You don't want to just dump tape cartridges or disk
According to a June 2009 research report by the Enterprise Strategy Group called "Protecting Confidential Data Revisited," 53% of large enterprises surveyed used "brute-force" methods, such as physically destroying their disk drives and tapes. Other enterprises used data destruction software (35%) and homegrown tools and processes (25%). But whatever method they chose, 82% of respondents said they have formal policies and procedures in place for data destruction of storage media.
Russ Fellows, senior analyst with the Evaluator Group, considers destroying data with a degausser the greenest method for data destruction.
"However, multiple passes may be required in order to completely erase data," Fellows wrote in an email to SearchDataBackup. "The least efficient, but most secure way is to write random data over the tapes with multiple passes [similar to disk erasure], then degauss the tapes, followed by shredding or burning. Thus, the tradeoff is between efficiency and security."
Kevin Beaver, founder and principal information security consultant of Principle Logic LLC, advises, "Outside of physical destruction, degaussing is a very reliable means for erasing backup tapes. The problem with basic degaussing is that there's not a 'yes' or 'no' confirmation that the destruction has indeed taken place. So, ideally, both degaussing combined with physical destruction would be best to ensure nothing's going to be recovered."
Outsourcing data destruction
Companies including Cintas Document Management, Iron Mountain Inc., Kroll Ontrack, and Sun Microsystems offer tape destruction services.
"Service costs vary widely, but typically involve billing for time, on-site visit, media handling, etc.," Fellows said. "Costs also vary depending upon the level of destruction. Services can include data overwrite to DOD standards, bulk data erasure with a degausser and may optionally include physical destruction of media via shredding."
But is outsourcing data destruction really secure?
"It's as safe and as reliable as the humans and technologies involved in the process," Beaver said. "So, there's no way to know for sure. That said, by and large, outsourcing data destruction to reputable companies is safe. If anything, you've transferred the risk to a third party -- at least to an extent -- something management and legal counsel like to do."
However, he added, "If something still goes awry [a lost tape, failed destruction and subsequent recovery, etc.], the odds are good that you're still going to be on the hook and receiving end of a compliance penalty or lawsuit."