Is In-House Data Destruction Really Necessary? The Answer is a Big YES!

October 29, 2019 at 8:19 am by Paul Falcone

As we get deeper and deeper into the digital age, the ever-growing demand for the creation, storage, dissemination and destruction of Big Data continues to drive the development of increasingly complex technology. Today the average consumer can create and store more data in more ways and at a faster rate than ever before; likewise, the capability of organizations to create, harvest and analyze head-spinning amounts of data—at speeds faster than the human eye can blink—is simply unprecedented.

While innovation has exponentially enhanced our ability to communicate, it also brings new challenges and risks that must be given serious consideration. With commerce, healthcare, education, finance, government, and municipal industries fully embracing digital technology to migrate and manage data flow across their entire scope of operations, the stakes arising from compromised, breached, and/or exposed data couldn’t be higher.

Since such data is of inestimable value, protecting it from unauthorized access through end-of-life is essential. Accordingly, legislation and regulations governing data collection, storage, and destruction for any organization handling personally identifiable information (PII), classified information, controlled unclassified information (CUI), sensitive but unclassified information (SBU), or For Official Use Only (FOUO) information continue to grow more stringent.

Unfortunately, egregious data breaches have become almost commonplace, with regular news coverage highlighting the dangers down to the consumer level. After a slight decrease in reported breaches from 2017 to 2018, 2019 has seen a sharp increase: according to the 2019 MidYear QuickView Data Breach Report, 3,813 breaches had exposed over 4.1 billion records as of July 2019. Separately, the average total cost of a breach has been put at $3.86 million, or about $148 per lost or stolen record.

Another alarming trend is the growing frequency of attacks on third-party vendors. Criminals have been targeting organizations that provide data management, control, and destruction services for multiple entities, thereby increasing the amount of data that can be harvested from one source. A recent survey found that 59% of companies experienced a third-party data breach in 2018.

So how does an organization protect itself?

Data encryption, management, transfer, and destruction are increasingly demanding tasks, which often prompts companies to rely on third-party solutions to reduce in-house workload. Doing so, however, hands sensitive data to an outside organization, and, as the third-party breach figures above show, that hand-off is a leading source of data security incidents.

Using a third party for your data destruction exposes your organization at several points in the process. The first is the hand-off itself: once media leaves your facility, you depend on the vendor's chain of custody, transport, and staff for as long as the data remains readable. To keep that window closed, classified data and sensitive data such as PII, CUI, SBU, and FOUO should be destroyed immediately and on site at end-of-life.

Several concrete examples illustrate the severe risks inherent in using third-party, off-site sources for IT asset disposition (ITAD). Particularly concerning are real-life episodes in which third-party providers did not destroy the data as promised, which has been documented at every level of commerce. In one such instance, a man went to a Best Buy in Cincinnati, OH, in 2005 to replace a hard drive and was assured that his old one would be destroyed. Six months later, however, he received a phone call from a complete stranger in Chicago who had purchased his hard drive for $25 at a local flea market. The stranger was able to contact the man because all of his personal information was still stored on the hard drive.

In 2009, British telecom firm BT and the University of Glamorgan randomly purchased 300 hard disks from various fairs and auctions and discovered that 34% of them still housed personal data. In fact, in addition to banking and medical details, the research team even found Terminal High Altitude Area Defense (THAAD) data pertaining to missile defense systems.

In 2017, technology firm Kroll Ontrack purchased 64 used hard drives on eBay. The company discovered that more than 50% of the hard drives contained sensitive data, sometimes belonging to commercial organizations. It was determined that one of the drives originated at a company that reportedly used a service provider to erase and sell its old drives; the drive still contained sensitive information, including home addresses, phone numbers, user names, credit card details, and a database containing a host of employee-related information.

Just this year, Finnish company Blancco published the results of a study in which it purchased 159 used hard drives on eBay from American and European sellers who stated the data had been wiped clean prior to resale. Nonetheless, 42% of the hard drives still held data from the previous owner, and 15% contained PII such as passports, birth certificates, and financial records. Other drives held internal FOUO emails, files from a freight company including vehicle registrations, and records from a school containing student photos, names, and grades.

Clearly, the solution is to destroy personal and sensitive data thoroughly, well past the point of possible reconstruction, when it reaches end-of-life. Although many companies claim to provide this service, the only way to be certain the data is gone is to destroy it in-house with properly rated equipment. The National Security Agency/Central Security Service (NSA/CSS) maintains Evaluated Products Lists (EPLs) of approved destruction devices for paper, optical media, magnetic hard disks, and solid state drives. The lists are media-specific for a reason: a degausser that sanitizes a magnetic hard drive does nothing to the flash memory in an SSD, which must be physically destroyed by a device rated for that media instead. Outside the classified world, NIST SP 800-88 Rev. 1 describes the same Clear, Purge, and Destroy hierarchy for commercial and CUI media.
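Verification is the step the sellers in the studies above skipped. The following is an added example, not code from SEM or from any of the studies cited, of the residual-data check a practitioner can run against a raw image of a drive (for instance one taken with `dd`) before trusting a vendor's "wiped" claim. It labels each 4 KiB block as blank, random, data, or a known file header, and fails the drive if any block still carries structured content. The signature table, entropy threshold, and the 16-block sample image are all constructed for this example; the image stands in for a drive whose overwrite skipped two blocks in the middle.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # 4 KiB, the physical sector size of most current drives

# Magic bytes for file types like those recovered in the studies cited above.
# Constructed, abbreviated list; a real scan would use a fuller signature
# database such as the one behind file(1).
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP / Office Open XML document",
    b"SQLite format 3\x00": "SQLite database",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "legacy Microsoft Office document",
}
RANDOM_ENTROPY = 7.0  # bits per byte; 4 KiB of random bytes scores ~7.9, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label one block of the image:
    'blank'      - a single repeated byte value (what a zero/one-fill overwrite leaves)
    'signature:' - starts with a known file header: unambiguous residual data
    'random'     - high entropy, consistent with a random-pattern overwrite or crypto-erase
    'data'       - anything else: structured content a wipe should have removed
    Caveat: compressed or encrypted user files are also high-entropy, so 'random'
    is evidence of sanitization, never proof of it."""
    if len(set(block)) == 1:
        return "blank"
    for magic, name in SIGNATURES.items():
        if block.startswith(magic):
            return "signature:" + name
    if shannon_entropy(block) >= RANDOM_ENTROPY:
        return "random"
    return "data"


def scan_image(image: bytes, block_size: int = BLOCK) -> dict:
    """Classify every block and return a report; the verdict is PASS only if
    no block is 'data' and no block carries a file signature."""
    counts = Counter()
    hits = []  # (offset, file type) for every signature match
    for off in range(0, len(image), block_size):
        kind = classify_block(image[off:off + block_size])
        if kind.startswith("signature:"):
            counts["signature"] += 1
            hits.append((off, kind.split(":", 1)[1]))
        else:
            counts[kind] += 1
    residual = counts["data"] + counts["signature"]
    return {
        "blocks": sum(counts.values()),
        "blank": counts["blank"],
        "random": counts["random"],
        "data": counts["data"],
        "signature": counts["signature"],
        "residual_blocks": residual,
        "hits": hits,
        "verdict": "FAIL" if residual else "PASS",
    }


def pseudo_random_block(seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for a
    random-pattern overwrite, so the example runs offline and repeatably."""
    out = b""
    while len(out) < BLOCK:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:BLOCK]


def build_constructed_image() -> bytes:
    """Constructed 16-block 'drive image', not a real device: the seller says it
    was wiped, but the overwrite skipped an HR record and a photo header."""
    blank = b"\x00" * BLOCK
    rnd = pseudo_random_block()
    record = b"Employee: Jane Doe, ID 000-00-0000, Home: 1 Example Street\r\n"
    text = (record * (BLOCK // len(record) + 1))[:BLOCK]                 # fictitious HR data
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * (BLOCK - 11)  # JPEG/JFIF header
    return blank * 10 + rnd * 2 + text + jpeg + blank * 2


if __name__ == "__main__":
    report = scan_image(build_constructed_image())
    print(report["verdict"], report["residual_blocks"], "residual block(s)", report["hits"])
```

A PASS from this scan only shows that nothing readable remains in the logical block range; it says nothing about remapped sectors, SSD over-provisioned flash, or host-protected areas that a normal read never reaches, which is exactly why the NSA/CSS lists call for physical destruction of sensitive media rather than relying on an overwrite.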

At SEM, we take data destruction seriously. Our destruction devices meet, and frequently exceed, all current requirements for even the highest levels of security. An investment in in-house destruction equipment is more cost-effective over the long term than a third-party service, but, most importantly, it removes the hand-off to an outside party on which every failure described above depended.