Clarabyte’s data erasure tools offer one of the most powerful solutions for data wiping and erasure currently on the market. One of the reasons such a bold claim can be made is that Clarabyte has designed its solutions to cover a wide variety of complex standards, adhering to the most demanding regulations and standards.
This wide range of standards can be a minefield, however, for those who are unfamiliar with them. Today, we’re going to crack that nut – by the end of this piece, you should have a fairly strong understanding of the major standards that ClaraWipe and ClaraMobile support, and what those standards entail.
# Sarbanes-Oxley Act (SOx)
In 2002, the United States Congress passed the Sarbanes-Oxley Act, which was designed expressly to protect investors and others relying on accounting services from fraudulent accounting activities, specifically those undertaken by corporations. While the bulk of the bill contained sweeping financial disclosure and fraud prevention reforms, the act also included some significant IT requirements.
Notably, the Sarbanes-Oxley Act has some weighty requirements for both how long financial data must be retained and how such data is handled at the end of its lifecycle. Supporting the act makes ClaraWipe well suited to financial institutions, allowing for greater security not only in data erasure but also in confidence of legality and compliance.
# Health Insurance Portability and Accountability Act (HIPAA)
HIPAA, the Health Insurance Portability and Accountability Act, is a medical record protection act that overhauled the records system in the United States and set some very specific IT standards for the storage of these records.
These standards, codified under Title II of the act, have some important stipulations for data providers. In addition to setting a requirement for a national provider number and a standardized method for data exchange, the act further codified the handling of information through both the HIPAA Privacy Rule and the HIPAA Security Rule.
These two rules specify how data should be handled throughout its lifecycle. Adhering to and complying with this standard means quite a lot – not only can the provider avoid massive legal and economic penalties for inadequate data handling, but providers can also handle more information than they would otherwise be allowed to under the law.
# Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH, the Health Information Technology for Economic and Clinical Health Act, is an extension of the same type of legislation as HIPAA. It was enacted in 2009 as part of the American Recovery and Reinvestment Act, with Subtitle D encoding further privacy and security rules. HITECH built upon the sweeping reforms of HIPAA.
Of note is that HITECH also applies greater civil and criminal consequences for failure to enforce HIPAA rules, meaning that matching HITECH provides some significant economic and legal protections to providers.
# The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
FACTA is a United States federal law that covers credit data management and transfer. It was implemented to extend the Fair Credit Reporting Act in order to combat rising identity theft. Notably, it mandates the secure disposal of consumer information to prevent such identity theft and comes with hefty legal and economic penalties for failure to adhere.
ClaraWipe supports FACTA as a matter of economic policy. Using ClaraWipe means that you meet the FACTA standards, securing not only the data of your consumers but their identities as well.
# US Department of Defense 5220.22-M
This standard has been superseded by NIST 800-88 Clear and NIST 800-88 Purge. DoD 5220.22-M was developed while the data sanitization industry was still maturing; although at the time it was believed to offer the best process for complete data sanitization, NIST 800-88 is by far superior.
A few reasons this standard is no longer relevant:
• Multiple overwrite passes are not always necessary.
• One overwrite pass will often do the job.
• It does not utilize firmware-level ATA Secure Erase commands – which means this standard is ineffective at erasing the HPA and DCO areas of a drive and does not erase reallocated sectors caused by wear leveling.
• The U.S. Department of Defense no longer references 5220.22-M as a secure method for HDD erasure.
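To make the HPA point above concrete, here is an added Python simulation (not Clarabyte's code; the SimDrive class, sector counts and wipe pattern are constructed for the example) in which a single-pass overwrite covers only the OS-visible LBA range, and a verification pass over the drive's native capacity reveals the sectors the overwrite never reached.

```python
"""Simulated post-wipe verification against a drive with a Host Protected
Area (HPA). Added illustration, not Clarabyte's code; SimDrive and the
sizes used here are constructed for the example."""
import os

SECTOR = 512


class SimDrive:
    """In-memory drive: native_max sectors physically exist, but the OS only
    sees user_max sectors; the sectors beyond that are the simulated HPA."""

    def __init__(self, native_max, user_max):
        assert user_max <= native_max
        self.native_max, self.user_max = native_max, user_max
        # Fill every sector with random bytes so "old data" is everywhere.
        self.media = bytearray(os.urandom(native_max * SECTOR))

    def write(self, lba, data):
        self.media[lba * SECTOR:(lba + 1) * SECTOR] = data

    def read(self, lba):
        return bytes(self.media[lba * SECTOR:(lba + 1) * SECTOR])


def overwrite_user_area(drive, pattern=b"\x00"):
    """Single-pass overwrite of the OS-visible LBA range only, which is all a
    software wipe that issues no ATA commands can reach."""
    block = pattern * (SECTOR // len(pattern))
    for lba in range(drive.user_max):
        drive.write(lba, block)


def residual_sectors(drive, pattern=b"\x00", full_native=True):
    """Return LBAs whose contents do not match the wipe pattern. With
    full_native=False the check stops at the reported (user) capacity and
    therefore cannot see anything left behind in the HPA."""
    block = pattern * (SECTOR // len(pattern))
    limit = drive.native_max if full_native else drive.user_max
    return [lba for lba in range(limit) if drive.read(lba) != block]


def demo():
    """Wipe a 1024-sector drive whose last 24 sectors sit in a constructed HPA
    and report (residual sectors seen by a user-area check, residual sectors
    seen by a native-capacity check)."""
    drive = SimDrive(native_max=1024, user_max=1000)
    overwrite_user_area(drive)
    visible = residual_sectors(drive, full_native=False)
    hidden = residual_sectors(drive, full_native=True)
    return len(visible), len(hidden)
```

A verification that only reads the reported capacity passes cleanly while 24 sectors of old data remain, which is why a sanitization process needs firmware-level commands and a verification that covers the native capacity.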
# NIST 800-88
NIST – the National Institute of Standards and Technology – is a federal institution that identifies as a physical sciences laboratory with a mission to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Information disposition and sanitization decisions occur throughout the system life cycle, with the most activity occurring during the disposal phase. There are other points in a system’s lifecycle, however, at which information must be properly disposed of: any occasion on which control over that information is transferred outside the positive control of the organization. Such occasions include maintenance, system upgrades, and configuration updates.
The three types of data sanitization methods are clearing, purging, and destroying. Encryption is not an acceptable means of sanitization, since modern computers are able to crack ciphertext more quickly, which means that encrypted data could be recovered. Clarabyte’s data erasure tools meet both the Clear and Purge guidelines.
# CSEC ITSG-06
CSEC ITSG-06 is another sanitization method, like 5220.22-M, that is used to prevent any recovery method from lifting usable data from a wiped drive. The method is an alternative to other such methods, but it performs largely the same.
# Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard was established as a methodology and system to protect credit, debit, and banking cardholder data. The standard protects this data through storage, processing, and transmission regulations set by the standard’s governing authority.
Adhering to the PCI DSS means that you should be able to process and store data from American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Compliance with these standards means that ClaraWipe can securely delete consumer data, preventing breaches and major identity theft issues.
# Personal Information Protection and Electronic Documents Act (PIPEDA)
The PIPEDA is a Canadian law that governs data privacy, specifically concerning how the private sector handles the collection of data, how they use that data, and how they destroy that data. The law was fundamentally a measure to align Canadian privacy law with European Union laws concerning European citizens, considering the close cultural and economic relationship between Canada and Europe in general.
Notably, PIPEDA has some mandatory provisions taken from the Model Code for the Protection of Personal Information as codified under the Canadian Standards Association. These provisions govern the collection of data, but also the erasure thereof, and regulations of compliance and economic/legal punitive measures should compliance not be maintained.
Adhering to PIPEDA means a great many things, but generally speaking, it’s another market-specific solution that must be adhered to by organizations occupying that market.
# EU data protection directive of 1995
The Data Protection Directive is an EU directive governing the free movement, collection, and transfer of data. The directive lays down specific requirements for data erasure, assuring citizens that their data is effectively and correctly wiped and secured. This directive is set to be superseded by the Data Protection Directive as of 2018.
Complying with the EU Data Protection Directive is not only generally a good policy, but it’s also required for any organization handling data in the EU. Therefore, compliance with this directive means an entire market is more or less open to organizations in terms of the data policies that must be complied with.
# Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, also known as GLBA, is an act passed in 1999 that repealed part of the Glass-Steagall Act of 1933. While the main purpose of this act was to remove market barriers to economic organizations, it included some significant data considerations and dictated how data is handled in financial data transference.
Complying with the GLBA allows institutions to securely transfer data between financial organizations, but it also offers some strong data protections.
# California Senate Bill 1386
SB-1386 was a bill introduced into the California Legislature as a means to protect private information and to help in data erasure. The act dictates the erasure, protection, and general handling of personal data for individuals.
ClaraWipe’s matching of this bill means that private data is erased in accordance with the said act, thereby protecting personally identifiable information and data.
While we’ve only gone over these topics very briefly, the items featured herein are very important to consider, especially when deciding which data sanitization solution is best for your organization. Physical destruction isn’t necessarily absolute, whether it be through crushing, incineration, melting, or shredding. If any large enough disk pieces survive, they may still contain recoverable information, which is especially risky with SSDs. If your organization would like to reuse drives, data erasure software doesn’t leave any traces of data on a drive and is a much more cost-effective method for proving complete data removal.
Clarabyte’s data erasure tools not only assure that data is removed beyond forensic recovery, but they are easy to deploy and offer a more eco-friendly solution. Since the software auto-detects all data storage mediums, may be deployed over the network and exceeds all international standards, the choice is clear. At worst, organizations use Clarabyte’s tools as a first-touch best practice and at best they’re used as a way to improve security, improve value recovery, and prove compliance with the most strict regulations.
The best way to ensure complete data removal – for the most privacy obsessed organizations – is to combine a software-based data erasure approach paired with physical destruction. Any drives that fail due to bad sectors or other mechanical malfunctions should be physically destroyed by a certified professional data destruction specialist.