What's the difference between data deletion and data erasure?
Deletion and erasure may sound the same, but these are two terms not to be confused. Data deletion leaves data recoverable, while data erasure is permanent; this is especially important for businesses, as getting these two terms confused can present significant issues.
There is a lot of confusion around the definition of data erasure. Most of the trouble comes from the belief that reformatting and 'the delete button' are secure methods of erasure – they aren't!
Still, the vast majority of users in organisations believe these methods are suitable, which can leave their sensitive data vulnerable to a potential data breach.
More data than ever before
Organisations are creating, storing and sending more data than ever before. In 2018, the global volume of data was 33 zettabytes (ZB). By 2025, IDC predicts that number will balloon to 175 zettabytes of data worldwide. While corporate data holds great value, it also carries a great deal of risk. The more data your organisation deals with, the greater the risk of its exposure.
What kinds of data are there?
Customer data – This includes personally identifiable information (PII): data that allows you to identify a specific person, such as name, address, account numbers, financial data and Social Security numbers. It also covers protected health information (PHI), such as medical records or associated payment data.
Employee data – This is the same as customer data, but will also include salary and performance reviews.
Corporate data – This may include intellectual property, research and development data, marketing information, merger and acquisition information, financial results, internal communications, operational information.
Data for sale
The dangers of confusing erasure and deletion were evident in one of our recent studies. In partnership with Blancco Technologies, we purchased 159 second-hand drives (a mixture of HDDs and SSDs) from eBay and Amazon to analyse for residual data.
We found sensitive residual data on 42% of the devices, with 15% containing PII. This meant that for every 20 drives analysed, at least three had PII residing on them.
Some of the PII included:
- A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records
- University student papers and associated email addresses
- 5GB of archived internal office email from a major travel company
- 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules, and truck registrations
- Company information from a music store, including 32,000 photos
- School data, including photos and documents with pupils' names and grades
One significant concern from the study is that every second-hand seller the drives were purchased from stated that proper data sanitisation had been performed, guaranteeing that no data would be left behind. The results show that this was not the case: while individuals recognise the importance of removing data, the methods they are using are inadequate.
Formatting and deleting vs. erasure
It's a common misunderstanding that formatting a drive is a secure way of erasing data. It's certainly more reliable than simply deleting the files, but a format only makes the operating system mark the area as deleted so that it can be overwritten later. You will not see any data on your screen, but it will still be there and available to recover.
One deletion method that is often mistaken for a way of erasing data is the use of the recycle bin on a laptop or desktop. Any file that you send to a recycle bin isn't erased, even after emptying the bin; it continues to exist on your hard drive. The files are hidden from view, but most data recovery programs will quickly recover them.
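The difference described above can be shown on a small model. This is an added example, not code from the study or from any erasure product: it builds a constructed in-memory toy volume (sector 0 as the file index, an assumed layout), applies a delete/format and then an overwrite, and reports what a residual-data scan finds after each. All names, file contents and the single zero-fill pass are assumptions made for illustration.

```python
SECTOR = 512
# Magic bytes a residual-data scan looks for (small illustrative subset).
SIGNATURES = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


def make_image():
    """Constructed 8-sector toy volume: sector 0 is the file index, data follows."""
    img = bytearray(SECTOR * 8)
    for offset, data in (
        (0, b"passport.jpg:1;payroll.pdf:3"),              # index entries
        (SECTOR * 1, b"\xff\xd8\xff\xe0" + b"scan-of-ID"),  # fake JPEG content
        (SECTOR * 3, b"%PDF-1.7 salary list"),              # fake PDF content
    ):
        img[offset:offset + len(data)] = data
    return img


def delete_or_format(img):
    """Model of delete / quick format: only the index is cleared."""
    img[0:SECTOR] = bytes(SECTOR)


def erase(img):
    """Model of erasure: overwrite every sector, then read back to verify."""
    img[:] = bytes(len(img))
    return not any(img)


def residual_report(img):
    """Return (numbers of non-empty sectors, file types whose signature is present)."""
    dirty = [i // SECTOR for i in range(0, len(img), SECTOR)
             if any(img[i:i + SECTOR])]
    found = sorted(name for magic, name in SIGNATURES.items() if magic in img)
    return dirty, found


if __name__ == "__main__":
    img = make_image()
    delete_or_format(img)
    print("after delete/format:", residual_report(img))
    print("erase verified:", erase(img))
    print("after erasure:", residual_report(img))
```

For a drive erased with a zero-fill pass, any non-empty sector or surviving signature in its raw image means data is still recoverable.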
Data erasure tools
Data erasure software will permanently remove data from all IT assets, including PCs, hard drives, servers, data centre equipment, and smartphones. Using effective data erasure software allows your organisation to reuse, resell or recycle its entire storage media securely.
A degausser is a total data destruction solution for magnetic media. Generating a peak field of 18,000 gauss, a degausser will erase 100 per cent of media in a matter of seconds. This powerful electromagnetic field overcomes the varying oersted levels of differing magnetic media and their manufacturers' recommended gauss levels, ensuring complete media device data destruction.
Shredders are a safe and effective way of destroying HDDs, SSDs, smartphones, and mini-tablets. Each shredder will break down the chosen media into tiny particles, rendering them completely unusable. Certified to the highest security level, shredders are an efficient way of destroying certain storage media quickly and reliably.
Certified data erasure
Ensuring an organisation has correct data erasure standards is one thing, but for those in highly regulated industries, certified data destruction is essential. Data erasure certifications and data erasure standards are not the same. Set by government agencies, data erasure standards refer to how a device is sanitised. Any organisation can follow these guidelines, but it doesn’t mean that the company has been certified by that government organisation to meet its stringent requirements.
Data erasure certificates highlight an erasure method's ability to meet the needs of the most highly regulated industries. Certified data erasure methods provide organisations with tamper-proof certificates of erasure that are audit-ready and help to meet compliance needs.
Know the difference
It is critical that individuals and organisations understand the difference between deletion and erasure to ensure the protection of sensitive data. It may seem simple, but even today, there is still confusion surrounding the correct methods to use to ensure secure data erasure. If you are in doubt, always contact an expert – it’s just not worth the risk!