After Hours

Implement a data destruction policy to keep corporate secrets safe

The Sarbanes-Oxley Act and other legislation have made data retention a hot topic. But about the flip side of the coin—what happens when your data has finally served its purpose? Mike Mullins explains the importance of a data destruction policy and discusses steps you can take to prevent unauthorized access to corporate data.

Over the past few years, data retention has become a critical issue for corporations as they take steps to comply with complicated legislation—particularly, the Sarbanes-Oxley Act. While companies obsess over the retention requirements and boost their storage capabilities, there seems to be a tendency to ignore the flip side of the coin: data destruction.

What happens when your data has finally served its purpose? Sooner or later, you'll need to clean out those storage devices and free up some space. In previous articles, I've discussed how to erase old hardware and wipe data from Cisco routers and switches before discarding them. But these aren't the only devices on which data resides.

How much data do you think your organization has lying around in old file cabinets or long-forgotten CDs? When it comes to old media, don't throw it away—destroy it! By destroying any media that the organization no longer needs, you deny data thieves access to corporate secrets.

In June, the U.S. Federal Trade Commission enacted legislation called the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA targets consumer information, such as the type that credit agencies and lenders collect—in hopes of fighting the growing epidemic of identity theft. However, it's a good idea to incorporate the principles of this law throughout your company as a best practice for media destruction.

FACTA requires "disposal practices that are reasonable and appropriate to prevent the unauthorized access to—or use of—information in a consumer report." But think about this in broader terms: The end result of all data destruction should be to deny unauthorized access to any information.

Of course, the method of destruction varies depending on the type of media in question. Let's look at some of the most common media types and the destruction method for each.


When it comes to policy and practice, companies often overlook paper as a form of media. However, it's vital to include this category in your overall data destruction strategy.

Stop throwing away reports and sticky notes, and start destroying them. Take steps to destroy all documents and handwritten notes produced as a part of your business as soon as they are no longer necessary to your business. The most common approach for complying with HIPAA and FACTA regulations is cross-cut shredding that yields a paper fragment of 1mm by 5mm.

CD-ROMs and DVDs

Almost every business produces CD-ROMs or DVDs, either for distribution to its clients or for internal data storage and portability. If you no longer need the information stored on that media or if you move the information to a different form of storage media, make sure you destroy the CD-ROMs or DVDs.

Several acceptable methods exist for the destruction of this type of media. Options include breaking the disks, cutting them up with scissors, and even a specialized machine that shreds CD-ROMs and DVDs.

Floppy disks and tape

By design, magnetic media such as floppy disks and tapes are easy to erase and write to many times. Erase the media with one of the freely available programs that formats and writes 0s and 1s in a random pattern. When you're finished with formatting and overwriting, use scissors to cut the media and render it useless to prying eyes.

USB drives

These days, almost everyone has a USB drive that holds anywhere from 32 MB to a GB or more. These devices are reusable, and many keep using them until they no longer function. If you do need to destroy one of these devices and can't reformat it, just break the device in half. That will render the device unusable to someone who finds it in the trash.

Final thoughts

When implementing a data destruction policy for your organization, keep in mind that you need to balance the risk of disclosure with the cost of destruction. (I intentionally didn't cover hard drives in this article, because hard drive destruction and destroying information on a hard drive is a totally different issue from portable media.)

In addition, remember that if the data is valuable enough, someone might go to extraordinary lengths to recover that information. Regardless of the value of the data or the method you use to destroy your media, the end result should be to completely deny unauthorized access to the data.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Editor's Picks

Free Newsletters, In your Inbox