Shredding Security Levels

January 20, 2022 at 8:17 pm by Amanda Canale

When it comes to the destruction of end-of-life media in the US market, there are very strict guidelines and laws that address how classified, top secret, and controlled unclassified information (CUI) should be disposed and securely destroyed, determined by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). For example, the NSA mandates specific particle sizes for top secret and/or classified data that resides on all forms of media, and evaluates and lists end-of-life information destruction solutions for this purpose. For a list of media destructions solutions evaluated and listed by the NSA, click here.

However, most other guidelines and laws that apply to other types of government and commercial information do not provide specific destruction particle sizes to insure the most effective solution. Most simply indicate that media should be destroyed with the use of a shredder or other destruction solution. In industries like healthcare, finance, banking, education, and more, the importance of the proper disposal of end-of life media is better defined; however, the particle size specifics tend to be left open to interpretation. 

DIN Standards, otherwise known as Deutsches Institut für Normung, originated at the German Institute for Standardization, a non-government organization that serves as the national standard when it comes to improving the rationalization, safety, environmental protection, and quality assurance between the government and the public. While often not mandated, DIN guidelines serve as a widely accepted global standard that also provides clarity to vague end-of-life information destruction requirements.

Enter DIN 66399. These standards provide destruction particle size guidelines for information that resides on a wide range of media and that specifies protection categories. 

Q: What is the DIN Standard 66399?

A: DIN 66399 has become a globally accepted security standard for the shredding or destruction of all types of data media.

Q: Who is it for?

A: Sets out responsibilities regarding the protective security required for commercial organizations, government departments, and individuals to help make an informed choice of the correct equipment to guarantee all levels of secure destruction.

Introducing the Three Protection Categories

Class 1: for the normal protection required for internal data where disclosure would have a negative impact on a company or a risk of identity theft of an individual.

Class 2: for the higher protection of confidential data where disclosure would have a considerably negative effect or could breach legal obligations of a company; or offer a risk of adverse social or financial standing of an individual.

Class 3: for very high protection for confidential and top secret data which if disclosed could have terminal consequences for a company or government entity, and have a health and safety or personal freedom risk to individuals.

However, at the end of the day these regulations and protection categories are guidelines. Businesses and organizations should always err on the side of caution when it comes to the destruction of end-of-life data. It’s important to remember that a data breach is a data breach no matter the level of impact…and no matter when it takes place. There are no statute of limitations when it comes to compromised data: just because the information wasn’t misused then, doesn’t mean it won’t happen in the future. Therefore it is always best practice to adhere to the above regulations when it comes to your data destruction.

Six Media Categories

The DIN Association also defines six media format categories on where information may reside. They are as follows:

  • P: Paper based products
  • F: Film based products including micro-film, microfiche, slides, etc.
  • O: Optical media including CDs, DVDs, and Blu-ray Disks 
  • T: Magnetic data media like floppy discs, ID cards, magnetic tapes and cassettes, etc.
  • H: Hard drives from computers, laptops, and external devices
  • E: Electronic data media like memory sticks, cards, solid state drives, mobile phones

Seven Specific Security Levels 

Example: P = Paper media requirements

Protection Category

Media Paper

Security Level

Security Level Particle Size Requirement

Class 1

P

1

12mm strips or maximum particle surface area of 2,000mm²

Class 1

P

2

6mm strips or maximum particle surface area of 800mm²

Class 1

P

3

2mm strips or maximum particle surface area of 320mm²

Class 2

P

4

Maximum cross-cut particle surface area of 160mm² with a maximum strip width of 6mm = 6 x 25mm

Class 2

P

5

Maximum cross-cut particle surface area of 30mm² with a maximum strip width of 2mm = 2 x 15mm

Class 3

P

6

Maximum cross-cut particle surface area of 10mm² with a maximum strip width of 1mm = 1 x 10mm

Class 3

P

7

Maximum cross-cut particle surface area of 5mm² with a maximum strip width of 1mm = 1 x 5mm

Maximum Shred Size for Other Media

Class

Film

Max

Optical

Max

Tape

Max

Magnetic

Max

Electronic

Max

Class 1

F-1

160mm²

O-1

2000mm²

T-1

Inoperable

H-1

Inoperable

E-1

Inoperable

F-2

30mm²

O-2

800mm²

T-2

Split

H-2

Damaged

E-2

Split

F-3

10mm²

0-3

160mm²

T-3

2000mm²

H-3

Deformed

E-3

160mm²

Class 2

F-4

2.5mm²

0-4

30mm²

T-4

320mm²

H-4

2000mm²

E-4

30mm²

F-5

1mm²

0-5

10mm²

T-5

160mm²

H-5

320mm²

E-5

10mm²

Class 3

F-6

0.5mm²

O-6

5mm²

T-6

10mm²

H-6

160mm²

E-6

1mm²

F-7

0.2mm²

O-7

0.2mm²

T-7

2.5mm²

H-7

10mm²

E-7

0.5mm²

Q: How does SEM meet these requirements?

A: As a supplier of information destruction systems for the past 50 years, SEM is a leader in providing solutions to meet all destruction levels outlined in the DIN 66399 guidelines. From machines that can shred paper and optical disks to hard drives and data tapes (and more!), SEM has the answer.