Companies work on various types of data shredding services, where they are asked to destroy the data that was required to be done so, for various privacy and security issues. These type of destruction of data is to be done with extreme care and after the destruction has taken place, a proof is needed to be produced so that it can be verified that the task was completed efficiently while complying to all the rules and regulations. This ‘proof’ of the service is called a Certificate of Destruction (COD).
This document, therefore, is very important for the peace of your mind, that the data you required to be done with, has been destroyed following the proper privacy laws, and is no longer posing a threat to your company.
Why is a Certificate of Destruction required?
Many companies have sensitive information that can create a breach in their security, and it is useful for them to destroy this information safely, with the set protocols, so that their privacy and security isn’t at risk anymore. If your organization caters to companies which need their confidential information to be destroyed, you will be required to produce a Certificate of Destruction. This certificate is going to be working as an audit document to certify that all the sensitive data that the company needed to be destroyed, including various hard drives, media, components, has been done so by complying to the rules and laws. It ensures that the destruction was irreversible, and that the contents cannot be recovered even with forensic techniques.
What types of information is usually needed to be destroyed?
- Personal identifiable information (PII)
- Information protected by privacy laws
- Corporate trade secrets
- Financial details
- Information that can be easily overlooked (e.g. boarding passes, shipping labels, photos, etc.)
- Digital information (e.g. hard drives)
How to Get a Certificate of Destruction
The certificate is automatically generated as soon as the shredding is done and it is emailed to the organization requiring it.
What does a Certificate of Destruction contain?
- A unique serial number for use in an audit trail and other company records.
- Model and serial numbers of the devices destroyed.
- Dates of the service company assuming responsibility for the material and its ultimate disposal.
- If the destruction was off-site: details of the custody chain documenting the transfer from the client’s premises to the services company’s premises and details of the destruction process employed.
- If the material was destroyed on-site: dates and times of the service company assuming responsibility and details of the disposal process.
- The signature of a company official attesting to the fact that the information contained in the certificate is a full and accurate account of the process.
The companies that do the shredding services, thus provide this certificate as a guarantee that the destruction of data took place with the required laws, and if there is ever an audit which asks the company to show a proof, this certificate can be produced to certify that the confidential material was sufficiently destroyed and therefore would not pose a further security threat to the company.
Are all Certificates of Data Destruction the same?
There is no certifying authority for the data destruction industry so the reputation, reporting capability and legitimacy of your data destruction vendor is paramount. In other words, choose carefully.
Data destruction partners should automatically provide verification that will protect you, your client, and your client relationship in the unfortunate circumstance of either legal action, a data breach investigation or an audit of your data destruction process. Without the backup verification, the Certificate of Data Destruction doesn’t provide absolute proof of data privacy regulatory compliance and best practices.’
Sometimes, the organization seeking the shredding service might need to be ensured thoroughly that the destruction of data takes place securely and efficiently. They need to see the process to follow that the destruction was done while respecting and ensuring every step of the process and laws, and that no interception takes place to disrupt the destruction of data. Any type of interception can prove to be a glitch in the security and become a breach. To ensure that this trail remain unhindered, the organization can ask the process to be performed on their own site so as to ensure very rule is followed thoroughly.
There are multiple methods that can be utilized to ensure the physical destruction of data takes place efficiently. The electrical storage can be destroyed by using magnetic powerful forces, or even physically breaking the device with hammers and other heavy equipment. The best method however, is to destroy using a built-in purpose machine. These are similar as shredders, and are very powerful while ensuring the destruction of drives.
When you are selecting a data destruction services provider or partner, you have two critical objectives:
- prevent a data breach.
- gather verification that 100% of the data was destroyed.
To help you satisfy both goals (and rest easy), we’ve put together this handy “How to select a gold-standard data destruction provider” checklist. With this list in hand, your data destruction provider is providing you with the services you need and a supported, defensible Certificate of Data Destruction. Just in case you need it.
Checklist for selecting a gold-standard data destruction provider (and protecting your company)
NAID AAA Certification. Organizations with this certification have completed and complied with the rigor of data privacy laws and methods. They are trained and verified data destruction experts
Onsite data destruction. Eliminate the risk of data (and device) loss in-transit.
Reporting. This is a complete set of verification documenting each device, data destruction method, details resulting from the audit, item serial # scan, inventory validation and reconciliation, chain of custody and any specialized compliance reports.
Certificate of Data Destruction.
Same day certification. Before your vendor leaves the site (whether it’s a one-day or multi-day data destruction project), you should have a digital Certificate of Destruction in your hands. Full reporting and verification (including links to download video) should be in your possession within a week of the job completion. Review all documents to ensure that everything you’ve agreed to is included
Chain of Custody. Many regulations govern custodial history of assets and that includes the data. You’ll want full documentation of any transfer of materials for destruction (specific location and date), the date the information was collected, the date the information ceased to exist, and custodial names at each stage.
Erasure verification. The software used for data sanitization tracks and records the end-to-end process of each and every operation. The tracking and verification data should be included with the reporting and certificate of data destruction and contain the following details:
- Report ID
- Client name
- Equipment brand and model
- Equipment serial number
- HDD Size
- Model and serial numbers for the HDDs
- Disk sanitizing method
- Number of passes performed
- Number of bad sectors
Physical destruction verification. Shredding guarantees that your data (hard drives, SSD, magnetic tape) has been destroyed. The end result is plastic and metal fragments that range in size from ribbons to dust depending on the device and regulations. Additional options for verification include photography, video monitoring and before/after weight comparisons.
Trained, bonded, vetted technicians. The techs doing the shred, erasure, auditing and touching your equipment and have access to your data – even if it’s for a minute. Be sure that they’ve been securely screened and bonded for your protection.
Insurance Your data destruction provider should be insured properly to protect you in worst case scenarios.
Consistency. From both the legal perspective and the (deep sigh) hassle, a harmonized Certificate of Destruction with consistent verification reporting makes tracking end of life assets far easier to manage. For multi-facility, multi-country enterprises, a national provider of data destruction can work with you, your ITAD, VAR or service provider to ensure a consistent and high quality documentation approach — no matter where the data destruction services take place.
Packing, shipping and logistics. The last step in any data destruction process is the removal and transport of the asset of destroyed hardware. Be sure your vendor has the experience and knowledge to transport whatever it is — recycling or redeployment — properly, safely and securely to its next destination.
Destroying your drives in this manner also eliminates any possibility of them being cleaned and resold with the consequent possibility of data being recovered later and used with bad intent with potential ramifications for you and your company.
A digital data destruction certificate is only produced when the data is destroyed using accountable disk wiping software. While a highly reputable method of data destruction, physical destruction of hard drives via shredding, does not produce an actual data destruction certificate for the client. In these situations, a reputable data destruction company will provide the client with a DVD video of their equipment being destroyed. These recordings will typically show each individual hard drive as it is being physically destroyed so the client will know that their equipment was rendered completely unusable.