Posted by: Ken Harthun
Data destruction, Data sanitization, Security
What do you do when a long-time client, a non-profit organization subject to HIPAA regulations, has been stockpiling old hard drives until they can afford the cost of shredding them? Professional data destruction services charge anywhere from $10 to $25 or more per hard drive in addition to the pick-up fee. Here’s a video that shows a hard drive shredder (scroll down to the middle of the page). My client was looking at almost $1200 and just couldn’t seem to find room in the budget. They needed a viable, and cheap, solution.
The least expensive option would have been to train a staff member on how to use an old PC to hook up the drives and run the HDDerase utility. (See How to Quickly & Securely Erase a Hard Drive.) For various reasons, the client wasn’t in favor of this; they wanted someone “in the know” to do it.
After determining that there was little likelihood of any truly sensitive data sitting on those hard drives, I suggested a brute force approach: Physically damage the drives, then take them to a community recycling center and dispose of them. The total cost of this approach would be around $100. The client agreed.
The photo above shows the result of 3-4 sharp blows with the root-cutter end of a cutter mattock applied to the platter end of the hard drive case. The photo below shows the resulting damage to the platters.
You could argue that this isn’t enough destruction to meet regulatory security standards, and you would be right. My rebuttal would be this: (1) there probably isn’t anything of value on those drives; (2) the cost of trying to recover anything on those drives would be prohibitive; and (3) where they’re going tomorrow, no one will know who owned those drives, and no one would care anyway if they did. Bottom line: The drives will be shredded and recycled as originally planned at a fraction of the cost.
Sometimes, it just takes a little common sense to deal with these issues.