Secure IT Disposal & Data Destruction

The standard: NIST 800-88

NIST Special Publication 800-88 (Guidelines for Media Sanitization) is the federal standard for data destruction and the one most auditors reference — for HIPAA, SOX, and FedRAMP compliance alike. It defines three levels of sanitization:

• Clear
  Overwriting data using software tools. Appropriate for drives that will be reused internally. Not sufficient for drives leaving the organization.
• Purge
  Cryptographic erasure or overwriting at a level that defeats laboratory recovery attempts. The minimum standard for drives leaving your organization. Appropriate for most regulated business use cases.
• Destroy
  Physical destruction — shredding, disintegration, or incineration. Required for the highest-sensitivity data (classified, certain HIPAA PHI, etc.) or when purge is not practical (failed drives, SSDs with firmware issues).

Certificate of Destruction

A Certificate of Destruction (CoD) is a document issued by the recycler or data destruction service confirming that specific assets were destroyed to a defined standard on a specific date. It typically includes:

• Asset list (make, model, serial number for each device)
• Destruction method (overwrite, degauss, shred)
• Standard applied (NIST 800-88, DoD 5220.22-M, etc.)
• Date and location of destruction
• Name and certification of the recycler
• Signature of authorized representative

Always request a CoD before engaging any recycler. If they can't provide one, they're not the right vendor for a regulated business.

Retention: how long to keep the CoD

When in doubt, keep longer. Storage is cheap. A missing audit trail is not.

What to do with equipment that can't be purged

Drives that have failed, SSDs without cryptographic erase support, and devices with sensitive data that cannot be confirmed erased should be physically destroyed. Most of the certified recyclers in our directory offer on-site shredding — a truck-mounted shredder comes to your facility and destroys drives in front of your staff, then issues the CoD on the spot. This is the preferred method for healthcare organizations and regulated businesses with strict chain-of-custody requirements.

What about copiers, printers, and fax machines?

Modern multifunction printers, copiers, and fax machines have internal hard drives that store images of every document processed. This is one of the most overlooked data security risks in small and mid-sized businesses. Before returning a leased copier or disposing of owned equipment:

• Run the manufacturer's hard drive overwrite function if available
• Remove and destroy the internal drive if feasible
• Confirm the process with the leasing company before return
• Get it in writing

Building a formal IT disposal policy

For regulated businesses in Massachusetts, an ad-hoc disposal process isn't enough. Your Written Information Security Program (WISP) — required under 201 CMR 17.00 — must include documented procedures for how equipment is decommissioned and data destroyed. Auditors will ask for it.

A complete IT disposal policy covers:

• Approved destruction methods by asset type
• Required certifications for third-party vendors
• Chain-of-custody documentation requirements
• Certificate of Destruction retention schedule
• Asset tracking from acquisition to destruction

If you need help building or reviewing your WISP and disposal policy, that's a consulting engagement. Talk to Jaime Pauline →