What You Need To Know About Degaussing
Sep 24, 2014
Individuals and businesses alike should be acutely aware of the importance of protecting personal data, as well as extremely diligent in the process of destroying old or unneeded data on hard drives and magnetic computer tape. Until about five years ago it wasn't a priority. Identity theft is now a big business for thieves. We all remember the TV ad where a thief rummages through your garbage the night before pickup, ready to steal your identity and important documents.
There are rules and regulations today that outline how to protect and discard valuable information. The most recent recommendations are from the National Institute of Standards and Technology (NIST), in NIST Special Publication 800-88, which you can find with most search engines.
Sarbanes-Oxley, FACTA, HIPAA, and a host of state rules and regulations all pontificate about the protection and disposal of recorded media, or what I will refer to as Stored Media. They all spell out the fact that individuals and businesses cannot discard anything that has, or relates to, private information without first eliminating the data. Although these regulations relate to personnel information, most public, private and governmental entities want to -- and demand -- protection of production processing information, tax returns, trade secrets, military and governmental data, product formulas, software codes, and the like. All the aforementioned regulations can be found on the Internet. If your firm is not in compliance with these regulations, it could face a hefty fine, sometimes to the tune of $250,000.
What is degaussing? How does degaussing work?
One of the most secure ways to eliminate information (Stored Media) on hard drives and magnetic computer tape media is to degauss/erase the information. A number of other devices that crush, bend, shred, and overwrite have arrived on the scene in the past few years and are rapidly gaining acceptance both in government and industry use.
Erasing/degaussing Stored Media isn't as simple as it used to be. To effectively degauss hard drives and computer tape, one has to know the signal strength of the Stored Media and relate it to the signal (gauss) strength of the device one will use to erase/degauss. An example will help explain the concept. The magnetic signal strength on old round reel computer tape is 200 oersted. To erase/degauss this tape one will need a device that has a greater signal strength of 600 oersted. This will change the orientation of the magnetic field and will render the data unreadable.
Simply put, degaussing applies an alternating magnetic field of sufficient intensity to saturate the media. The magnetic field is then slowly withdrawn or reduced and the magnetic media is left in a magnetic neutral state, or erased. Part of the hard drive has a software program called a servo, installed on the drive by the manufacturer, which also is erased. Degaussing the servo renders the drive useless. Today Stored Media is measured in gigabytes and terabytes, so older degaussers are pretty much useless in the new environment.
A common misperception many first-time potential degausser users have is their belief that they must have a degausser that is Department of Defense (DOD) or National Security Agency (NSA) approved. Usually, when I question this statement, folks tell me someone said that was a requirement. NSA and DOD have not exactly been keen on approving newer equipment in the field for various reasons. Others tell me it has to be Sarbanes-Oxley, FACTA, or HIPAA compliant. These regulations are guidelines and do not tell you which specific equipment to use or indicate a specific way of eliminating proprietary data. They simply state that you have to do it.
Another misperception concerns DOD approval. The DOD does not approve of anything, but merely recommends. If a manufacturer presents a degausser to DOD and the specifications claim it will erase a 300 GB hard drive, then DOD may add it to their list of recommended products. The problem is DOD, as of this writing, has not tested or recommended very many products in several years. This means that many degaussers that degauss/erase high coercivity drives and tape made today have never been tested by a governmental agency. This does not mean newer degaussers will not work. In fact, they function quite well. There are a few degaussers that are approved by DOD and NSA; however, they have limited erase capabilities (megabyte capacity) and were blessed several years ago prior to the introduction of hard drives and magnetic computer tape holding gigabytes and terabytes.
Purchasing a degausser
There are two considerations when researching a potential purchase:
- Present hard drive and computer tape capacity and
- future capacity.
Why? In the last year or so most degausser manufacturers recognized the severe increase in gigabyte/terabyte capacity and have had to redesign degaussers to match or exceed the increase in degauss/erase capability and/or strength.
Depending on how your company is structured, a degausser could be a capital expenditure and depreciated over several years. Degaussers are built to last for many years and are more expensive now than even a year ago. Often, I get requests for an inexpensive degausser to erase today's higher capacity drives and media. I equate this to someone seeking a heart transplant for the cost of an oil change. The truth is degaussers used to be inexpensive because hard drives and magnetic tapes were not very complicated. Diskettes, round reel tape, and tape cartridges are made of gamma ferric oxide and are somewhat easy to erase. Today, computer tape and hard drives are made of metal particle oxide allowing for increased capacity. This material, together with the higher capacity of smaller discs, makes them extremely hard to erase. Faster degauss time, continuous duty machines, and larger magnets all add to increased degausser costs.
It may be necessary to reallocate some of your IT budget for the purpose of purchasing the proper equipment to satisfy your security requirements. Remember this simple truth: The cost of a degausser is going to be much less than the cost of a security breach. Considering which degausser fills your present and future requirements should also include questions about the warranty and any other services provided by the manufacturer or reseller. DOD recommends testing each degausser at least once a year for continued use. It is in your best interest to look for a manufacturer or reseller that will recertify your degausser each year at little or no cost to you.
Using your existing degausser
If your firm is currently using a degausser, how do you know it is degaussing your hard drives and tape media? Has anyone in your company read the manual to see what its degauss capability is? Do you even have the manual? Have you ever had the degausser tested? Do you have a security program that keeps track of old drives and tapes? If you don't, you could be guilty of "Avoidance of Tolerance Risk." This means you're probably taking a big risk that your firm's hard drives and media could be found and reused. Although DOD suggests that degaussers are tested at least once a year, I can tell you few firms follow this recommendation.
A large percentage of governmental agencies, small companies, and large industry would prefer to periodically rent a degausser, bender, shredder, and/or overwriter for reuse. It is vital to understand the megabyte, gigabyte, or terabyte capacity of your firm's media so you rent the proper degausser. Having a handle on how much Stored Media needs to be erased, matched with the degausser's erasing time for each piece, dictates the length of the rental period. Renting can be as little as a week. Longer periods are obviously available.
Using an outside service
One way to dispose of IT equipment in an environmentally safe manner is to use a recycling facility or degaussing service firm. One important issue not known to many users, and even many of the recycling firms, is the concept of "Transfer of Liability." In regard to hard drives and magnetic computer tape, the liability of any information on said media does not transfer from the originator of said media to the recycler/service firm, or one that accepts the equipment. There are consequences which, unfortunately, can come back to haunt you if you are not careful in selecting the right recycling/service firm. To ensure reliability from your recycler, you need to ask some pointed questions. As with purchasing a degausser, you want to be sure your stored media, hard drives and magnetic computer tapes are fully degaussed.
- What type of degausser is going to be used?
- How old is the degausser? What are the capabilities in megabytes, gigabytes, and terabytes?
- Has it ever been tested?
- Where was it tested?
- How do they know it works?
- What type of accountability program do they have? For example, do they log in your drives? Do they issue an RA (return authorization) so they can track your Stored Media? Will your firm get any documentation or certificate of degauss?
- Are they going to overwrite or degauss, and then resell your hard drives and tapes?
These are a few suggestions for determining how securely, and with how much certainty, your stored media will be erased/degaussed.
Remember that the liability remains with you.
Returning a broken hard drive or magnetic computer tape to a manufacturer
When a drive malfunctions, most of the time it's either a board problem or head-to-disc interference has occurred. There are times when you can recover the cost of a drive under warranty by returning it to the manufacturer. In some instances, you may have to send the drive or tape to a reseller. They, in turn, do some paperwork and forward the hard drive to the manufacturer. In either case your information could be compromised.
If the heads crash on the surface it would be very difficult to recover any data. If there is a board failure, your information is available to anyone. Handing off the drive or tape to someone else will not let you off the hook. You can transfer assets but the liability of information on the drive or tape still rests with your firm. You really need to know how the product will be handled. As with any outside service, you need to ask the same questions I outlined above.
We all fall into one of the categories previously mentioned. I hope you have a better understanding of how to protect your company's information. Also, be aware of the consequences. When you consider your company's private data is on other firms' devices, it brings a whole new understanding of the responsibility.
You can contact Ron Carboy at Periphman@periphman.com or call 1-800-468-6888.
Peripheral Manufacturing, Inc. sells and services degaussers. The company offers certification service (free of charge under some conditions) once a year for equipment they sell. Peripheral Manufacturing also offers a service to test all degaussers for a small fee. If you want to see how your degausser stacks up, call 1-800-468-6888 or email firstname.lastname@example.org for additional information.