Every business that’s ever retired a computer, decommissioned a server, or upgraded a storage array has faced the same question: what do we do with the old drives? The most common answer — “just delete everything and get rid of it” — is also the most dangerous one.
The reality is that deleting files does not destroy data. Not even close. And for businesses handling customer information, financial records, healthcare data, or proprietary IP, that gap between “deleted” and “destroyed” is where data breaches happen.
This post breaks down why standard deletion fails, what certified data destruction actually involves, and what your organization should be doing before any piece of storage media leaves your control.
What Actually Happens When You “Delete” a File
When you delete a file on a computer — whether you drag it to the trash, empty the recycle bin, or even format the entire drive — the actual data isn’t removed. What gets removed is the pointer that tells the operating system where that file lives on the disk.
Think of it like ripping the table of contents out of a book. The chapters are all still there. You just can’t look them up by page number anymore. But anyone with the right tools can still read every page.
This is true for traditional hard disk drives (HDDs), and it’s also true — with some nuances — for solid-state drives (SSDs) and NVMe storage. The data persists on the physical media until it is deliberately and thoroughly overwritten or the media is physically destroyed.
Free and commercially available data recovery software can retrieve “deleted” files in minutes. This isn’t theoretical — it’s how data breaches involving disposed equipment actually happen.
The Real-World Cost of Improper Data Disposal
Data breaches caused by improperly disposed IT equipment aren’t hypothetical. They happen regularly, and the consequences are severe.
Regulatory penalties under frameworks like HIPAA, PCI-DSS, GLBA, SOX, and FERPA can reach into the millions. But the financial penalties are often just the beginning. Businesses also face litigation from affected customers, mandatory breach notifications, reputational damage, and loss of trust that takes years to rebuild.
In Texas, the Texas Identity Theft Enforcement and Protection Act requires businesses to destroy customer records containing personal identifying information by shredding, erasing, or otherwise making the information unreadable before disposal. Failure to comply can result in penalties of up to $50,000 per violation.
The common thread in almost every disposal-related breach is the same: someone assumed that deleting files or formatting a drive was sufficient. It wasn’t.
What Certified Data Destruction Actually Means
Certified data destruction is the process of permanently eliminating all data from storage media using methods that are verifiable, documented, and compliant with recognized standards. It’s the difference between assuming data is gone and proving it.
The gold standard for data sanitization in the United States is NIST Special Publication 800-88, Revision 1 — “Guidelines for Media Sanitization.” Published by the National Institute of Standards and Technology, NIST 800-88 defines three levels of media sanitization:
Clear
Applies logical techniques to sanitize data in all user-addressable storage locations. This is the most basic level — essentially a thorough overwrite using software tools. Effective against straightforward data recovery methods but may not address data in hidden or inaccessible areas of the drive.
Purge
Applies physical or logical techniques that render data recovery infeasible using state-of-the-art laboratory techniques. For HDDs, this typically means multiple-pass overwriting with verification. For SSDs and NVMe drives, it involves using the manufacturer’s built-in secure erase or cryptographic erase commands. Purge is the standard most businesses should target for drives being reused or resold.
Destroy
Renders the media physically unusable and data recovery impossible by any known means. Methods include shredding, disintegration, incineration, or degaussing (for magnetic media). This is reserved for the highest-sensitivity scenarios or drives that can’t be reliably purged.
Certified data destruction means the process follows one of these defined levels, is performed using validated tools and methods, and produces documentation — a certificate of data destruction — that records what was done, when, and to which specific media (typically identified by serial number).
HDDs vs. SSDs vs. NVMe: Why the Method Matters
Not all storage media can be sanitized the same way. The method that works for a traditional spinning hard drive may be completely ineffective on a solid-state drive.
Hard Disk Drives (HDDs)
HDDs store data magnetically on spinning platters. They’re the most straightforward to sanitize. Software-based overwrite tools can write patterns across every sector of the drive, and verification passes can confirm the data is gone. Degaussing — exposing the drive to a powerful magnetic field — is also effective for HDDs and renders the drive completely inoperable. For physical destruction, shredding is the standard.
Solid-State Drives (SSDs)
SSDs store data on flash memory chips and use internal controllers to manage where data is physically written. This creates challenges for sanitization because the drive’s controller may remap bad blocks, maintain over-provisioned areas, or use wear-leveling algorithms that move data around in ways that are invisible to software overwrite tools. The most reliable sanitization method for SSDs is using the drive’s built-in ATA Secure Erase or Cryptographic Erase command, which instructs the controller to wipe all flash cells — including areas not accessible through normal I/O.
NVMe Drives
NVMe drives face similar challenges to SATA SSDs but communicate over the PCIe bus and use the NVMe command set. Sanitization requires issuing an NVMe Format or NVMe Sanitize command, which triggers a controller-level wipe. Not all NVMe drives implement these commands identically, so verification is critical.
The takeaway is that a single “one-size-fits-all” approach to data wiping doesn’t work. Any credible data destruction provider needs to understand the media types involved and apply the appropriate method for each.
What to Look for in a Data Destruction Provider
If you’re outsourcing data destruction — whether as part of an IT equipment pickup, a decommission project, or a standalone service — here’s what to look for:
Documented process aligned to NIST 800-88. The provider should be able to explain exactly how they sanitize each type of media and at what NIST level.
Certificates of data destruction. Every job should produce a certificate that identifies the specific drives processed (by serial number), the method used, the date of destruction, and the responsible party. This is your audit trail.
Chain of custody controls. From the moment drives leave your facility to the moment they are sanitized or destroyed, there should be a clear, documented chain of custody. Drives should never be left unsecured or unaccounted for.
Ability to handle mixed media types. Real-world IT environments have HDDs, SSDs, NVMe drives, tape, and more. Your provider should have the tools and expertise to handle all of them appropriately.
On-site options when needed. For the most sensitive scenarios, some organizations require data destruction to happen on-site before any equipment leaves the building. A good provider should be able to accommodate this.
How GreenIT Pickup Handles Data Destruction
At GreenIT Pickup, data destruction is built into our pickup and disposition workflow — not bolted on as an afterthought.
When we pick up IT equipment from businesses across Dallas-Fort Worth, all storage media is handled under a strict chain of custody from the moment it leaves your facility. We offer both software-based data sanitization aligned to NIST 800-88 standards and physical destruction for drives that require it.
Every sanitization job produces a certificate of data destruction documenting the drives processed, the method used, and the date of completion. Whether you need documentation for HIPAA compliance, PCI-DSS audits, or internal governance requirements, we’ve got you covered.
If you’re getting ready to retire IT equipment and want to make sure your data is handled properly, we can help. Schedule a free pickup and we’ll take care of the rest — equipment removal, data destruction, and responsible disposition, all in one service.
The Bottom Line
Deleting files is not data destruction. Formatting a drive is not data destruction. Even a factory reset is not data destruction. If your organization is retiring IT equipment without following a certified, documented data sanitization process, you’re carrying risk that’s entirely avoidable.
Certified data destruction — performed to NIST 800-88 standards, with a verifiable chain of custody and a certificate of completion — is the only way to know that your data is actually gone.
Don’t leave it to chance. Talk to us about secure IT equipment disposal in DFW →
GreenIT Pickup provides free IT equipment pickup and certified data destruction services across Dallas-Fort Worth. We’re operated by FitzgeraldTech LLC and backed by deep expertise in enterprise IT hardware and data security.