A Beginner’s Guide to NIST: Clear, Purge, Destroy

Let us explain how it works and what it really means

Procurri specialises in helping businesses recycle, refurbish and remarket their old IT hardware assets wherever possible – and a huge part of such work is the process of data sanitization. Data sanitization ensures that all data-bearing hardware has all information wholly and completely removed from it before it is disposed of, recycled or reused. The process of data removal is not only an ethical and reputational obligation of businesses but also a legal one, which can result in heavy sanctions and financial fines if not completed correctly.

At Procurri, we manage all data sanitization to the highest industry standards worldwide, including NIST. Indeed, the NIST premise of Clear, Purge, Destroy certainly sounds impressive in a process requiring such stringent security, but how does it work and what does it really mean? Let us explain all.

What is NIST?

NIST is an acronym for the National Institute of Standards and Technology, a non-regulatory agency and science laboratory of the US Department of Commerce. As an organization, NIST was founded over 100 years ago and has developed various measurements, standards and metrics for the technological and scientific industries. As such, NIST has become one of the leading guidance bodies for US businesses in these sectors, including on the best way to manage comprehensive data erasure for EOL (End of Life) hardware.

What are the specific NIST guidelines for Data Erasure?

The NIST Special Publication 800-88 (NIST SP 800-88, often just shortened to NIST 800-88) is a US government guideline document providing a methodology for erasing data from hardware storage media (most commonly known in the US as media sanitization). It aims to guide businesses to erase data from data-bearing hardware in a way that renders it entirely irretrievable. It is intended to be the safest possible best practice standard for data erasure.

NIST 800-88 was pre-dated by the US DoD (Department of Defense) 5220m standard. This was originally created for the US military and later spread out to public sector departments. Although references to the DoD 5220m standard are still made in some countries and territories, it has now mainly been succeeded by NIST 800-88 – which deals with chip-based storage media as well as more traditional storage facilities.

NIST 800-88 was originally created for internal government use only but quickly gained popularity amongst other businesses, eventually becoming a worldwide accepted standard. It uses a method of three techniques to erase data from all storage media: Clear, Purge, Destroy.

NIST 800-88 was published in 2006 but revised at the end of 2014. NIST SP 800-88 Revision 1 incorporated changes that catered for the technological advances made since the original publication. This includes guidance on degaussing, which is an effective method for purging data across HDDs, floppy disks and magnetic tape media but will not work on SSDs or other flash-based storage.

NIST Clear

Clear is the first of the NIST methodologies used to securely erase data. It applies standard read/write commands and tools to overwrite data in all user-accessible storage locations. The data in those locations is overwritten with non-sensitive data (binary 1s and 0s) on media including SSDs and ATA (Advanced Technology Attachment) drives.

NIST Clear is adequate for ‘official’ security level and is considered a moderate effort toward data protection. It protects against non-invasive and basic data recovery techniques.

NIST Clear works on:

  • Floppy disks
  • Disk drives
  • USB sticks, memory cards, SSDs (all flash media)
  • ATA hard drives
  • SCSI drives.

NIST Clear allows for the storage media subject to it to be reused, which helps increase sustainability credentials and reduce e-waste. Most devices support some level of NIST Clear erasure, but it does not address any data found in inaccessible or ‘hidden’ areas of storage.
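
The scope of Clear, and the gap described above, can be shown on a constructed disk image. This is an added example, not Procurri's or NIST's code: the image file, the 512-byte sector size, the marker string and the split into "visible" and "hidden" sectors are assumptions standing in for a drive with an area the host cannot address.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed image

def build_image(path, visible_sectors, hidden_sectors, marker=b"CUSTOMER-RECORD!"):
    """Create a constructed raw image with marker data in every sector."""
    fill = marker * (SECTOR // len(marker))
    with open(path, "wb") as f:
        for _ in range(visible_sectors + hidden_sectors):
            f.write(fill)

def clear(path, visible_sectors, pattern=b"\x00"):
    """Clear: overwrite every user-addressable sector with ordinary writes."""
    block = pattern * SECTOR
    with open(path, "r+b") as f:
        for _ in range(visible_sectors):
            f.write(block)
        f.flush()
        os.fsync(f.fileno())  # push the overwrite past the OS cache

def residual_sectors(path, start, count, pattern=b"\x00"):
    """Read back sectors [start, start+count); return those not matching the pattern."""
    expected = pattern * SECTOR
    bad = []
    with open(path, "rb") as f:
        f.seek(start * SECTOR)
        for i in range(start, start + count):
            if f.read(SECTOR) != expected:
                bad.append(i)
    return bad

def demo(visible=64, hidden=8):
    """Clear a temp image; return (residual visible sectors, residual hidden sectors)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_image(path, visible, hidden)
        clear(path, visible)
        return (residual_sectors(path, 0, visible),
                residual_sectors(path, visible, hidden))
    finally:
        os.remove(path)

if __name__ == "__main__":
    in_scope, out_of_scope = demo()
    print("visible sectors still holding data:", len(in_scope))
    print("hidden sectors still holding data:", len(out_of_scope))
```

The read-back check passes for every addressable sector, while the sectors outside the addressable range keep their original contents, which is the case Purge or Destroy is meant to cover.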

NIST Purge

NIST Purge is the next highest level of data erasure under NIST 800-88, using either physical or logical techniques to overwrite, block erase or cryptographically erase data.

NIST Purge is considered adequate for ‘secret’ security level data, and is a higher functioning level of media sanitization than Clear.

NIST Purge works on:

  • Floppy disks
  • Disk drives
  • USB sticks, memory cards, SSDs (all flash media)
  • ATA hard drives
  • SCSI drives.

In most cases, hardware subject to NIST Purge can be reused – although businesses may choose to only do so internally, depending on the security level of data previously present on the storage.

NIST Destroy

The highest and most comprehensive level of data destruction under this methodology is NIST Destroy. This uses physical destruction to render the hardware and the data within it entirely irretrievable.

NIST Destroy uses a variety of techniques including shredding, pulverizing, incinerating and smelting.

NIST Destroy works on:

  • Floppy disks
  • Disk drives
  • USB sticks, memory cards, SSDs (all flash media)
  • ATA hard drives
  • SCSI drives
  • Optical disks.

NIST Destroy is best suited to media containing highly confidential data or where data is beyond overwriting methods. However, its physical nature does result in less favourable sustainability outcomes, as the hardware can’t be reused or remarketed. Procurri’s ITAD partners work instead to recycle some of the materials within the hardware using state-of-the-art market-leading clean tech recycling processes.

Why aren’t all data-bearing assets subject to NIST Destroy?

Given the all-encompassing ‘one and done’ nature of NIST Destroy processes, it’s easy to see how businesses may favour such outcomes. However, it should be noted that unless organizations are working with specific sustainability-focused ITAD providers, such processes will usually result in e-waste – a dramatically rising waste channel.

Globally, e-waste reached a record high of 62 million tonnes in 2022; an increase of 82% compared to a decade previously. Projections suggest that levels may reach some 82 million tonnes by 2030, with only around 22% properly collected and recycled.

E-waste is devastating to the planet within which we all function, and so businesses focused on meeting their ESG commitments should instead consider the most sustainable data destruction method possible where appropriate. Indeed, for many data-bearing assets, NIST Destroy could be considered excessive – in both effort and cost.

When working with Procurri, you can rest assured that our technicians will properly prioritize and sort all assets as appropriate to each on an individual basis. This bespoke approach ensures that all data is erased as required but no excess or unnecessary e-waste is produced.

The Cost of Improper or Insufficient Data Sanitization

It is critical that businesses invest properly in the highest level of quality data sanitization that they can afford and work with an ITAD provider who offers transparency across their processes with a certified guarantee of data removal at the end. Improper or insufficient data sanitization can mean that the information held within data-bearing assets is later retrieved by a third party. This can result in devastating consequences for both the business and the subject of the data; including but by no means limited to data breaches, identity theft, significant financial fines, reputation damage and legal action.

For many businesses, a data breach can financially bankrupt the organization. Costs include:

  • Incident response efforts
  • Legal fees
  • Regulatory fines and penalties
  • Data loss impact
  • Loss of customer trust resulting in reduced revenue
  • Business disruption resulting in lost revenue and productivity
  • Investigation costs
  • Civil lawsuits.

Indeed, a 2022 study by IBM and the Ponemon Institute found that the global average cost of a data breach was $4.35 million – and in 2024 the average cost was $4.88 million.

However, if a business works with an ITAD provider that certifies their data removal for each hardware asset once complete, any legal responsibility for data breaches due to improper data sanitization would be passed on to that provider. Procurri offers full certification for their data removal services across all asset types.

What other ITAD standards does Procurri work to?

Procurri works not just to the localized standards required wherever they offer ITAD services but also to global best practice standards. These include:

  • ISO 9001 – standard for quality management systems (QMS)
  • ISO 14001 – standard for environmental management systems (EMS)
  • ISO 27001 – standard for information security management systems (ISMS)
  • NCSC Cyber Essentials certification
  • R2 (Responsible Recycling) accreditation
  • ADISA certification.

Procurri also uses Blancco data erasure hardware. This hardware has been approved by NCSC to HMG IAS 5 (1 or 3 overwrite). Using the Blancco data erasure hardware, Procurri’s specialist engineers can process high volumes of disks all erased to this level, each item with a certificate of data erasure produced to provide a full end-to-end audit process.

Want to investigate more into how Procurri can help erase your data whilst continuing to derive residual value from your assets and focus on sustainability? Get in touch with the team today!