Data Destruction
Defensible data sanitisation matched to the medium — NIST SP 800-88 Rev. 1 Purge for working drives, IEEE 2883-2022 firmware Sanitize for SSD/NVMe, DoD 5220.22-M overwrite where the contract specifies it, 6mm/2mm/0.5mm physical destruction for top-classified media, degaussing at ≥1.4 Tesla for LTO/DLT magnetic tape. Certified per asset, witnessed where required, admissible at every audit we have served since 1996. Ordered only after the Reuse-First triage rules destruction in.
Method matched to media, not to invoice
NIST SP 800-88 Rev. 1 Purge (firmware-verified overwrite + cryptographic verification) for working spinning media. IEEE 2883-2022 firmware Sanitize for SSD / NVMe / self-encrypting drives. DoD 5220.22-M three-pass overwrite where contractually mandated. 6mm/2mm/0.5mm shredding for top-classified or non-functional drives. Degaussing at ≥1.4 Tesla coercivity for LTO/DLT. Each method is selected per asset, per data classification — never as a one-size-fits-all upcharge.
Per-asset certificate, not per-job paperwork
Every drive gets its own line on the Certificate of Destruction: serial number, make / model / capacity, method used, particle size where shredded, magnetic field strength where degaussed, sanitisation tool + version, verification method, date and time stamp, operator name and ID, witness signature where present. Bulk-job certificates are not regulator-acceptable, and we do not issue them.
Witness destruction available, observed by your CISO or compliance officer
On-site at your facility for board-material drives, encryption key stores, customer PII at scale, top-secret media. Or at our facility with your representative present. Witness destruction is a contractual right under most BFSI and government engagements; we document the witness signature on each batch.
Standards-aligned, audit-defensible across every market we operate in
NIST SP 800-88 Rev. 1 (2014) — the framework auditors in every market default to. IEEE 2883-2022 — the current SSD/NVMe sanitisation standard. DoD 5220.22-M — legacy multi-pass overwrite, used only where contractually specified (and noted as superseded for SSDs). NAID-grade Protocol — operator vetting, witness destruction, per-asset chain of custody. Plus your local privacy law: DPDPA 2023 in India, PIPEDA + Quebec Law 25 in Canada, PDPA Section 24 in Singapore, UAE PDPL Article 21 (Federal Decree-Law 45/2021) in the UAE.
The Reuse-First decision tree — when destruction is the right answer
Reuse-First is the default; destruction is the exception. Every retired drive enters a triage flow: (1) Is the asset working? (2) Is the data classification destruction-mandated by the regulator or by the data owner? (3) Are there sector-specific rules (BFSI top-classified material, healthcare PHI, government restricted-data) that pre-empt the reuse path? If the drive is working AND the data classification permits reuse, NIST SP 800-88 Rev. 1 Purge is applied, verification is captured, and the asset is routed to refurbishment and resale — settlement against your PO in your local currency. If destruction is mandated — top-classified data, board-material drives, non-functional media, encryption key stores, regulator instruction, or written client direction — the asset is routed to physical destruction with the destruction reason explicitly documented on the certificate. This decision tree is the most defensible disposition stance in front of your auditor and your sustainability committee. Destruction without a documented reason is, increasingly, a finding.
NIST SP 800-88 Rev. 1 — Clear, Purge, Destroy explained
NIST SP 800-88 Rev. 1 (the December 2014 revision still in effect as of 2026) defines three sanitisation levels selected by the data classification and the disposition path.
CLEAR — applies logical techniques (typically a single-pass overwrite of all addressable storage locations) to defeat keyboard- and software-recovery attacks. Acceptable for low-classification data being redeployed within the same security boundary. Limitations: does not defeat laboratory-level recovery; not appropriate for SSDs with over-provisioned cells.
PURGE — applies physical or logical techniques that defeat state-of-the-art laboratory attacks. For HDDs, this is typically multi-pass firmware-verified overwrite with cryptographic verification. For SSDs and NVMe, Purge is achieved via the IEEE 2883 Sanitize command (Block Erase / Crypto Erase). For self-encrypting drives, Cryptographic Erase (key destruction) qualifies. Purge is the default level for retired enterprise media being remarketed under Reuse-First.
DESTROY — physically destroys the storage medium so that data recovery is technically impossible. Methods: shredding to 6mm / 2mm / 0.5mm particle size, disintegration, incineration (where licensed), pulverisation. Destroy is reserved for top-classified data, non-functional media that cannot be Purged, encryption key stores, and where the data owner or regulator mandates it.
The Maxicom certificate names the level applied — Clear, Purge, or Destroy — for every asset on the manifest.
NIST SP 800-88 sanitisation method by media type (decision matrix)
HDD (spinning disk, working) → Purge via multi-pass overwrite, firmware-verified, cryptographic verification.
HDD (top-classified or non-functional) → Destroy via 6mm or 2mm shred.
SSD / NVMe (working, removable) → Purge via IEEE 2883-2022 firmware Sanitize (Block Erase or Crypto Erase).
SSD / NVMe (top-classified or failed) → Destroy via 0.5mm disintegration or 2mm shred.
Self-encrypting drive (SED) → Purge via Cryptographic Erase (key destruction); the encrypted ciphertext on disk is then unrecoverable.
LTO / DLT magnetic tape → Purge via degaussing at ≥1.4 Tesla, then physical deformation (cartridge crushing).
Optical media (CD, DVD, Blu-ray) → Destroy via shredding or pulverisation; degaussing is not effective.
Smartphone / tablet → Cryptographic Erase via factory reset on devices with hardware-backed encryption (modern Android, all iOS); otherwise physical destruction.
PCIe / FPGA / GPU on-board memory → Cryptographic Erase where supported; otherwise physical destruction. AI accelerator memory (NVIDIA H100, A100, AMD MI-series HBM) requires Crypto Erase via the management software stack before resale.
USB flash, SD card → Destroy. NIST 800-88 explicitly notes consumer-grade flash storage cannot be reliably Purged.
IEEE 2883-2022 — the current SSD/NVMe sanitisation standard
IEEE 2883-2022, published in 2022, is the current authoritative standard for sanitising solid-state storage. It supersedes the older NIST SP 800-88 SSD guidance and corrects the longstanding error of treating SSDs as if they were spinning disks. Why SSDs cannot be reliably overwritten: SSDs use wear-levelling, over-provisioning, and bad-block remapping. A logical overwrite written to a particular Logical Block Address (LBA) does not necessarily overwrite the underlying flash cell — the controller may write to a fresh cell while the original retains the data. Multi-pass overwrite (DoD 5220.22-M, Gutmann) is therefore not appropriate for SSDs. IEEE 2883-2022 defines two firmware Sanitize commands: BLOCK ERASE (issues an erase to every flash cell, including over-provisioned regions, returning the drive to factory state) and CRYPTO ERASE (destroys the internal Media Encryption Key, rendering all encrypted data unrecoverable in microseconds — even on multi-TB drives). Maxicom issues the IEEE 2883 Sanitize command via the appropriate management protocol (NVMe Sanitize for NVMe, SCSI Sanitize for SAS, ATA Sanitize for SATA), captures the verification response confirming completion, and records the command + response on the per-asset Certificate of Destruction. The certificate is regulator-acceptable in every market we operate in.
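As an added example (not Maxicom's tooling and not code from this page), the Python below decodes the first eight bytes of the NVMe Sanitize Status log page, which is the kind of verification response described above, and decides whether it supports the method claimed on a certificate. The field layout follows the NVMe base specification; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# First 8 bytes of the NVMe Sanitize Status log page (log identifier 0x81),
# little-endian: SPROG (u16), SSTAT (u16), SCDW10 (u32).
STATUS = {
    0: "never sanitized",
    1: "completed",
    2: "in progress",
    3: "failed",
    4: "completed (user data deallocated)",
}
# SCDW10 bits 2:0 echo the sanitize action of the most recent command.
ACTION = {1: "exit failure mode", 2: "block erase", 3: "overwrite", 4: "crypto erase"}


def decode_sanitize_log(raw: bytes) -> dict:
    """Decode progress, status and action from a raw sanitize log page."""
    if len(raw) < 8:
        raise ValueError("sanitize log needs at least 8 bytes")
    sprog, sstat, scdw10 = struct.unpack_from("<HHI", raw)
    return {
        "status": STATUS.get(sstat & 0x7, "reserved"),
        # SPROG is a numerator over 65536; drives report 0xFFFF when idle.
        "progress_pct": round(sprog * 100 / 65536, 1),
        "overwrite_passes": (sstat >> 3) & 0x1F,
        "action": ACTION.get(scdw10 & 0x7, "reserved"),
    }


def sanitize_evidence(raw: bytes, expected_action: str):
    """Return (ok, reason): ok only if the drive reports the claimed action as completed."""
    log = decode_sanitize_log(raw)
    if log["status"] == "in progress":
        return False, f"still running ({log['progress_pct']}%), poll again"
    if not log["status"].startswith("completed"):
        return False, f"sanitize status: {log['status']}"
    if log["action"] != expected_action:
        return False, f"drive ran {log['action']}, certificate claims {expected_action}"
    return True, f"{log['action']} {log['status']}"


# Constructed sample log pages (not captured from real drives).
SAMPLE_DONE = bytes.fromhex("ffff 0100 02000000")       # block erase, completed
SAMPLE_RUNNING = bytes.fromhex("0080 0200 04000000")    # crypto erase, 50% done
SAMPLE_FAILED = bytes.fromhex("ffff 0300 02000000")     # block erase, failed
SAMPLE_OVERWRITE = bytes.fromhex("ffff 1900 03000000")  # overwrite, 3 passes, completed

if __name__ == "__main__":
    for name, raw in [("done", SAMPLE_DONE), ("running", SAMPLE_RUNNING),
                      ("failed", SAMPLE_FAILED), ("overwrite", SAMPLE_OVERWRITE)]:
        print(name, sanitize_evidence(raw, "block erase"))
```

The last sample is the case worth catching in review: the drive reports success, but for an overwrite rather than the Block Erase the certificate would claim.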
DoD 5220.22-M — when it still applies, when it does not
DoD 5220.22-M is the U.S. Department of Defense National Industrial Security Program Operating Manual specification for clearing magnetic media. Its three-pass overwrite (write 0, write 1, write random + verify) was the de-facto standard for sanitising HDDs from 1995 until NIST SP 800-88 superseded it for civilian use in 2006. When DoD 5220 still applies: where a contract or RFP explicitly mandates it (still common in U.S. federal procurement, defence sub-contracts, and some BFSI engagements with legacy clauses); where a client policy was written in the 1990s–2000s and has not been refreshed. Where it does not apply: SSDs and NVMe (overwrite is not effective on solid-state media — IEEE 2883 Sanitize must be used instead, regardless of contract wording); modern HDDs with cryptographic erase capability (Crypto Erase is faster and equally effective); engagements written to NIST SP 800-88 Purge (which is a superset of DoD 5220 for HDDs). Maxicom executes DoD 5220.22-M three-pass overwrite where contractually specified, names the standard on the certificate, and documents the verification step. For SSDs received under a DoD-clause contract, we issue a written exception note explaining why IEEE 2883 Sanitize is being applied instead, with the data owner's acknowledgement on file.
Physical destruction — 6mm, 2mm, 0.5mm: what the particle size actually means
Particle size is the largest residual fragment after shredding, measured along the longest edge. Smaller particles mean higher data security at higher cost and longer processing time. Selecting the right size is a regulator and threat-model question, not a marketing one.
6mm shred — the standard for retired enterprise HDD destruction. Exceeds the recoverability threshold for state-of-the-art forensic recovery from spinning platters. Acceptable under NIST SP 800-88 Destroy for HDD. Acceptable for most BFSI and government engagements outside top-secret.
2mm shred — required by some regulators (notably for top-secret material) and by some BFSI internal policies. Effective against the most advanced platter-recovery techniques. Required for board-material drives at major banks. Standard for healthcare PHI at the most sensitive end (psychiatric records, genetic data).
0.5mm disintegration — used for SSD and NVMe physical destruction, because individual flash chips are small enough that 6mm shred can leave intact cells. Disintegration reduces the medium to a fine dust where no individual flash cell can survive. Required by some governments for top-secret SSD destruction.
Maxicom industrial shredders are sized to the engagement: a typical BFSI refresh runs at 6mm; top-classified material runs at 2mm or 0.5mm with witness destruction. The certificate names the particle size achieved.
Degaussing — magnetic media destruction
Degaussing exposes magnetic storage media (LTO/DLT tape, legacy floppy, certain HDDs with low coercivity) to a strong reverse magnetic field that randomises the magnetic domains storing data, rendering the media unrecoverable. Field strength matters: modern LTO-9 tape has a coercivity of approximately 1.5 Tesla, requiring a degausser rated at ≥1.4 Tesla to fully sanitise. A degausser rated for older LTO-5 (~0.8 Tesla) will not fully sanitise LTO-7/8/9. Maxicom uses ≥1.4 Tesla degaussing units for all current-generation LTO. Degaussing is destructive to the cartridge — degaussed tape cannot be re-recorded — and we follow it with physical cartridge deformation as defence in depth. Per-cartridge serial number, degauss date, and field strength are captured on the Certificate of Destruction. Important: degaussing is not effective on SSDs or NVMe (which store data in NAND flash cells, not magnetic media). Routing SSDs through a degausser is a common procurement error; we explicitly route SSDs to IEEE 2883 Sanitize or physical destruction, never degaussing.
Cryptographic Erase — when key destruction is the sanitisation
For self-encrypting drives (SED), full-disk-encrypted volumes, and AI accelerator memory with hardware encryption, Cryptographic Erase is the fastest and most defensible sanitisation method. The data on disk is encrypted with a Media Encryption Key (MEK); destroying the MEK renders the ciphertext on disk unrecoverable in cryptographically-meaningful timescales (i.e. forever, for AES-256). NIST SP 800-88 Rev. 1 explicitly endorses Cryptographic Erase as a valid Purge method for SEDs. The certificate must document: the encryption algorithm in use (typically AES-256-XTS), the key destruction method (typically a firmware command that overwrites the MEK storage location), and the verification step that confirms the MEK is no longer recoverable. Maxicom applies Cryptographic Erase via the OEM-specific firmware command (Dell SED, HPE SED, Seagate SecureErase, NVIDIA accelerator firmware), captures the verification response, and documents the algorithm + key destruction method on the certificate. For drives that have been operating in plaintext mode (encryption disabled), Crypto Erase is not sufficient — we revert to NIST SP 800-88 Purge or Destroy.
Witness destruction — the audit-defensibility multiplier
Witness destruction is the practice of having the data owner's representative — typically the CISO, the compliance officer, or a delegated information-security officer — physically observe the destruction of high-classification media. The witness signs the per-batch manifest at the moment of destruction, attesting that they observed: the asset list reconciled to the manifest, the destruction equipment in operation, the residue (shredded particles, degaussed cartridges, sanitisation command verification responses), and the operator credentials. When witness destruction is required: BFSI top-classified material; government restricted-data; M&A diligence destruction; insurance-claim evidence destruction; regulator-mandated destruction following a data incident. Maxicom offers witness destruction at our facility (with cleared-area protocols, CCTV recording, dual-operator destruction) or on-site at the client facility (with mobile shred units, witness-grade documentation, and post-destruction certificate). Where the witness is on-site, Maxicom provides PPE, NDA-bound operators, and structured observation protocols. The witness signature appears on the Certificate of Destruction alongside the Maxicom operator signature, and on the consolidated batch manifest.
The Per-Asset Certificate of Destruction — what makes it audit-defensible
A Certificate of Destruction is the document a regulator, an auditor, an insurance assessor, or an incident-response team reads when they need to confirm that a specific drive containing a specific dataset was sanitised at a specific time using a specific method. The vast majority of regulator findings against ITAD documentation are about certificate completeness, not sanitisation method. A regulator-acceptable Maxicom Certificate of Destruction includes, per asset:
(1) serial number;
(2) make, model, and capacity;
(3) data classification at retirement;
(4) sanitisation method applied (Clear / Purge / Destroy with the specific standard cited — NIST SP 800-88 Rev. 1, IEEE 2883-2022, DoD 5220.22-M);
(5) particle size where shredded, field strength where degaussed, encryption algorithm where Crypto Erased;
(6) sanitisation tool name and version, sanitisation command issued, and verification response captured;
(7) date and time stamp (UTC), facility location;
(8) operator name, ID, and signature (digital and ink);
(9) witness name and signature where present;
(10) chain-of-custody references back to the original pickup manifest;
(11) the destruction reason if Reuse-First triage was overridden.
Bulk-job certificates that name only "all drives in batch B-2026-04-15 destroyed to NIST 800-88" are not regulator-acceptable in our experience and we do not issue them. Where a client procurement contract requests bulk paperwork for cost reasons, we route to per-asset paperwork and absorb the per-line cost.
Chain of custody — the data closet to destruction trail
Most data incidents in ITAD do not happen in destruction. They happen in transit, in staging, or at hand-off points where the chain of custody breaks down. Maxicom's chain-of-custody discipline is explicitly designed to close those gaps.
At pickup: the data owner's representative signs the pickup manifest at the data closet; the Maxicom operator counter-signs; serial numbers are reconciled to the asset list. The vehicle is GPS-tracked from pickup to facility; route deviations are flagged and investigated.
At facility intake: the seal on the transit container is verified, photographed, and documented. The intake operator counter-signs against the pickup manifest. Top-classified material goes to a cleared-area destruction station within 24 hours of intake.
At sanitisation: the sanitisation operator captures the per-asset method, command, verification response, and timestamp. Where witness destruction applies, the witness signature is captured at this stage.
At certificate issuance: the consolidated Certificate of Destruction is generated after destruction completion per SOW, signed digitally and ink-on-paper, and delivered to the data owner via the agreed secure channel (typically encrypted email + courier). The certificate references the original pickup manifest by reference number, closing the loop.
For BFSI and government engagements, we maintain certificates in our compliance vault for the longer of: 7 years (Maxicom default), the regulator-required retention period in the engagement jurisdiction, or the period specified in the master service agreement.
Common mistakes that fail audit
Drawing from 25 years of running these engagements, a short list of the failure modes that most often produce regulator findings — and how Maxicom's methodology avoids each.
Mistake 1: degaussing SSDs. SSDs are not magnetic media. Degaussing achieves nothing. We route SSDs to IEEE 2883 Sanitize or physical destruction, never degaussing.
Mistake 2: single-pass overwrite called "DoD wipe". DoD 5220.22-M is three-pass plus verification, not single-pass. Marketing copy that calls a single overwrite "DoD-grade" is a finding waiting to happen. We name the actual standard applied.
Mistake 3: bulk-job certificates with no per-asset detail. Regulators read these as "the vendor cannot prove this specific drive was sanitised". We issue per-asset certificates as standard.
Mistake 4: 6mm shred for SSDs. Individual flash chips on an SSD circuit board are typically smaller than 6mm; a 6mm shred can leave intact chips. SSDs need 0.5mm disintegration (or IEEE 2883 Sanitize before resale).
Mistake 5: missing the destruction-reason field on certificates where Reuse-First was overridden. Modern regulators ask "why was this asset destroyed instead of redeployed?". A blank field is a finding. We document the destruction reason on every Destroy-routed asset.
Mistake 6: gap in the chain of custody between pickup and destruction. Even if every other step is perfect, a 48-hour gap with no signed manifest is a regulator finding. Our manifests are signed at every transfer, with no unsigned hand-off windows.
Mistake 7: claiming NAID AAA membership without holding it. NAID AAA is a specific certification with annual audit costs. We operate to NAID-grade Protocol — the operational discipline — and we say so explicitly. False claims are a finding when audited.
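The per-asset certificate fields and the audit mistakes listed above can be checked mechanically before a certificate is accepted. The following is an added example, not Maxicom's code or format: a Python linter over certificate lines, where the field names (`serial`, `particle_mm`, `custody_ref` and so on) and the sample records are hypothetical and constructed for illustration.

```python
# Fields every certificate line must carry (field names are hypothetical).
REQUIRED = ("serial", "make_model_capacity", "classification", "level", "standard",
            "method", "tool_version", "command", "verification", "timestamp_utc",
            "facility", "operator_id", "custody_ref")
FLASH = {"ssd", "nvme"}
# Method-specific evidence: particle size, field strength, encryption algorithm.
EXTRA = {"shred": "particle_mm", "degauss": "field_tesla", "crypto_erase": "algorithm"}


def lint_certificate_line(asset: dict) -> list:
    """Return audit findings for one per-asset certificate line."""
    findings = [f"missing {f}" for f in REQUIRED if not asset.get(f)]
    media = str(asset.get("media", "")).lower()
    method = str(asset.get("method", "")).lower()
    extra = EXTRA.get(method)
    if extra and not asset.get(extra):
        findings.append(f"missing {extra} for method {method}")
    # Mistake 5: Destroy-routed asset without a documented reason.
    if asset.get("level") == "Destroy" and not asset.get("destruction_reason"):
        findings.append("missing destruction_reason (Reuse-First overridden)")
    if media in FLASH:
        if method == "degauss":  # Mistake 1
            findings.append("degaussing applied to flash media")
        if method == "overwrite":  # overwrite is not effective on SSD / NVMe
            findings.append("overwrite applied to flash media; firmware Sanitize expected")
        if method == "shred" and asset.get("particle_mm", 0) > 2:  # Mistake 4
            findings.append("shred particle size too large for flash media")
    if media == "tape" and method == "degauss" and 0 < asset.get("field_tesla", 0) < 1.4:
        findings.append("degausser below 1.4 T")
    return findings


def lint_certificate(lines: list) -> dict:
    """Map serial (or line number when the serial is absent) to its findings."""
    report = {}
    for i, asset in enumerate(lines, 1):
        findings = lint_certificate_line(asset)
        if findings:
            report[asset.get("serial") or f"line {i}"] = findings
    return report


# Constructed sample certificate lines (no real assets).
GOOD = dict(serial="HDD-0001", make_model_capacity="Example 4TB SAS", media="hdd",
            classification="internal", level="Purge", standard="NIST SP 800-88 Rev. 1",
            method="overwrite", tool_version="wipe-tool 1.0", command="overwrite+verify",
            verification="pass", timestamp_utc="2026-04-15T09:30:00Z",
            facility="Site A", operator_id="OP-17", custody_ref="PM-0042")
SSD_DEGAUSSED = dict(GOOD, serial="SSD-0002", media="ssd", level="Destroy",
                     method="degauss", field_tesla=1.4)
NVME_6MM = dict(GOOD, serial="NVME-0003", media="nvme", level="Destroy", method="shred",
                particle_mm=6, destruction_reason="failed drive")
BULK_STYLE = dict(GOOD, serial="")  # bulk-job line with no per-asset serial (Mistake 3)

if __name__ == "__main__":
    for key, findings in lint_certificate([GOOD, SSD_DEGAUSSED, NVME_6MM, BULK_STYLE]).items():
        print(key, findings)
```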
Authoritative references
Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.
Frequently asked questions
Is software wipe enough, or do I need physical destruction?
It depends on the data classification and the medium. For most retired enterprise media (BFSI laptops, server RAM, working enterprise HDDs at standard data classifications), NIST SP 800-88 Rev. 1 Purge — a firmware-verified multi-pass overwrite with cryptographic verification — is sufficient and consistent with Reuse-First, because the asset can then be redeployed. For top-classified drives (board materials, customer PII at scale, encryption key stores), regulators typically require physical destruction (6mm or 2mm shred) on top of the software wipe. We make the recommendation per asset; the data owner approves on the manifest before the destruction step.
What is the difference between Clear, Purge, and Destroy under NIST 800-88?
NIST SP 800-88 Rev. 1 defines three sanitisation levels selected by data classification and disposition path. CLEAR uses logical techniques (typically a single-pass overwrite) to defeat keyboard- and software-recovery attacks; acceptable for low-classification data redeployed within the same security boundary. PURGE uses techniques that defeat state-of-the-art laboratory attacks (multi-pass firmware-verified overwrite with cryptographic verification for HDDs; IEEE 2883 firmware Sanitize for SSDs; Cryptographic Erase for SEDs). DESTROY physically destroys the medium so that recovery is technically impossible (shredding, disintegration, pulverisation). Maxicom defaults to Purge for retired enterprise media being redeployed; Destroy for top-classified media or non-functional drives that cannot be Purged.
What is IEEE 2883-2022 firmware Sanitize, and how does it differ from overwrite?
IEEE 2883-2022 is the current authoritative standard for sanitising solid-state storage (SSD / NVMe). It defines two firmware-level commands: BLOCK ERASE (issues an erase to every flash cell including over-provisioned regions) and CRYPTO ERASE (destroys the internal Media Encryption Key, rendering encrypted data on flash unrecoverable). Multi-pass overwrite (DoD 5220.22-M, Gutmann) is not appropriate for SSDs because of wear-levelling, over-provisioning, and bad-block remapping — the controller does not necessarily overwrite the original flash cell. We issue the IEEE 2883 Sanitize command via the appropriate protocol (NVMe Sanitize, SCSI Sanitize, ATA Sanitize), capture the verification response confirming completion, and record the command + response on the per-asset Certificate of Destruction.
What is the DoD 5220.22-M three-pass overwrite, and is it still required?
DoD 5220.22-M is the U.S. Department of Defense National Industrial Security Program Operating Manual specification: three passes (write 0, write 1, write random + verify) for sanitising magnetic media. It was the de-facto standard for HDDs from 1995 until NIST SP 800-88 superseded it for civilian use in 2006. It remains contractually required in some U.S. federal procurement, defence sub-contracts, and BFSI engagements with legacy clauses. It is NOT effective on SSDs (overwrite does not work on solid-state media — IEEE 2883 Sanitize must be used instead). We execute DoD 5220 three-pass where contractually specified, name the standard on the certificate, and issue an exception note for any SSD received under a DoD-clause contract explaining the IEEE 2883 substitution.
What particle size does my regulator require — 6mm, 2mm, or 0.5mm?
Particle size is the largest residual fragment after shredding. Smaller is more secure but slower and more expensive. 6mm is the standard for retired enterprise HDD destruction and is acceptable under NIST 800-88 Destroy for HDD; sufficient for most BFSI and government engagements outside top-secret. 2mm is required by some regulators for top-secret material and by some BFSI internal policies for board-material drives; effective against the most advanced platter-recovery techniques. 0.5mm disintegration is used for SSD and NVMe physical destruction, because individual flash chips are small enough that 6mm shred can leave intact cells. The right size for your engagement depends on data classification, regulator, and threat model — we make the recommendation; the certificate names the particle size achieved.
What is degaussing, and when must I use it?
Degaussing exposes magnetic storage media (LTO/DLT tape, legacy floppy, certain HDDs) to a strong reverse magnetic field that randomises the magnetic domains storing data, rendering it unrecoverable. Modern LTO-9 tape has a coercivity of approximately 1.5 Tesla, requiring a degausser rated at ≥1.4 Tesla. Degaussing is destructive to the cartridge (it cannot be re-recorded) and we follow it with physical cartridge deformation as defence in depth. Per-cartridge serial number, degauss date, and field strength are captured on the certificate. Critical: degaussing is NOT effective on SSDs or NVMe (which store data in NAND flash cells, not magnetic media). We never route SSDs through a degausser.
What is Cryptographic Erase, and when does it count as Purge under NIST 800-88?
Cryptographic Erase destroys the Media Encryption Key (MEK) used to encrypt data on a self-encrypting drive (SED) or full-disk-encrypted volume, rendering the ciphertext on disk unrecoverable. NIST SP 800-88 Rev. 1 explicitly endorses Cryptographic Erase as a valid Purge method for SEDs and for AI accelerator memory with hardware-backed encryption. The certificate must document: the encryption algorithm (typically AES-256-XTS), the key destruction method (typically a firmware command that overwrites the MEK storage location), and the verification step. Important caveat: for drives that operated in plaintext mode (encryption disabled), Crypto Erase is NOT sufficient — we revert to NIST SP 800-88 Purge (multi-pass overwrite for HDD; IEEE 2883 Sanitize for SSD) or Destroy.
Can my information-security officer witness destruction?
Yes. Witness destruction is available at our facility with cleared-area protocols, CCTV recording, and dual-operator destruction; or on-site at your facility with mobile shred units. Your representative observes the asset list reconciled to the manifest, the destruction equipment in operation, the residue (shredded particles, degaussed cartridges, sanitisation verification responses), and the operator credentials. The witness signature appears on the Certificate of Destruction alongside the Maxicom operator signature and on the consolidated batch manifest. Witness destruction is contractually required for most BFSI top-classified material and government restricted-data engagements; it is available on request for any engagement.