be recoverable.
How erasure differs is that it uses specialised software to overwrite the data on a disc. It does this by manually writing a 1 or 0 onto every bit of data on the hard drive, which effectively destroys any data the hard drive once held. Almost all data destruction specialist companies can also provide a certificate of erasure, which we will go into more later.
There is a benefit and a major drawback to this technique. The benefit is that hard drives cleared in this way are still operable and usable after erasure. The drawback is that this technique doesn't have a 100% success rate on flash drives and new solid state drives. However, the minority of failed drives are listed as failed on any certificate of erasure provided after completion. Each drive can be identified by serial number and erasure status.
3) Secure Transportation
Of course, an important part of data destruction is ensuring that the data to be destroyed is transported to a destruction facility securely. The worst-case scenario for a financial institution is that they send a large shipment of hard drives to a destruction facility, only for that truck to be hijacked and the contents sold to the highest bidder.
That’s a fairly extreme scenario. More likely though, is poorly planned logistics companies misplacing the equipment in transit.
Due to this, responsible data destruction facilities will have regular, scheduled and protected pick-up and delivery, often with a fleet of their own trucks. These occurrences should be confirmed, scanned and logged for future reference.
4) Certificate of Destruction & Video
A good way to keep a financial institution protected during data destruction audits is to have a paper trail of due diligence. Having a certificate of destruction will allow you to show that you've done your part in making sure the data cannot be found by unauthorised persons. However, the safest way is to have video evidence of the destruction taking place, with the serial number you have on record in view.
Conclusion
While the threat and penalties of data theft or dereliction can be great, financial institutions and banks can keep themselves safe by taking a few main steps.
- Have records of all hardware that sensitive data is stored on
- Log the type and model of each hard disk
- Keep this hardware and data decentralized and off the main network when not needed
- Place the hardware in secure storage when being deprecated and/or replaced
- Have it transported and destroyed by a reputable company
- Gain evidence of the destruction taking place
Following these steps ensure a company is doing everything in its power to keep sensitive data safe and secure, while also keeping itself safe from any government or consumer watchdog auditing that may occur.
Daniel Santry is US Business Development Executive for Wisetek, global leaders in IT Asset Disposition, Data Destruction, & IT Reuse.