Corporations have a bottom line to work under – this is an unfortunate reality of business, and it’s one that can’t be ignored. Costs need to be reined in, and expenses need to be weighed against the benefit they bring in order to be justified.
That being said, judging data destruction services on price alone is a dangerous practice – and one that might actually be illegal, depending on the process. While cost should certainly factor into the overall considerations, depending solely on the price metric is missing a huge point.
In this piece, we’re going to discuss the issue of price as it relates to data destruction services. We’ll talk about exactly why using price as the sole metric is dangerous, and offer up some situations in which it might actually be illegal.
Note: we are not lawyers. Our advice here is based on our understanding as IT professionals and is not to be taken as legal advice or legal materials.
Why It’s Dangerous
Let’s say you’ve got a three day weekend, and you and a bunch of friends go out on the lake. While on the lake, your friend injures themselves badly and needs emergency attention. What’s the first thing going through your mind? Is it whether or not the closest emergency services are in their insurance network?
That might seem crazy, but that’s basically what businesses are doing when they choose a provider with cost as their primary factor. The simple fact is that any service handling data is necessarily exposed to all of the issues related to the handling of that data. While this isn’t a bad thing, and is instead simply a basic fact of doing business, mitigating these issues is incredibly important – just as important as getting those emergency services.
The problem is there, and it needs to be fixed – but choosing on price alone is missing a bunch of data points that need to be considered.
Quality of Deletion
First and foremost, the quality of the program used should be considered. Anyone with a rudimentary understanding of data and a knowledge of programming can make a program to write empty data to a hard drive.
Getting this writing done in such a way that it removes all forensic traces of the data is not something that just anyone can do, and suggesting that a free program is just as good as a program such as ClaraWipe, with no consideration other than price, simply misunderstands this.
There’s a popular saying that summarizes this point rather succinctly – you get what you pay for. We’re not saying a free or cheap solution can never get the job done – in some cases, the free solution looks good on paper.
What happens, though, when this solution runs into an issue? This is where you run into the problem with free and cheap data destruction. Having long-term support is invaluable, and this is generally not something that you get with free solutions.
Another factor to consider is whether the solution you choose supports all device types and all sectors on a drive. ClaraWipe not only performs absolute data erasure for all device types, but it works across the entire drive, including the HPA, DCO, and remapped sectors. Not only that, ClaraWipe provides full support for flash-based media and solid state drives (SSDs), which free utilities do not support.
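To make the HPA point concrete, the following added example (ours, not ClaraWipe’s code) models a drive as an in-memory byte buffer whose last few sectors are hidden from the OS, shows that a wipe covering only the reported capacity leaves that hidden area intact, and reads back every physical sector to verify the result. All sizes and the sample data are constructed for illustration.

```python
import random

SECTOR = 512  # bytes per logical sector

def make_drive(total_sectors, hpa_sectors, seed=7):
    """Constructed in-memory drive image filled with pseudo-random 'user data'.
    The last hpa_sectors form a Host Protected Area, so the OS only reports
    total_sectors - hpa_sectors as the drive's capacity."""
    rng = random.Random(seed)
    data = bytearray(rng.getrandbits(8) for _ in range(total_sectors * SECTOR))
    reported = total_sectors - hpa_sectors
    return data, reported

def naive_wipe(drive, reported_sectors):
    """Overwrite only the capacity the OS reports: the HPA is never touched."""
    drive[: reported_sectors * SECTOR] = bytes(reported_sectors * SECTOR)

def full_wipe(drive):
    """Overwrite the entire physical extent of the drive, HPA included."""
    drive[:] = bytes(len(drive))

def verify_wipe(drive, reported_sectors):
    """Read back every physical sector and report those still holding data,
    split into the visible range and the hidden range beyond reported capacity."""
    dirty = [i for i in range(len(drive) // SECTOR)
             if any(drive[i * SECTOR:(i + 1) * SECTOR])]
    return {
        "visible_residual": [i for i in dirty if i < reported_sectors],
        "hidden_residual": [i for i in dirty if i >= reported_sectors],
        "clean": not dirty,
    }

if __name__ == "__main__":
    drive, reported = make_drive(total_sectors=64, hpa_sectors=8)
    naive_wipe(drive, reported)
    print(verify_wipe(drive, reported))   # hidden_residual lists sectors 56..63
    full_wipe(drive)
    print(verify_wipe(drive, reported))   # clean: True
```

The verification step is the part worth copying: a wipe should be judged by reading back the whole physical device, not by the tool’s own report of what it wrote.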
Adherence and Compliance
If you are handling data, you will invariably be subject to laws and regulations that you must comply with. Accordingly, failing to comply with these laws is a huge issue, both in terms of economic and legal implications.
While free solutions will not necessarily always fail to comply with these laws and regulations, the simple fact is that judging based on price alone, and not on whether or not the solution properly adheres to said laws and regulations, opens you up to the punishments noted above.
There’s additionally the concern of certification. The data destruction industry has many data-specific certifications that communicate an ability to effectively manage data in compliance with regulations and best practices. Generally speaking, free and cheap solutions do not always offer these certifications, and if they do, they offer them only as a reference point regarding the developers, not the product itself.
Certification is vitally important in this space, especially when considering the handling of specific data covered under HIPAA, HITECH, and other industry-specific data protection legislation. While certification is not a guarantee of quality, it is a guarantee that, at the very least, the developer of the solution cares enough about the data they intend on handling to understand the laws surrounding it.
Negligence and the Gray Area of Legality
Simply said, choosing based on price alone is dangerous. It allows certain concepts to be ignored and prioritizes saving what amounts to pennies in the long run against the possible loss of hundreds of thousands or millions due to data handling mishaps. But it’s just an economic concern, right?
Wrong. There’s a huge legal concern here in the form of negligence. Negligence is the idea that a company, individual, or organization willfully and knowingly made a choice that ultimately harmed their customers in a demonstrable, obvious way. This harm may be in the form of loss of security, loss of data, or economic loss.
Negligence is a huge concern not only in the direct form – i.e. civil suits and other such legal proceedings for immediate damages – but also has serious implications for punishments under certain legislation.
For instance, under the EU Data Protection Directive, negligent handling of data can result in dramatically increased fines and punishments. These fines can easily reach into the hundreds of thousands, but the chief concern here is that of legal responsibility. Courts are capable of forgiving certain data breaches that are not willful, or that happen to a corporation that has protections on its data – this forgiveness goes out the window, however, the second you are found negligent.
Negligence also has long-term ramifications in terms of public image. It’s one thing if a group of hackers breaches your data because they’re skilled, or a third-party vendor you rely on failed to update their service. It’s another thing entirely if the cause is your failure to properly secure assets, your failure to properly consider threats to data, and principally, your choice to save some money rather than protect people’s intimate and private data.
Data destruction is not a golden ticket to data protection. Destruction only works insofar as the data is properly handled and deleted – improper data deletion is, in many ways, almost worse than no data destruction at all, as it not only fails to do what you intended it to do, it gives a false sense of security that results in lax security practices and cultures internally.
Simply speaking, the best solution is not always the free one – and choosing only based on this metric is dangerous, and possibly illegal.
Accordingly, you should pick a great solution based on the fact that it’s great, not free. ClaraWipe is a gold-standard data destruction solution that utilizes some of the best data destruction methodologies to securely erase data. ClaraWipe meets or exceeds the following industry standards:
• Sarbanes-Oxley Act (SOx)
• HIPAA & HITECH
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• US Department of Defense 5220.22-M
• CSEC ITSG-06
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU Data Protection Directive of 1995
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill 1386
Choosing ClaraWipe is a smart choice, but no matter what you do, always remember – choose based on quality, not on price.