Under a Microscope: Dissecting the Implications of DIN 66399
Covering everything from safeguards for children’s toys to design requirements for roller sports equipment, DIN Security Standards are also used to help define and standardize the different levels of security for international physical data destruction. Originating in Europe, these standards are continually making headway toward global acceptance as a benchmark to set the size and type of data that needs to be destroyed appropriately.
DIN 66399 specifically addresses standards for the destruction of data devices. This particular standard—which replaced DIN 32757—features over 40 variations based on protection classes, material/media and security levels. These three broad criteria are intended to drive the data device destruction process, guiding users so they can make informed end-of-life data disposal decisions.
Protection Classes
Companies or government entities must begin the destruction process by first determining what type of data needs to be destroyed. DIN 66399 has three protection classes that help you define the requirements and classification for your data:
- Class 1: Normal Protection: Sensitivity for internal data that’s accessible by fairly large groups of people. Unauthorized information disclosure or transfer at this level could have negative effects on a company or make individuals vulnerable to identity theft and besmirching of reputation.
- Class 2: Higher Protection: Sensitivity for confidential data that’s restricted to a small group of employees. Unauthorized information disclosure or transfer at Class 2 would have serious effects on a company and could lead to violation of laws or contractual obligations. Disclosure of personal data runs the risk of serious damage to an individual’s social standing or financial situation.
- Class 3: Very High Protection: Sensitivity for confidential and top-secret data that’s restricted to an extremely small group of named individuals. Any information disclosure here would pose catastrophic, existential threats to a company/government entity and/or lead to violation of trade secrets, contracts and laws. Disclosure of personal data runs the risk of jeopardizing an individual’s personal freedom, safety, or life.
Material/Media Classification and Security Levels
Having determined the applicable protection class, you should subsequently consult DIN-66399 to classify the material on which your data resides and identify the corresponding security level. Per DIN standards, this data destruction security level will dictate the appropriate final shredding size for your media or paper documents.
DIN 66399 requirements by data device material are as follows:
- Film:Â DIN 66399 Material Classification F refers to information in miniaturized form (e.g., microfilm), with security levels running (lowest to highest) from F-1 to F-7. For example, F-1 stipulates a maximum material particle size of 160 mm2, while F-7 stipulates a corresponding size of 0.2 mm2.
- Optical Media: DIN 66399 Material Classification O pertains to information on optical data carriers (e.g., CDs/DVDs). Security levels run from O-1 (max 2,000 mm2) to O-7 (max 0.2 mm2).
- Magnetic Media: DIN 66399 Material Classification T pertains to information on magnetic data carriers (e.g., ID-cards, floppy disks and diskettes). Security levels run from T-1 (media must be rendered mechanically inoperable) to T-7 (max 2.5 mm2).
- Hard Drives: DIN 66399 Material Classification H pertains to information on hard drives with magnetic data carriers. Security levels run from H-1 (media must be rendered mechanically/electrically inoperable) to H-7 (max 5 mm2).
- Electronic Media: DIN 66399 Material Classification E pertains to information on electronic data carriers (e.g., chip cards and memory sticks/flash drives). Security levels run from E-1 (media must be rendered mechanically/electrically inoperable) to E-7 (max 0.5 mm2).
- Paper: DIN 66399 Material Classification P pertains to information presentation in original size (e.g., paper, films and printing plates). Security levels run from P-1 (max strip width of 12 mm or max particle surface area of 2,000 mm²) to P-7 (1 mm x 5 mm).
The Relevance of DIN 66399 Regarding NSA Standards
In the U.S., of course, standards for classified data or otherwise protected information and data destruction device compliance are determined, implemented, and monitored by the NSA—not by DIN.
Nonetheless, DIN 66399 is increasingly gaining merit worldwide, including the U.S., as reflective of best practices within the data destruction industry, and DIN is frequently referenced in U.S. data destruction requirements. What’s more, despite the use of DIN Security Standards being voluntary, they can become mandatory in certain instances when they are referred to in contracts, laws, or regulations.
For these reasons, it’s important to stay current on the structure of DIN 66399 and its compliance requirements when you are beginning your data destruction process.