Data of Mass Destruction: Part I
Written by Brian E. Dykstra
Monday, 31 August 2009 13:19

Jones Dykstra and Associates was recently asked to assist in the secure destruction of over 650 pieces of digital media containing Electronically Stored Information (ESI) for over 60 million individuals. Because a data destruction project of this scope doesn't come along every day, we wanted to capture the entire process from beginning to end to help others contemplating a large destruction project.

As I've discussed in other articles, the GLBA and the FTC's Safeguard and Disposal Rules are really intended to address the responsibilities of "financial institutions", but I believe they are excellent policies for almost every organization. The FTC has created clear and concise documentation that is designed with enough flexibility that even the smallest company could implement a safeguard and disposal program without great difficulty or expense. Under the Safeguard Rule the FTC defines personal data as:

Once everyone had agreed that the digital media must be accounted for and destroyed, we were able to move to the logistics of the project. We started the process by re-inventorying all of their computer systems and moving all non-critical computer systems to a secure area that was under 24-hour video surveillance. We insisted upon inspecting all previously used offices for commonly overlooked portable digital media such as floppy disks, USB drives and CD and DVD media. Not only did the careful inspection result in the discovery of over 100 additional pieces of portable digital media, we also discovered several computers and hard disks that had gone unnoticed in boxes and closets.

Next we began a two-part process. Part one was the preservation of all data found on the computers and portable digital media discovered during our inspection of the mothballed offices. Each of the items was fully inventoried and forensically duplicated, and the forensic images were written to backup tape for long-term retention. The second part of the process was to remove the hard disks from each of the computers, carefully matching each one to the previous inventories (to ensure we had a forensic image of the data), and then re-inventorying it for destruction.

Due to the amount of personal information contained on the magnetic media and the quantity of magnetic media involved, it was prudently decided that all of the magnetic media would be degaussed prior to leaving any of the facilities for physical destruction. While removing the hard disks and physically destroying them lowered the potential resale value of the computers involved, it ensured that no personal information would ever be accidentally disclosed or lost.

Certificates of destruction were created for each piece of magnetic and optical media. The certificate of destruction itself is not a complicated document. The following information should be recorded on a certificate of destruction:

How you record the data for the certificates of destruction isn't really that important. We like spreadsheets with macros, but you could just as easily use a database with forms or text documents if you like. We do recommend having some sort of master summary sheet of all of the certificates of destruction for easier review.

The next thing to do is remove hard disks from computers. The hard disk removal process doesn't take as long as you would expect, even on hundreds of computers. Don't forget to check CD-ROM, DVD-ROM and tape backup drive bays for portable media. The slow part of the process is recording all the information from the hard disks onto the certificates of destruction and item-numbering them.

We recommend the use of a portable bar code scanner to make the inventory process faster and less prone to error. Almost all hard disks and computers have identifying manufacturer bar codes for serial numbers, model and part information. This data can be scanned right into your certificate of destruction, eliminating the need for lots of squinting at little serial numbers and the inevitable occasional typo.

Each hard disk should be tagged and item-numbered so that its status is easily tracked during the disposal process. We recommend using small, round, colorful adhesive labels that you can get at any office supply store to mark the media. By using differently colored stickers you can visually track the status of each piece of magnetic media and each computer. For example:

I cannot stress enough how important two-person control is during each part of the disposal process. Errors and mistakes creep into any system when people are performing repetitive tasks. The disposal process is very repetitive and there is a very human tendency to rush to finish an unpleasant task. To combat the tedium of the process we recommend allotting a reasonable number of computer systems and magnetic media to be inventoried and recorded each day. Personnel should take scheduled breaks to help ward off complacency due to boredom. Each computer should be checked by two personnel to ensure that all magnetic media has been removed before it is cleared to move on.

In next week's post, I'll cover the degaussing and physical destruction process (and fill you in on which degausser you should avoid at all costs).
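
The inventory matching and two-person check described in this post can be automated once serial numbers are scanned into a spreadsheet. The following is an added example, not the author's tooling: it reconciles a destruction inventory against the forensic-image inventory and builds master summary rows. The CSV column names, item numbers and sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample inventories; column names are assumptions for this example.
IMAGED = """item_no,serial,image_id
P-001,WD-AAA111,IMG-0001
P-002,ST-BBB222,IMG-0002
P-003,MX-CCC333,IMG-0003
"""
DESTRUCTION = """item_no,serial,removed_by,verified_by
D-001,WD-AAA111,alice,bob
D-002,ST-BBB222,alice,alice
D-003,HT-DDD444,carol,bob
D-004,st-bbb222 ,carol,dave
"""

def norm(serial):
    """Normalise a scanned or typed serial so the two inventories compare equal."""
    return serial.strip().upper().replace(" ", "")

def reconcile(imaged_csv, destruction_csv):
    """Return (master summary rows, imaged serials missing from the destruction list)."""
    imaged = {norm(r["serial"]): r["image_id"]
              for r in csv.DictReader(io.StringIO(imaged_csv))}
    rows = list(csv.DictReader(io.StringIO(destruction_csv)))
    scans = Counter(norm(r["serial"]) for r in rows)
    summary = []
    for r in rows:
        serial, problems = norm(r["serial"]), []
        if serial not in imaged:
            problems.append("no forensic image on record")
        if scans[serial] > 1:
            problems.append("serial scanned more than once")
        people = {r["removed_by"].strip().lower(), r["verified_by"].strip().lower()} - {""}
        if len(people) < 2:
            problems.append("two-person control not met")
        summary.append({"item_no": r["item_no"], "serial": serial,
                        "image_id": imaged.get(serial),
                        "cleared": not problems, "problems": problems})
    unaccounted = sorted(set(imaged) - set(scans))
    return summary, unaccounted

if __name__ == "__main__":
    rows, missing = reconcile(IMAGED, DESTRUCTION)
    for row in rows:
        print(row["item_no"], row["serial"], "CLEARED" if row["cleared"] else row["problems"])
    print("imaged but not yet inventoried for destruction:", missing)
```

A disk is marked cleared only when it has a forensic image on record, its serial appears once, and two different people signed for it; everything else stays on the list for manual review.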


