As more and more state and national governments started enacting data security legislation with significant civil penalties, Fortune 500 companies began developing plans for the destruction of legacy data on end-of-lifecycle equipment. KruseCom’s predecessor companies established an early lead in the provision of data destruction and data security services. Large banks and brokerage firms engaged our companies to overwrite or destroy their surplus hard drives.
Of course, there are other ways to destroy data. Corporations can buy the same tools that we employ. They can acquire overwriting software, degaussers, or crushers, and they could destroy their own data. Companies can delegate the data security process to their internal information technology staffers.
One story in particular illustrates the ramifications of these difficult decisions. Our data security division engaged one of the largest retail companies in the US, offering to provide data destruction services. We demonstrated our data destruction and certification processes, and proposed that we provide those services for the retailer. Ultimately, the retailer decided not to outsource this task. The retailer felt they could save on fees by assigning the data security task to their internal staff. So the decision was made to do the work in-house, and then sell the surplus to KruseCom’s parent company.
Preparing the surplus equipment for resale, we found that some percentage of the equipment still contained data. Some of the units were slipping through the retailer’s internal procedure. Somewhat naively, we notified the retailer that their process was not foolproof, thinking that fact would demonstrate the necessity to outsource data security to our data security team. Imagine our surprise when the retailer reacted negatively to hearing the truth. They did not appreciate that feedback.
In hindsight, it’s clear that we had exposed a flaw in the retailer’s internal operations. We had effectively “caught them speeding”. Key executives “lost face” in light of this scrutiny, and they did not appreciate our assistance. That business relationship immediately ended.
However, we learned a valuable lesson. ONE CANNOT INDEMNIFY HIMSELF.