31Mar 2023
Your data is rarely completely safe, even when you think it is.
Cybersecurity breaches and data leaks are the kinds of things that you hear about happening to other people but you can never imagine happening to you until they do.
We all like to think that once we empty our Recycle Bin, our files are gone and we can leave them at that. In truth, deleting your files the conventional way is no more secure than throwing paper documents in the trash without running them through a paper shredder. They’re still accessible to hackers who know what they’re doing to rifle through and do as they please with them.
Deleting your files without wiping the data from your hard drive leaves both you and your customers vulnerable. The only way to delete old or sensitive files permanently is with data shredding – the process of deleting the data your digital files are encoded on.
This post will cover what data shredding is and how it works, go over the different types of data destruction, and Canadian digital privacy laws related to data shredding.
What is Data Shredding?
Data shredding is the process of removing or destroying digital and electronic data permanently so they cannot be retrieved or recovered. Shredding your data is analogous to running your documents through a paper shredder before throwing them out, and for a very similar reason.
Shredding means removing specific files, folders, or digital documents from a device permanently rather than merely deleting them or wiping the hard drive altogether.
Although data shredding is often used interchangeably with wiping or erasing, shredding is a term that refers to a specific type of data destruction. Shredding is different from deletion because deleted files can still be recovered if you really need them. It’s also different from wiping a hard drive, in which all the information on a device or hard drive is removed.
Why Old Data Needs to be Safely Deleted
Most modern businesses use electronic recordkeeping to store customer information and business records like invoices, contracts, and receipts.
A 2020 study by International Data Group showed that small businesses store about 47.81 terabytes of data, and that figure will grow 50% over the next 12-18 months.
If that information falls into the hands of hackers, scammers, or bad actors, it can really hurt your customers when they have their personal information or credit card info compromised.
Businesses that store sensitive information like classified government files, medical records, and legal records that can be used to identify individuals are under stronger regulatory scrutiny. In turn, they have to take extra measures to ensure their unused digital files are destroyed and cannot be recovered.
Data breaches hurt your business as well as your customers. When data breaches go public it damages your business’s reputation and brand trust, or can even get you involved in costly and drawn-out lawsuits in the worst cases.
Routinely shredding your old data is also in your best interest as a business owner. It’s best practice to stay within the limitations of data privacy compliance laws, and it saves you the money you would otherwise need to spend on document management services.
Deleting your files does not remove them permanently, but merely frees up space on your hard drive for new data. Throwing out your old devices and shredding hard drives is also bad for the environment and leaves them at risk of being stolen physically.
Types of Shredding Methods
Secure shredding of documents and disposing of data should be done routinely at the end of a device’s lifecycle, both to stay within legal requirements for data security, as well as to protect your customers from having their data exploited.
With that being the case, data shredding and hard drive shredding can be a time-consuming and costly process. There are different methods of force deleting old files. While none of them are foolproof, understanding how each one works can help you determine the best method of shredding for your business.
Deletion
This is the simplest form of data erasure. Deleting a file removes it from its folder without actually destroying the data itself, which remains on the hard drive. Deleted files can be easily recovered by unauthorized users using data recovery software. As such, deletion is not a recommended method for most small or medium-sized businesses.
Wiping
Wiping data takes it one step further by erasing data from the device itself so it can no longer be retrieved, keeping the device itself usable. While this method destroys data more effectively than deletion, data wiping is also time-consuming and can take hours to complete, making it impractical for many small business owners.
Overwriting
Data overwriting replaces the existing data with an incomprehensible string of 1’s and 0’s, effectively reducing the data to garbled gibberish.
Overwriting data once is usually enough to make it unrecoverable, but some cases involving highly-security information may require multiple passes to ensure the data is destroyed.
While still more effective than deletion and wiping, overwriting is not foolproof. The process can still leave bits of residual data, known as bit shadows, that can be viewed with an electron microscope. While this is a concern for organizations that deal with highly-secure material, operations that deal with lower-risk information shouldn’t need to worry.
Overwriting takes a lot of time to complete for each device, like wiping, and it only works if the device itself hasn’t been damaged or corrupted.
Degaussing
It’s one thing to overwrite data or wipe it off a hard drive altogether, but degaussing takes it further still by making the device itself unusable. Degaussing destroys the magnetic field in a hard drive that stores the data, neutralizing it and rendering it empty.
Businesses that degauss their hard drives can quickly and efficiently remove a large volume of data off of multiple devices, but the biggest drawback is that it renders the device itself unusable. It’s also impossible to verify if the data has been destroyed without an electron microscope.
The degaussing method may not be able to adapt to changes in technology as devices become denser and carry more storage space. They also don’t work on devices that use more advanced storage methods like solid-state drives (SSD) or hybrid drives.
Physical Destruction
When all else fails, you can destroy the physical device itself – USB flash drives, external hard drive disks, point-of-sale machines – breaking them into pieces by smashing them with a hammer, drilling them to shreds, or melting them. The device is gone for good, along with any data contained within.
While this method is effective, physical destruction has its own drawbacks. For one thing, it’s costly and wasteful, as it destroys expensive electronic equipment and is environmentally hazardous.
It’s also prone to human error. If the storage disk on a device itself isn’t properly destroyed, hackers and bad actors can still retrieve the data using forensic methods. The data is only lost if the disk is broken into pieces.
Shredding
Data shredding is the most secure and cost-effective method for destroying data that is fast, secure, and thorough. It’s a great way to destroy hard drives or SSD devices that have reached the end of their lifecycle.
This method involves shredding the storage device into tiny fragments as small as 2mm. It’s an effective way to destroy data if you need to delete a stockpile of obsolete hard drives. This should be the method of choice for any businesses that deal with high-security material.
Security and Regulatory Considerations for Data Shredding in Canada
Each country has its laws and regulations for proper storage and destruction of private consumer data.
Canadian lawmakers have put rules in place to ensure businesses remove data properly in a way that minimizes the chance of a security breach. Canadian businesses are required to implement protocols that protect their sensitive data from loss or theft.
Two major laws in Canada cover data shredding: PIPEDA and the Privacy Act.
The Privacy Act of 2019 outlines a citizen’s right to access and revise whatever personal information the Canadian Government has on them. This law relates more to Canadian government institutions and agencies.
Meanwhile, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use, and disclosure of private information for commercial purposes.
Principle 5 of PIPEDA places the responsibility on businesses to properly dispose of sensitive information:
“Personal information that is no longer required to fulfill the identified (business) purposes should be destroyed, erased or made anonymous”
Data Shredding Protects Your Customers – and Your Business
While no method of data destruction is foolproof, data shredding is the fastest, most efficient, and most cost-effective way for small and medium-sized businesses to remove all of their old data in a way that leaves no security risk.Until you’re ready to dispose of your data or hard drives, DOCUDavit offers a document storage service where you can store your sensitive data, and keep it from getting into the wrong hands. Contact us today to learn how we can wipe your security concerns clean.