When purchasing and utilizing solid state drives (SSD) end-of-life management should be seriously considered.  Data sanitization prior to disposition or re-deployment for a SSD differs from a traditional hard disk drive (HDD). SSDs store, write, and re-write data differently than spinning hard disk drives, and require a more stringent approach to achieve secure data erasure.

In a PC Magazine article SSD vs. HDD: What's the Difference? more in depth details are given for the differences between spinning HDD and the interconnected flash memory chip data storage technology of the SDD.

A software solution that is typically used to over-write data on HDDs, even with multiple passes, may not be a proper data destruction solution for SSD.  Some common software erasure tools may not consistently access all storage areas on the SSD, and as a result blocks of data can be left behind after binary wiping solutions are utilized.

The various manufacturers of SSDs offer their own solutions for SSD erasure. These built in processes are important to understand before purchasing SSD as they will need to be performed on each drive at time of disposition or reuse.  All secure SSD erasure procedures should be followed up with manual confirmation of success and regular random quality assurance from upper management, as well as physical destruction procedure where failure to wipe or security policy otherwise dictates.

Deguassing solid state drives is not a secure option as SSDs do not use magnetic storage.  

It is advisable to have a good understanding on the process of each secure erase instructions from the various OEM utilities:    

Seagate: http://www.seagate.com/files/www-content/product-content/_cross-product/en-us/docs/how-to-ise-your-drive-tp-644-1-1211-us.pdf

Kingston:  http://www.kingston.com/us/community/articledetail?ArticleId=10 

Samsung SSD Magician Manual (Secure Erase): http://www.xander.com.hk/product/product_manual/prod_manual_500.pdf

Intel: http://www.intel.com/support/ssdc/hpssd/sb/CS-034294.htm

Corsair: http://www.corsair.com/applicationnote/secure-erase

Crucial: http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/SSDs-and-Secure-Erase/ta-p/112580

Feel free to post other instructions for major SSD manufacturers and ITAMG will continue to update this list.

“Don’t panic, it’s only a data breach.”  Are those words that you would ever hear?  Certainly not, because when there is a data breach while panic may not be the optimal reaction it more often than not is the reaction. 

A data breach can cause shock waves through a company and even a community.  Just look to the example of Santa Clara Valley Medical Center who had to notify 571 patients that their information, including birthday, age, sex, and even specific medical results,  was compromised after a laptop had been stolen from their location in San Jose, California.  571 individuals concerned about identity theft and their information in the hands of criminals all because one laptop was stolen.  

According to information obtained by Symantec, theft or loss was the top cause for data breaches second to criminal hacking.  The study, done in 2011, revealed the combined statistics from theft and hacking resulted in over 200 million compromised identities.

So if theft is number one and hacking is number two, it is safe to say that companies must defend themselves sufficiently against both aspects.  HR and the department heads of IT must consistently be planning and implementing procedures to mitigate risk from both loss and criminal activity.  From demanding that simple procedures be followed such as shutting down computers so passwords are required on start up, locking down offices after work hours, to training on the importance of keeping mobile assets secure everywhere they go, companies must arm themselves with every means possible to take care of data that is stored on-site at the firm.

As an IT Asset Disposal vendor operating since 1999 we have found that assets at time of disposal are at an increased risk to theft.  When assets are retired and not properly secured, stored, and accounted for negligence can lead to a low tech data breach in the form of missing, lost, and stolen media.

The first step to ensuring loss and theft does not affect your data security is to take accurate inventory of retired assets.  Once this is complete assets should be kept in a locked room or cage until sanitized or serviced by an approved disposal vendor.  For highly confidential media santization or destruction should take place prior to disposal of equipment. Receiving logs and inventory audit reports from disposal vendors should then be used to cross reference serial numbers to your firm's asset management records. Many companies may have excellent data sanitization processes but neglect the serious threat of theft prior to the completion of data destruction due to real estate, space, and other logistics obstacles.        

In the Ponemon Institute’s and Symantec’s Report "2013 Cost of Data Breach Study,"  the numbers regarding the costs associated with a data breach are frightening:

US Cost per Record:  $188

Average Records per US Breach:  23,647

Average US Data Breach Total Cost:  $4,445,636

Average Cost Due to Lost Business: $3,030,814

In response to these alarming figures companies can also mitigate risk by implementing a policy regarding data destruction using a firm that will monitor, guard, and provide proof of destruction through Department of Defense compliant data eradication methods.

The U.S. Department of Defense (DOD) has established a National Industrial Security Program Operating Manual that various Federal Government Departments must use including the Department of Defense, Department of Energy, and CIA. The program describes the methods and systems by which classified information must be secured. Through this data destruction protocol, information is kept secure from acquisition through destruction.

Disastrous results can be avoided through strict adherence to safety and security policies both on-site and after the sale of IT equipment.  Informing customers and employees of a data breach is the last thing any company wants to have to do.  Customers will be lost and employees’ trust will be diminished. To avoid these issues company heads must plan accordingly, take action, and choose wisely when selecting vendors to help with security needs.

Looking for More Info On Best Practices for EOL Equipment?