There's a hard drive sitting in a filing cabinet in your IT room. It came out of a laptop that was replaced two years ago. Nobody's touched it since. You might assume it's harmless — after all, it's not connected to anything.
It isn't harmless. It's a liability.
Data doesn't disappear when a device is powered off, retired, or even reset. Until a storage device is properly destroyed — by verified overwrite methods or physical shredding — every file, credential, and record on it is potentially recoverable by anyone with the right tools. And those tools are widely available and inexpensive.
This is what certified data destruction is designed to prevent. Here's what it actually means, what the standard requires, and what documentation you should always walk away with.
When you delete a file — even permanently — the operating system typically marks the space as available for reuse, but doesn't immediately overwrite the data. The original data remains intact until something new is written over it. With the right recovery software, deleted files can be restored in minutes.
A factory reset is better, but still not sufficient for compliance purposes. Depending on the device and operating system, a factory reset may not overwrite all sectors, may leave residual data in protected partitions, or may simply re-initialize the file system without touching the underlying data.
⚠️ A factory reset does not meet NIST 800-88 standards. It is not an acceptable method of data sanitization for devices containing sensitive organizational, student, or patient data.
NIST Special Publication 800-88 — "Guidelines for Media Sanitization" — is the federal standard for data destruction. It defines three levels of sanitization:
Clear: Overwriting all addressable storage locations with a fixed data pattern. This protects against simple recovery using standard software tools. Appropriate for lower-sensitivity data being repurposed internally.
Purge: More thorough overwriting or cryptographic erasure that protects against more sophisticated recovery techniques. Required for devices containing sensitive data before they leave organizational control — including donation, resale, or third-party recycling.
Destroy: Physical destruction of the media — shredding, disintegration, or incineration — rendering data recovery technically infeasible. Required for devices containing the most sensitive classifications of data, or when purge methods aren't feasible for a given storage type.
A factory reset re-initializes the file system but does not reliably overwrite underlying data. It fails NIST standards.
Deleting files marks space as available but leaves data intact and easily recoverable with basic tools.
Multiple-pass overwrite with verification meets NIST 800-88 for most organizational data.
Shredding or disintegration of the media gives the highest assurance and is required for classified or highly sensitive data.
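The "overwrite with verification" step described above, as an added example (not from the original article or any vendor's tooling): it overwrites a constructed image file with a fixed pattern, then re-reads every block to confirm nothing else remains. The block size, function names and sample record are assumptions made for the illustration.

```python
import os
import tempfile

BLOCK = 4096  # bytes compared per read; an assumption, not a NIST-mandated value


def residual_blocks(path, pattern=b"\x00", block_size=BLOCK):
    """Return byte offsets of blocks that differ from the overwrite pattern."""
    offsets, pos = [], 0
    with open(path, "rb") as dev:
        while chunk := dev.read(block_size):
            phase = pos % len(pattern)  # keep multi-byte patterns aligned
            expected = (pattern * (len(chunk) // len(pattern) + 2))[phase:phase + len(chunk)]
            if chunk != expected:
                offsets.append(pos)
            pos += len(chunk)
    return offsets


def build_constructed_image(path, blocks=16):
    """Constructed sample: a 64 KiB 'drive' with one leftover record in block 5."""
    with open(path, "wb") as img:
        img.write(b"\x00" * BLOCK * blocks)
        img.seek(5 * BLOCK + 100)
        img.write(b"student_id=0000;name=CONSTRUCTED SAMPLE")


def overwrite(path, pattern=b"\x00"):
    """One fixed-pattern pass over every addressable byte of the image."""
    size = os.path.getsize(path)
    with open(path, "r+b") as img:
        img.write((pattern * (size // len(pattern) + 1))[:size])
        img.flush()
        os.fsync(img.fileno())  # make sure the pass reached the backing store


def demo():
    """Return (residual offsets before overwrite, residual offsets after)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed.img")
        build_constructed_image(image)
        before = residual_blocks(image)  # leftover record is still readable
        overwrite(image)
        after = residual_blocks(image)   # verification pass over every block
        return before, after


if __name__ == "__main__":
    print(demo())
```

A read-back check like this only covers addressable blocks, which is why a clean result supports the overwrite-based levels above and not a claim about areas the device does not expose.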
Depending on your sector, you may have specific legal obligations around data destruction — not just best practices.
The Family Educational Rights and Privacy Act governs how schools handle student educational records. Devices that have touched student data — including Chromebooks, tablets, and administrative workstations — must have that data properly destroyed before the device leaves district control. Failure to do so constitutes a potential FERPA violation.
The Health Insurance Portability and Accountability Act requires covered entities to implement policies for final disposal of electronic protected health information (ePHI). Devices containing any patient data must be sanitized to NIST standards before disposal. The penalties for non-compliance are substantial — up to $1.9 million per violation category per year.
Most states have enacted electronic waste recycling laws that prohibit disposal of electronics in general trash and may impose specific requirements on data-bearing devices. Requirements vary significantly by state — work with a partner who understands your jurisdiction.
For businesses subject to security audits, asset disposal policies — including data destruction — are a standard audit component. Documented, certified destruction is the expected control.
After a compliant data destruction process, your vendor should provide a Certificate of Data Destruction (sometimes called a Certificate of Sanitization). This document should include:
📋 File your Certificate of Data Destruction permanently. If a data breach is ever alleged and traced to a decommissioned device, this certificate is your evidence that the device was properly sanitized before it left your control.
Before you hand your devices to any third party, ask these questions directly:
Data destruction isn't a checkbox — it's a genuine liability control. Every device that leaves your organization without certified sanitization is a potential breach waiting to happen. The cost of doing it right is zero if you work with the right partner. The cost of getting it wrong — in regulatory fines, legal exposure, and reputational damage — can be enormous.
Demand the certificate. Keep it on file. And make sure whoever you work with can explain exactly what they did and to what standard.