
Information Disposal


Storage devices (computers, CDs/DVDs, USB drives, etc.) contain an enormous amount of data (passwords, account numbers, names, addresses, etc.) that can easily be retrieved if the device is not disposed of properly. Before disposing of a storage device, it is a good idea to wipe (erase, not just delete) all information on it with an approved program. Wiping data from storage devices before disposal is a critical step that prevents criminals from using the data for identity theft, company breaches, and leverage for ransom. The disposal method is determined by the value of the information, the company’s policy, and government requirements. The most common disposal methods are shredding, degaussing, and, in some cases, incinerating. If information is not properly wiped, the result can be catastrophic for an individual, company, or organization, because criminals have special programs that piece together improperly erased information.

What is Information Disposal?

Information disposal is the process of wiping (erasing) data from storage devices before reusing or destroying the device. The benefits of wiping data before disposal are prevention of identity theft and a decrease in accidental information disclosures and security breaches. Information disposal also applies to printed documentation, because printed documentation contains just as much information as electronic data. Wiping data from storage devices is very important for one major reason: criminals will use devices that have not been properly wiped and disposed of to steal identities, breach company security, or gain leverage of one sort or another.

Use the following steps as a guide for determining the proper disposal method:

  1. Determine the value of the information: can it be used to gain access to account information, classified documentation, personal information, etc.?
  2. Wipe the information from the storage device using an approved program.
  3. Choose the proper disposal method according to policies, procedures, or standards: shred, degauss, or incinerate.
  4. Dispose of or reuse the device according to policies, procedures, or standards.

Determining Value

Determining the value of information depends on the type of information (classified or unclassified), company policies/procedures/standards, and government laws/practices. Items to consider when determining the value of information include identifiable factors (names, addresses, Social Security numbers, bank/credit account numbers, etc.), whether the information is secured, and who has access to it. If these items are not considered, the information can be compromised very easily, and the effect on an individual, company, or organization could be devastating. Customers will lose respect for a company, possibly forcing it out of business. The individual will be forced to spend countless hours resolving identity issues, and policies will need to be developed or modified and strictly enforced.

Disposal Method

Once the value of the information is determined and the device has been wiped, a disposal method can be chosen. Three of the most popular methods of disposal are shredding, degaussing, and incinerating. Shredding is the most popular because it is the easiest to do, incinerating is used when shredding is unavailable, and degaussing is used in extreme cases. If documents are being shredded, ensure the pieces are micro-shredded; if the shredder makes a strip cut, the paper can be taped back together and read. Be careful of fumes and debris when incinerating, as they can be toxic. Degaussing takes a magnet to the device and wipes the information permanently. Remember to dispose of or reuse the storage device according to the company’s policy. Also, before disposing of any storage device, ensure the information is fully wiped. Programs that can read partially destroyed data are readily available on the Internet.

Remember that properly erasing information significantly reduces the threat of criminals selling, blackmailing with, displaying, or transmitting the information to dishonest persons or companies. It also reduces the risk of data loss by ensuring that the information was destroyed within policies/standards/procedures, and it prevents unauthorized personnel from destroying data they are not entitled to view. Understanding the value of the information is key to determining how the information will be disposed of. Policies are then enforced to provide a basic understanding of what is required when disposing of information and to protect individuals, companies, and organizations in legal proceedings. Preventing information disclosure is everyone’s responsibility, because identity thieves love finding information on a device that was thrown out; it makes their job of stealing identities or classified information 10 times easier.