Certificate of Data Destruction Form
A Certificate of Data Destruction form is used as a certified written record of evidence that a digital storage drive, digital storage media or paper records have been erased, wiped, shredded, burned or otherwise destroyed.
Data destruction is used to prevent a data breach, unauthorized access or use of confidential, non-public or restricted information, in compliance with federal and state data security and privacy laws and security guidelines.
Security Classifications of Records
When a digital storage drive or storage media has reached the end of its useful life, a decision is made to reuse, sell, donate, destroy or recycle it. The degree of reasonable care required during disposition depends on the security classification of the stored data.
The lowest degree of care is used to dispose of unclassified low-security public information such as website content, blog posts, advertising, press releases, flyers, newsletters, and brochures.
A medium degree of care is required to dispose of classified medium-security information such as company confidential documents, business plans, sales and marketing plans, product development schedules, and trade secrets.
The highest degree of care is required for classified high-security information such as confidential or restricted customer or client records, personally identifiable information (PII), and nonpublic personal information (NPPI) (consumer financial information defined under the Gramm-Leach-Bliley Act (GLBA) 15 U.S. Code § 6809 (4) (A)).
This personal data includes bank account and credit card numbers, customer account numbers, purchase history, payment history, credit reports, loan information, tax returns, investment accounts, social security numbers, driver’s license numbers, passport numbers, date and place of birth, mother’s maiden name, medical records (HIPAA), biometric data, user names, passwords, browsing history, and other information protected by privacy or information security laws.
NIST SP 800-88, Media Sanitization Guidelines
The National Institute of Standards and Technology NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization describes media sanitization methods for clearing, purging and destroying data, media and storage drives.
Data and records classified as low-security and medium-security may be destroyed using clearing or purging.
Data and records classified as high-security should be stored using 256-bit AES encryption and using destruction as the most secure method for preventing unauthorized access or data recovery by third parties.
If a storage device is operational, clearing or purging may be adequate to sanitize data and are applied when the media will be re-used. If a storage device is not operational, sanitization software cannot be used, so destruction is required.
Clearing applies logical techniques to sanitize Target Data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. It typically uses standard read and write commands to the storage device to overwrite the stored confidential data with useless fixed or random patterns.
Many free and paid software tools perform clearing, also known as sanitizing, wiping, erasing or shredding. NIST does not review or recommend specific tools. Each organization should research and select an appropriate media sanitization tool, including reading independent product reviews and comparisons. See this Lifewire article for a list of free data wiping tools. Some multi-purpose system tune-up utilities also include wiping and shredding tools.
Caution: Be very careful to back up important files and to select the correct drive and files before wiping, erasing or shredding.
Be aware that deleting files or formatting a drive does not overwrite data and is not sufficient for clearing. The stored data must be overwritten with different data. The obsolete 1995 Department of Defense (DoD) Media Sanitization Guidelines 5220.22-M recommended at least 3 write passes, usually all zeros, all ones, and then random data. But, since 2006, the newer NIST 800-88 guidelines recommend that only one pass of data overwriting is needed.
Additional wiping passes are optional for magnetic disks but may take many hours or days to complete for large-capacity drives.
Only one pass of overwriting is needed for solid-state drives (SSD). Two wiping passes are required by the guidelines for USB flash drives and SD flash memory cards. Additional wiping passes are optional but cause extra wear on flash memory devices.
Purging applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques. Purging relies on special device-specific built-in sanitize commands to securely erase, block erase or cryptographically erase all Target Data.
Newer PATA and SATA interface drives manufactured after 2001, with storage capacities greater than 15 GB, implement the Secure Erase (SE) firmware command to purge a hard disk drive in 30 to 120 minutes with a single pass overwrite.
Secure Erase done by drive firmware is about 8 times faster on a hard disk drive than DoD 5220 block-erase software. The U.S. National Security Agency (NSA) published an Information Assurance Approval that a single-pass overwrite provides secure sanitization.
Check the drive manufacturer website for Secure Erase software. Samsung Magician utility software includes the Secure Erase command function for quickly erasing Samsung SSDs.
A full or quick-sample verification should be performed after a clear or purge to confirm the operation completed correctly. For additional assurance, at least 20% of the sanitized items should also be verified with a second verification tool, from another vendor.
A low-level disk editor such as Active@ Disk Editor freeware can be used to view, browse and search the contents of files and drive raw data sectors in hexadecimal, ANSI or Unicode text modes for wipe verification, data inspection, and forensic analysis. Regular expressions (regex) may be used for searching. This tool requires technical knowledge to learn or tech support for assistance. It includes a built-in help section.
Destruction renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the destroyed media again for data storage.
Destruction includes incineration, melting, shredding, disintegrating (separating into component parts), degaussing (for magnetic media), and pulverizing (grinding to a powder). Bending, cutting or drilling holes in media cause partial damage but are not accepted forms of destruction.
The following decision-making flowchart from NIST 800-88 gives a media sanitization process overview.
The organization’s Chief Information Officer (CIO) is in charge of the Written Information Security Policy (WISP), including information disposition and media sanitization according to internal policy, NIST 800-88 guidelines and security and data privacy laws. Employees must be trained to follow proper security procedures.
Sample Certificate of Data Destruction Form
NIST 800-88 Appendix G includes a template example of the recommended elements to be included in a certificate of data destruction or media sanitization including:
Manufacturer, Model, Serial Number
Organizationally Assigned Media or Property Number (if applicable)
Media Type (i.e., magnetic, flash memory, hybrid, etc.), Media Source (i.e., user or computer the media came from)
Pre-Sanitization Confidentiality Categorization (optional), Sanitization Description (i.e., Clear, Purge, Destroy)
Method Used (i.e., degauss, overwrite, block erase, crypto erase, etc.), Tool Used (including version), Verification Method (i.e., full, quick sampling, etc.)
Post-Sanitization Confidentiality Categorization (optional), Post-Sanitization Destination (if known)
For Both Sanitization and Verification: Name of Person, Position/Title of Person, Date, Location, Phone or Other Contact Information, Signature
Optionally, an organization may choose to record the following (if known): Data Backup (i.e., if data was backed up, and if so, where)
Some organizations include a certificate number and the company logo.
Some media sanitization tools include a printable completion report or a data destruction certificate.
Here is a sample template form Certificate of Data Destruction Media Sanitization, based on NIST 800-88. Appendix G.
This sample template form includes blank spaces for describing two sanitized items. An optional list may be attached to identify more than two sanitized items.
An optional notarial certificate is included to use the completed form to make a notarized sworn statement (affidavit) of data destruction, signed before a notary public.
The Certificate of Data Destruction form should be completed promptly after media sanitization and stored securely with business records kept in the normal course of business.
Shredding Paper and Removable Disks
Confidential paper records may be destroyed by shredding or burning. For higher security, a crosscut shredder is used rather than a strip shredder.
Some paper shredders also include a media shredder designed to shred flexible floppy disks and CD and DVD optical disks. Remove the floppy disk and metal hub from the plastic case. Clearing and purging are not used for optical disks.
To prevent reconstruction, the shredded material should be mixed with unrelated shredded material, divided into several portions and disposed of separately in different locations.
Sanitizing Smartphones and Other Mobile Devices
Refer to the user’s guide or manufacturer’s website for instructions on sanitizing a mobile device before disposal. Many mobile devices only offer capabilities to clear or factory reset but not to purge. Destruction may be needed for secure disposal. Remove any micro SD memory card.
State Laws on Electronic Waste
To protect the environment from toxic material, be sure to follow federal, state and local laws and best practices regarding proper disposal of electronic waste (e-waste). Twenty-six states and the District of Columbia (DC) have laws that mandate e-waste recycling including CA, CO, CT, HI, IL, IN, ME, MD, MI, MN, MO, NC, NJ, NY, OK, OR, PA, RI, SC, TX, UT, VA, VT, WA, WI, WV.
E-waste laws may apply to households, small businesses, big businesses, schools, nonprofits or government agencies. They prohibit disposal of e-waste in a landfill and/or by incineration.
Use an e-Stewards Certified Recycler