Information Disposition’s Most Common Misconceptions (Part 2)

The second installment of our two-part series dispelling common information destruction misconceptions that put organizations at risk:


We only have to worry about data protection regulations in our state.

Because most other types of regulation apply only in the state in which an organization is located, many businesses mistakenly disregard the data protection and privacy regulations of other states and countries.

Reality: Data protection and privacy regulations are not limited to the jurisdiction in which a business is located. They also apply in 1) the states in which business is conducted and/or 2) the states in which customers or employees reside. This cross-border application is not limited to the data protection and privacy laws of different states; it applies to international data protection regulations too. Many organizations, such as universities, airlines, insurance companies, major hotel chains, and healthcare organizations, must also consider the regulations of other countries, since they routinely collect the personal information of non-US citizens. The borderless nature of modern data protection regulations also means that data destruction and other data protection service providers must comply with these broader regulations, insofar as their clients handle the personal information of people from other states and countries.


Many of our vendors have nothing to do with data security, so we don’t need to verify their data destruction or other data protection procedures.

Data security is often treated as a non-issue when hiring vendors that were not engaged for a security-related purpose, and, as a result, their data destruction and other data protection procedures are never examined.

Reality: Whether it's the subcontractor hired to manufacture a proprietary part, the cleaning service that will have access to offices after hours, or the outsourced accounting or IT managed services, the list of vendors to which data security applies is much longer than most organizations realize. From specific security and regulatory contract language to background screening, employee training, and data destruction practices, data protection and privacy measures should be embedded in the relationship from the start and then verified, not merely promised. The unfortunate truth is that vendors that are not typically considered under the banner of data security are most often the weak link in an organization's data protection compliance.


Pressing the delete button erases the information from the computer.

To the unsophisticated computer user, pushing “delete” makes the information go away.

Reality: It doesn’t. On most desktop systems the first “delete” merely moves the file to a Trash or Recycle Bin folder, and emptying that folder does only the following: the file system removes the entry that links the name to the file’s contents (document, spreadsheet, email, etc.) and marks the space the contents occupied as free, so the computer may overwrite it with new data if and when it needs to. Until that happens, the bytes are still on the disk, and widely available file-recovery and forensic carving tools (PhotoRec and TestDisk are two free examples) can retrieve them by scanning the raw storage for recognizable file headers instead of consulting the directory. Solid-state drives differ in the details: the TRIM command and the drive’s own garbage collection may eventually purge freed blocks, but on a schedule the user neither controls nor can verify, and wear-levelling leaves copies of data in locations the operating system cannot address. The practical conclusion is the same for both: pressing “delete” is not data destruction.
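The behaviour described above, as an added example that is not part of the original article: a toy block-device model (a directory table, a free-block list, and raw data blocks) that is a deliberate simplification, not any real file system. An ordinary delete drops the directory entry and frees the blocks, yet a header/footer carver that ignores the directory still recovers the document; overwriting the blocks before freeing them is the contrast. The file name, the `%PDF-`/`%%EOF` markers, and the payroll figures are constructed sample data.

```python
"""Toy disk model: why 'delete' does not erase data (added example, simplified)."""
from dataclasses import dataclass, field

BLOCK_SIZE = 16   # bytes per block; deliberately tiny so the layout stays readable
N_BLOCKS = 64


@dataclass
class ToyDisk:
    blocks: bytearray = field(default_factory=lambda: bytearray(BLOCK_SIZE * N_BLOCKS))
    directory: dict = field(default_factory=dict)        # file name -> list of block numbers
    free: list = field(default_factory=lambda: list(range(N_BLOCKS)))

    def _span(self, block: int) -> slice:
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate blocks from the free list and copy the data into them."""
        needed = -(-len(data) // BLOCK_SIZE)             # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = used

    def read_file(self, name: str) -> bytes:
        """Normal path: look the name up in the directory, then read its blocks."""
        raw = b"".join(bytes(self.blocks[self._span(b)]) for b in self.directory[name])
        return raw.rstrip(b"\x00")

    def delete(self, name: str) -> None:
        """Ordinary 'delete': forget the name and free its blocks. The bytes are untouched."""
        self.free.extend(self.directory.pop(name))

    def shred(self, name: str) -> None:
        """Overwrite the file's blocks before freeing them, then delete the entry."""
        for b in self.directory[name]:
            self.blocks[self._span(b)] = b"\x00" * BLOCK_SIZE
        self.delete(name)

    def carve(self, header: bytes, footer: bytes) -> list[bytes]:
        """Recovery without the directory: scan the raw medium for header...footer.

        This is the same idea as header/footer file carving in forensic tools.
        """
        raw = bytes(self.blocks)
        found, pos = [], 0
        while (start := raw.find(header, pos)) != -1:
            end = raw.find(footer, start + len(header))
            if end == -1:
                break
            found.append(raw[start:end + len(footer)])
            pos = end + len(footer)
        return found


# Constructed sample document with a recognizable header and footer
# (loosely modelled on how PDF files begin and end; the figures are made up).
HEADER, FOOTER = b"%PDF-", b"%%EOF"
SAMPLE = HEADER + b"1.4 payroll: alice 120000, bob 95000 " + FOOTER


def demo_delete_then_carve() -> tuple:
    """Delete normally; return (gone from directory?, what a raw carve still finds)."""
    disk = ToyDisk()
    disk.write_file("payroll.pdf", SAMPLE)
    disk.delete("payroll.pdf")
    return "payroll.pdf" not in disk.directory, disk.carve(HEADER, FOOTER)


def demo_shred_then_carve() -> tuple:
    """Same, but overwrite the blocks before freeing them."""
    disk = ToyDisk()
    disk.write_file("payroll.pdf", SAMPLE)
    disk.shred("payroll.pdf")
    return "payroll.pdf" not in disk.directory, disk.carve(HEADER, FOOTER)


if __name__ == "__main__":
    print("after delete:", demo_delete_then_carve())   # entry gone, carve recovers the document
    print("after shred: ", demo_shred_then_carve())    # entry gone, carve finds nothing
```

In the first run the directory no longer knows the file, but the carve returns the full document; in the second the overwrite leaves the carver nothing to find. Real file systems add fragmentation, journals, and (on SSDs) controller-managed copies the host cannot address, which is why overwrite-based tools are a sanitization method for magnetic media only and SSDs need the drive's own sanitize command or physical destruction.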


Transferring unlimited liability to the service provider better protects us.

It is natural to hold others responsible for the damages they cause. It follows, therefore, that when hiring a data destruction company, a client might think it perfectly reasonable for that vendor to financially indemnify them to an unlimited amount.

Reality: The “unlimited liability” concept is misguided on several levels. Any contractual indemnification clause is only as good as the insurance behind it, and there is no such thing as an insurance policy without a cap on claims. Expecting (or believing) that any service provider can or will cover anything beyond the limit of its insurance is unrealistic. Ironically, a client should actively avoid (i.e., run the other way from) a service provider that is willing to take on unlimited liability, since 1) it clearly does not have unlimited coverage, and 2) it is misleading the client by indicating that it can cover an unlimited amount. The better approach from the client’s perspective is to set a reasonable indemnification amount, based on the value of the business transacted, and then verify, by requesting the certificate of insurance, that the service provider actually carries the corresponding coverage.