Tech Guides :: Securing Confidential Information

Secure Destruction of Personally Identifiable and Confidential Information

California Civil Code 1798.81 requires that “A business shall take all reasonable steps to destroy, or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” 1

The key phrase here is “take all reasonable steps.” The purpose of this memorandum is to establish reasonable steps for Humboldt State University to comply with the code when disposing of media that contain unencrypted personally identifiable or confidential information: see Security Memo “Encryption”.

Computer Hard Drive Disks

Only two processes have been established that will make unencrypted records on a computer hard disk truly “unreadable or undecipherable through any means.” The first is to take the platters out of the hard drive and melt them. Note that the platters must be removed from the hard drive before heating them because simply burning the hard disk with the platters inside may not destroy the platters completely. The second process is to overwrite the disk for 35 passes using a different pattern for each overwrite. Neither of these approaches is reasonable for HSU. HSU does not have the staff or facilities for dismantling the disk drives and melting the platters. Further, a 35-pass overwrite requires about three hours per Gbyte of disk space to complete, or 240 hours for an 80 Gbyte disk, using some of the available disk-overwrite programs. The military standard, DoD 5330.22-M NISPOM (National Industrial Program Operating Manual), only recommends three passes, but even three passes require almost 24 hours to complete for an 80 Gbyte disk using one of the slower disk-overwrite programs.

A number of utilities are available for overwriting disks. Apple Computer's built-in disk utilities provide options to zero out data (one-pass overwrite) as well as seven-pass and 35-pass overwrite options. Secure Harddisk Eraser provides three-pass and 35-pass overwrite options for Intel-based and compatible computers. Academic Computing can provide it on a CD on request. DBAN (Darik's Boot and Nuke), also available free at http://dban.sourceforge.net, supports an unlimited number of passes, has a specific DoD 5330.22-M NISPOM option, and executes more quickly than some of the other programs.

The following processes are reasonable for HSU systems administrators to use for the secure destruction of unencrypted personally identifiable and confidential data on University computer hard disks:

1. If a computer is being reassigned from one University employee to another within the same administrative unit, a reformat of the hard drive is reasonable.

2. If a computer is being reassigned from one University employee to another University employee in a different administrative unit, a reformat of the hard drive is reasonable. The “giving” department should assess, based on the risk to and criticality of any unencrypted personally identifiable or other confidential information that may have been stored on the hard drive in the past, whether it should perform a one-pass overwrite (typically zeros) of the disk instead.

3. If a computer is being reassigned from a University office to a shared or open University facility, such as a computer laboratory, a one-pass overwrite is reasonable. Overwriting the disk by ghosting the lab image onto it is an acceptable alternative.

4. If a working computer is being surveyed to the University Property Office for disposal off-campus, and the hard drive is being included, a three-pass overwrite is reasonable. If the overwrite utility supports it, one of the passes should be a zeroing pass.

5. If a non-working computer (electronic junk) is being surveyed to the University Property Office for disposal, the hard drive must be removed. Hard drives are not to be remounted in different University computers unless the contents of the hard drive are destroyed in accordance with the appropriate method (1, 2, or 3) above.

6. The contents of hard drives being used for trade-ins must be destroyed (e.g., even an operating system cannot be left on the drive). A three-pass overwrite is reasonable. If the overwrite utility supports it, one of the passes should be a zeroing pass.

7. If a computer is being returned for maintenance service or warranty exchange to a vendor and the hard drive has contained unencrypted personally identifiable or confidential information at any time since a three-pass overwrite has been performed, the contents of the hard drive must be destroyed. A three-pass overwrite is reasonable. If the overwrite utility supports it, one of the passes should be a zeroing pass. Note that most computer manufacturers' warranty agreements make the buyer responsible for removing all sensitive data from a computer before returning it for service. They do not take any responsibility for protecting that data.

8. A failed hard drive that has contained unencrypted personally identifiable or confidential information at any time since a three-pass overwrite has been performed cannot be returned to a vendor for maintenance service or warranty exchange. Some vendors at the time of sale, and for a price, allow the buyer the option to keep and destroy a failed hard drive instead of having to return it in order to get a replacement drive. Offices need to assess whether the cost of such service exceeds the losses that may be incurred by not being able to use the maintenance/warranty service to repair broken hard drives. The problem can be avoided by encrypting any personally identifiable or confidential information stored on the hard drive. If encryption is used, such drives can be returned for maintenance/warranty service.

9. Hard drives removed from computers will be made inoperable prior to disposal. This may be accomplished by denting the hard drive sufficiently with a hammer so that the platters are deformed and will not move or by drilling a hole through the hard drive and platters. The National Institute of Standards and Technology, in NIST Special Publication 800-88, Guidelines for Media Sanitization, recommends the hammer method and also recommends smashing the connectors on the drive. The systems administrator should take appropriate personal safety precautions, such as wearing safety glasses.
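As an added example, not part of the original memorandum and not the code of any utility named above, the following Python shows the three-pass overwrite with a final zeroing pass called for in items 4, 6, and 7, followed by a read-back check that the zeroing pass reached every byte. The function names and the constructed sample record are assumptions, and the demo runs against a temporary image file rather than a real drive.

```python
import os
import tempfile

CHUNK = 64 * 1024  # bytes written or read per I/O call
MARKER = b"name=Constructed Sample;id=000-00-0000\n"  # constructed record, not real data

def overwrite(path, passes=3):
    """Overwrite every byte of `path`; the last pass is the zeroing pass."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # on Linux this also sizes a block device
        for kind in ["random"] * (passes - 1) + ["zero"]:
            dev.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                dev.write(os.urandom(n) if kind == "random" else bytes(n))
                remaining -= n
            dev.flush()
            os.fsync(dev.fileno())  # push this pass to the device before the next
    return size

def verify_zeroed(path):
    """Return the offset of the first non-zero byte, or None if all are zero."""
    offset = 0
    with open(path, "rb") as dev:
        while chunk := dev.read(CHUNK):
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)
    return None

def demo():
    """Fill a temporary image with sample records, wipe it, check the result."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(MARKER * 5000)
        path = img.name
    try:
        size = overwrite(path, passes=3)
        with open(path, "rb") as f:
            still_present = MARKER in f.read()
        return size, verify_zeroed(path), still_present
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

A non-`None` result from `verify_zeroed` is the byte offset where the zeroing pass did not take effect, which is the condition to treat as a failed wipe.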

Floppy Disks/DVDs/CDs

Floppy disks, DVDs, and CDs that contain personally identifiable or confidential information must be “shredded” prior to disposal. Coarse shredding, such as breaking the disks by bending them or hitting them with a hammer, is acceptable. Platters removed from hard drives also may be destroyed in this manner. The systems administrator should take appropriate personal safety precautions, such as wearing safety glasses.

Magnetic Tapes

Magnetic tapes, as well as video tapes and older forms of film, that contain personally identifiable or confidential information, should be pulled out of their canisters or off their reels, randomly cut in several locations, and crumpled.

Paper

Even incineration may not make printed material completely unrecoverable. However, under Civil Code 1798, paper documents containing personally identifiable or confidential information can be shredded. Using standard office shredders is reasonable at HSU.

1 The Wayne Shredding Bill (State Civil Code 1798.80-82) applies to unencrypted “sensitive” data. For purposes of the Code, the California State University, and thereby Humboldt State University, is considered a “business.”

Contacting the Campus Information Security Officer

The Campus Information Security Officer can be reached at (707) 826-3815 or security@humboldt.edu.

Endorsed by the Information Technology Council, February 14, 2006

© 2006 Humboldt State University : Information Technology Services : Rights & Usage