A factory reset might have been enough a decade ago; today it is only a basic requirement for businesses. Things have evolved, and the security landscape has become more advanced.
True data security is not just about handling what is visible – it is about removing what could be possible. And the “factory reset” approach, which simply aims to return a device to its pre-owned state, is not enough.
In this world, where a single data leak might cost a huge amount of money, choosing the right process is crucial. Read more to understand why business data security needs more than a factory reset.
Key Takeaways
- A factory reset is a good start for safety purposes, but it is not the end of it.
- Data can still be present in parts – even when the device looks clean to you.
- Ensuring proper erasure of data by a professional is no longer a luxury – it is a standard now.
Devices may look “clean” at first sight, and although personal files, accounts, and most settings are typically cleared effectively, parts may persist, and external storage, such as SD cards, may retain data unless it is cleaned separately.
Devices may also still contain installed apps and their data, saved passwords and account credentials, custom settings and adjustments, text messages and call history, WiFi passwords, network settings, browser history, saved logins, and personal files.
The latter can include photographs, videos, and documents. Although factory resets clearly overwrite information, many smaller pieces of data may still be recoverable.
For these reasons, many businesses hand over their old devices to trusted partners specializing in buying devices and undertaking certified data erasure. Devices can retain not only data but also malware, including rootkits and firmware-level attacks.
Often, dedicated software is needed not only to remove files and erase settings but also to ensure compliance and provide device tracking.
NIST 800-88 is just one certification to consider. Depending on where a company finds itself, it may need to comply with additional or optional requirements. The main global and regional regulations include the GDPR, which defines data protection in the EU.
These regulations define the need for secure deletion of personal data when it is no longer needed, requiring that destruction methods prevent data reconstruction. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. asks covered nonprofit organizations and business associates to securely dispose of protected health information (PHI) in both paper and electronic form, including by overwriting, degaussing, or destroying.
Meanwhile, the California Consumer Privacy Act requires businesses to delete personal customer information and to securely rid themselves of unnecessary data. There are also consumer credit and financial data rules, as well as country- and sector-specific rules that must be followed.
Data security extends long after a device is erased. In fact, devices pass through many physical and manual steps from the time they leave a company’s office until their final processing.
It is vital for companies that want to maintain their reputation to control the chain of custody—the documented, solid trail indicating where the device went, who handled it, how it was stored, and how it was handed over.
Without controlling the chain of custody, companies risk losing data to attackers who intercept, steal, or interfere with devices.
Working with people who specialize in data erasure is vital, as companies cannot simply dispose of devices and hand them to unrelated sellers the way they would any data-free device. Without tracking, seals, and signatures, they cannot prove to customers that their devices stayed secure until erasure or destruction.
During the chain of custody, devices are given barcodes, signed logs, and robust packaging. GPS-tracked transport is used, and secure facilities are chosen to close key security gaps and give customers certified records.
At the end of the day, a factory reset may seem like the end of the job, but it is not. Old devices can still carry some parts of sensitive data, and for a business, even small leaks can lead to major consequences.
Old devices are not just pieces of hardware; they are large containers storing past activities and decisions made. Real security comes when the basics are pushed further and it is ensured that no traces remain.
No, it just removes the visible data, not the parts that hide deep down in the structure.
Things like saved passwords, documents and even app data can sometimes be recovered later.
Yes, even a small leakage of customer information can result in various security issues and legal troubles.