For what it's worth, the new HIPAA (Health Insurance Portability and ACCOUNTABILITY Act) imposes fines of $250,000 per occurrence for any breach of data that can be pinned to you. Most medical facilities are requesting drives be shredded in the presence of someone from the medical group. Banks and financial institutions are under similar requirements, although the fines are about 1/3 of HIPAA. Still very steep. There are almost a dozen different federal laws dealing with data loss and related fines, so we feel it is not worth the time and risk to sell hard drives.
Breaks my heart, but we degauss (magnetically erase) EVERY drive as soon as it comes in, and the serial numbers are recorded in our database along with where they came from. Boards are then removed and we use a 5 ton log splitter fitted with a bracket to hold the drive and a 1" punch that aligns with the drive motor. About 2" of travel is all that is required to punch the motor into the drive housing and shatter the platters. From there they are sold as Al. breakage. If requested, we will process drives at the customer's location and we can provide a DVD of the process for a small fee. A Certificate of Destruction is standard and lists the serial numbers of all drives destroyed and the manner in which it was done.
Short of spending $10,000 for a drive shredder, this offers the best risk management for the least amount of time and money. I know some of the people on here erase drives with approved multi-pass software, but for us it isn't worth the time.
Finally, it goes without saying that a good liability insurance policy is in order.