The History and Future of Data Destruction: Interview with Bob Johnson of i-SIGMA

Steve Sidwell:

On this episode, we interview Bob Johnson, the CEO of i-SIGMA. In 1994, Bob founded NAID, the world’s most prominent and non-profit data destruction industry organization. During our interview, Bob explains NAID’s merger with PRISM to create i-SIGMA, how the cloud is changing data destruction, NAID certifications, and the future of data, and so much more. Brace yourself, you’re now entering The Tech Bench Podcast.

  (music)

   Well, Bob, just want to introduce yourself real quick so the audience can see who you are.

Bob Johnson:

Well, sure. Bob Johnson, CEO and executive director of i-SIGMA. Now, i-SIGMA is a rather new name on the information disposition and governance front. Recently, as you might know, NAID, the National Association for Information Destruction, which I founded 25 years ago, merged with PRISM which is the Professional Records and Information Services Management Association. So, I know that’s a lot of alphabet soup, but they were an organization that was largely made up of information governance professionals, so with NAID and PRISM merging, we formed the International Secure Information Management and Governance Association.

NAID and PRISM International haven’t gone anywhere. Both organizations exist as divisions of i-SIGMA and so their brands and their certifications are still very relevant and active in the marketplace, but I’ve been involved in information disposition my entire adult life, I mean literally since graduating high school when I started an information destruction services, and so for almost 40 years now I’ve been involved in this world and it’s been interesting to watch it unfold over those decades.

Steve Sidwell:

That’s fantastic. I just want to mention too, thank you so much for coming on The Tech Bench Podcast. I feel like NAID certification has been a pretty big thing for us here and I’m wondering how the NAID certification plays with NAID membership and where NAID kind of came from, I guess if that makes sense?

Developing the NAID Certification

Bob Johnson:

Mm-hmm (affirmative). No, it makes perfect sense and it’s worth clearing up because it is often a source of confusion. So, NAID was started 25 years ago as a trade association for companies that do what Liquid Technologies does, which is help their clients by properly disposing of their retired information. Now, back in those days, it was largely physical destruction of paper media, as well as hard drives in computers at the time, but mostly paper. So, it’s a trade organization like any trade organization would be for an industry, and to be a member you simply pay your membership dues and meet some basic qualifications. Of course, you’re subject to the Code of Ethics. But then along the way, of course, one of the challenges for our industry, and it continues to be a challenge, are the qualifications of those service providers, and obviously, at the membership level, there’s no thorough investigation of the qualifications and operating standards of the organizations, it’s just not possible.

So, we created, now let’s see, 17 years ago, so about eight years into our process, we created a certification program and with the idea that customers, although the regulations required them to verify the qualifications of their vendors when they hire a vendor, they’re trusting that vendor with confidential information, often under-regulated information. The regulations required that they vet them to a certain standard and they make sure that they’ve got certain qualifications, but the thing is most organizations that were subject to those regulations, the data controllers, the hospitals, and the financial institutions, and virtually every business these days, they didn’t really have the tools to be able to evaluate those qualifications. So, the NAID certification program is separate from NAID membership. It’s kind of an additional benefit that companies like yours, and I know you’re NAID certified for about everything we have, they’re able to … We go in with the certification program and we validate that those organizations meet all of the security and regulatory requirements so that they’re compliant with the regulations.

Now, we’re checking the things, in other words, that the customer is hypothetically supposed to be checking but wouldn’t necessarily know how to do. The other thing we do it on an ongoing basis, which it’s very common, of course, for a data controller, a customer, to hire a service and maybe that then initially, even if they know what they’re doing, but then not monitor it on an ongoing basis, so certification does all those things. The ironic thing about that is that in a certain way, the company that’s become NAID certified has done a favor or done a service for their customer because literally customer supposed to be checking those things, and the fact that they’re NAID certified means that they can go to their customer and say, “Well, these are the things you’re supposed to be looking for. We have this third-party organization that looks after these things and verifies them for you so you know that we’ve got them in place already.” And that way, you’ve help the client by making the client more compliant with the regulation because the client now knows that their vendor meets those standards.

Steve Sidwell:

Yeah, I feel like that’s such a really important part of it too is that, frankly, for so many of these companies need to do that type of work. Whatever their job is, whether it be data controller, or security, or facilities, or whatever it is, what it’s not necessarily, is knowing what the right standards are for paper-shred widths, or for destroying CDs, or whatever different type of media it is that they need to get rid of, or how long it should be able to sit around for, or any of this type of stuff, having a [inaudible 00:07:20] system, kind of where they can look to that and say, “All right, well, we know that this is right and we know it’s going to be right across the board, so that if we have different facilities in different locations if we have New York and LA and whatever, we know we can hire most of those locations and they’re all going to be the same, so our standards don’t have to change with each of our different locations, all the rest.” A.

And then B, I feel like data security and data destruction changes a lot over time as media gets more dense, or as printing technologies change, all that kind of stuff. I know that NAID’s standards have changed for shredding, at least once or twice over the years, so having something where the customer knows that they’re going to be able to just rely on say, “Okay, this is what it is now, but as it changes, as the regulations change, I don’t have to keep watching that. I do, but I can just get on with the rest of my job and know that as long as they’re maintaining certification, and they trust NAID, then I’m pretty much fine and I can just kind of tick the box for my boss and say I’ve done the work.”

Bob Johnson:

Well, and you’re exactly right. And compliments for picking up on that, and it’s important that the listeners understand that that’s the case, and I can give you some examples. When HIPAA had already been in existence for 12 or 13 years, when it was amended dramatically by the HITECH amendments in 2009, and in that amendment, it required breach notification, language, it required breach notification across the country related to protected health information, and a range of different things to the point where it required a new contract be in place. So, when we had to do some dramatic overhauling for the NAID certification program to make sure that we met those requirements, and now with the GDPR in which is coming from Europe but is sending ripples around the world, even in the United States where you’ve got California that just passed the law which mirrors much of the general data protection regulation in Europe, you’ve got Colorado which just passed a dramatic law that requires written information, destruction policies and procedures for any organization that’s got protected or personally-identifiable information, and all of those things are changing so rapidly that we’ve got to modify our certification programs to make sure we’re doing our job of vetting those qualifications.

So, many clients wouldn’t understand, quite understandably, they wouldn’t know that they now needed to make sure that the service provider is training their employees on their breach notification requirements, so that management can then fulfill their breach notification requirements to the client. So, those types of things is they kind of sneak into the laws, we need to respond to them.

Steve Sidwell:

Absolutely. Especially too with it being on a state by state basis and not coming at the federal level, whatever the laws are in California, is that I’m based in New York, I know that, obviously, whatever kind of business we’re doing in California, we have to comply with the laws there, but if you’re doing a one-off in Colorado, well, are you really going to research all the laws for that? Like, yeah, I guess you’re going to have to, but you still got to know that’s it compliant. So, for a firm that stores data or houses data, just even if you have data co-located at data centers, you still need to make sure that where your co-los are it’s going to be safe according to the same rules and regulations that you have where you are and throughout your company. So, having somebody know that they’re going to be compliant I feel like it’s such an asset. Also, you can do like-

Bob Johnson:

Well, your customers are lucky that you [crosstalk 00:11:28].

Steve Sidwell:

Sorry?

Bob Johnson:

I was just going to say, your customers are lucky to have somebody that realizes that.

Steve Sidwell:

Yeah, I feel like it’s such a big part of it. One of the things too that you mentioned is part of the certification program is that you guys basically take care of the what effectively are vendor audits, right, for these companies.

Bob Johnson:

Mm-hmm (affirmative).

Unannounced Audits Keep NAID Certified Companies in Compliance

Steve Sidwell:

So, you do I think annual audits for some of the stuff, and you also do bi-annual audits for paper, I think it is, but one of the things that NAID does that I always really like is that there’s surprise audits, which for everybody that’s listening that means that NAID can come and knock on your door at any time and say, “Hi, I’m from NAID and here’s my paperwork, and call central and make sure that I’m for real.” That they can just walk through your facility and make sure you’re doing the right thing on a day-to-day basis and that’s such a … I mean, one of the reasons that we wanted to become NAID certified is to be able to just talk about this. I feel like it’s such a strength, whereas opposed to you have to pass an audit once a year and then you kind of can go back to doing whatever, you can’t.

Bob Johnson:

Yeah. Well, we realized that right on, and right away, NAID did not start off with unannounced audits, we introduced them probably six or seven years into the program. We realized all the time that a scheduled, annual audit was easy to prepare for, and I would be less truthful if I said we couldn’t tell, so when an auditor would go in and they could tell that over the course of the last week they had readied themselves, and so to address that, we decreased the percentage of scheduled audits and we introduced an unannounced audit. And it’s a very, I mean we’re very proud of our unannounced program in that there’s no day of the week, literally, that a NAID certified company is sure that an auditor won’t show up, and we outsource that to a certified public accounting firm, and the algorithm they use is actually generates names in a pattern that we’ve had, literally had NAID board members who have had two or three audits in a one month period and we’ve had a couple of cases where unannounced audits have been done with only a few days in between them, and the reason that’s so important is that we don’t want someone relaxing, necessarily, the day after they’ve had an unannounced audit, that they’re in the clear for a while.

Steve Sidwell:

[crosstalk 00:14:08].

Bob Johnson:

The other thing that can happen though, and again, being candid on this, is that we also notice that because it is luck of the draw and random there were some companies that were going a longer period of time without an unannounced audit, so we actually modified the algorithm that’s used to introduce something that increases the likelihood of the random drawing, the longer they go without an unannounced audit.

 And I want to go back to something you said the first time, or at the beginning of this is that certifications can be, and we didn’t want to fall into this trap, can actually be a false sense of security to clients. And even, we’re living in a day and age when you can almost go online and buy a certification for something. I don’t know in our industry necessarily, but you got to be very careful of companies that hold out false certifications or false credentials. And so wanting to go the other way, we intensified to include those to make them very robust and let the customers really know that their vendor is being subjected to these things. But when we first introduced them, and this is history now, so I feel more comfortable talking about it, when we first introduced unannounced audits, the rates of non-compliance on an unannounced audit were six times higher than the announced audits. Now that might surprise you that it’s so low, we were shocked that it was so high.

Steve Sidwell:

I was going to say, that’s not so bad.

Bob Johnson:

Yeah, well, for us, especially when we feel that it could be compromising someone’s security, it was intolerable, and so when now, over time, as our members got used to these unannounced audits, that compliance is almost in line with the scheduled audits because they realize that it can have … And there are teeth to our audits too, both financially and we don’t advertise the fact, but we probably expel upwards of 20 companies from the program a year for non-compliance, and that’s just either they’ve gathered enough points that they can no longer be NAID certified because every violation has a point value and even if they’re minor infractions if you build up too many of them, we’re not safe. We owe it to companies like yours that are maintaining their certification to make sure that the other people that have that certification are measuring up, so it, again, we don’t advertise that, but it is the case.

And then, talking about these, just the last thing on unannounced audits is that it is so common, of course, for, and I think many of the ISO audits that are used where you’ve got an auditor that may have been inspecting a tire factory the day before, or a who knows what business they were in, they’re not intimately involved with our program, we’ve got a contracted force of upwards of 20 trained and accredited security professionals who only do audits of destruction facilities. Now, they have other things and-

Steve Sidwell:

You get pretty good at it, at that-

Bob Johnson:

Right.

Steve Sidwell:

If you’re doing that many of them, you get pretty good at knowing like, oh, yeah, that’s totally fake. You know, looking at it.

Bob Johnson:

Agreed and so you … Right. No, and so, I think that’s something that people overlook often when they look at our program, but I think it’s a real asset for what we do.

Steve Sidwell:

Well, I think too, one of the things I should mention is when you were saying that the rate of non-conformance, non-compliance of the standard was six times greater when you started looking at the numbers that are coming back from the surprise audits, in that too is, I mean there’s a lot of different stuff in the application, so that could be anything from, if I’m understanding correctly, from workers not having proper identification, or workers not being legally registered in the right location, or not legal to work where they’re working, or that could be not having an ID, or it could be something large, like mixing document storage with document shredding, like in the same room, or that kind of thing.

Bob Johnson:

Mm-hmm (affirmative).

Steve Sidwell:

Is that accurate?

The Complex Requirements of Secure Data Destruction

Bob Johnson:

No, that is accurate and it actually brings up two points is that, and we pay attention to this a lot, there are violations which are administrative if you will, or in law keeping and things like that, then there are also violations that would be at the other end of the spectrum where we really feel that client information was put at risk, or could be put at risk. So, we separate those and we treat them, well, obviously one is far more egregious and we are much more vigilant in how we address those or are heavy-handed if you will. So, we do look at that.

But, I think the other point in that you make in bringing that up is that in one we have to go to a lot is reminding your customers, and even our members, like Liquid Technologies, like information destruction, is a lot more than just the event of destroying the media or destroying the information on the media. There is employee requirements, and background screening requirements, access control, log keeping. There are written policies and procedures, and ensuring that those written policies and procedures have certain things in them that align with the regulations and the contract language, other things like that that have to be and there. It is very common when we are speaking with someone, even if they’re in charge of information security, the hiring of the destruction vendor per se, even if they’re focusing on information governance or data security, the disposition of the information is a very small slice of that pie, and that’s even when they have a dedicated job in that for a large organization, or even if for a smaller organization where you don’t have someone focused on it, it’s even smaller of a portion.

So, given what they know of our industry, it’s very common for them simply to focus on the event. You know, how do you do it? What’s the particle size, or what’s the system? How do I know that the overriding program works? And they focus on that only. They don’t think about those other 15 things that go into it. I have said, and I use this carefully, but it’s not only the laypeople that have a challenge with this thinking of it in a broader scope, it’s literally government specifications, and it’s not unusual for us to be presented with a, not a regulatory specification because those are different, but a government agency that has developed a certain spec, or even a company that has developed a certain specification for the process of destruction, without thinking of those other things that go into it.

And, when I confront those, I like to point out that I could meet that specification using unscreened, known criminals on a vacant lot in the most crime-ridden neighborhood of my city because they’re only looking at the particle size, whatever either drops out of the machine or whatever the machine says after the process is all they’re looking at. They need to be looking at or should be looking at all of those things that I rattled off earlier and it’s the whole, all the things that wrap around the destruction that are just as important, quite honestly, as the destruction of the media or the information itself.

Steve Sidwell:

And that’s kind of where that goes, right? So, the other things you’re talking about is everything that happens from when it’s in the machine. Like, so if we’re talking about shredding hard drives, just as a, for instance, it’s everything that really happens from when it’s in the machine, where it’s serving data up on whatever to you know, okay it’s reached its end of life, they’re going to migrate their systems over, the drive’s still got data on it, so what happens next? Is it pulled out? Is it stored locally? Is it sent somewhere for storage? Is it just kind of used as a doorstop? What happens with that? Because if you’re only concerned about well, I have to have it shred to three-quarters of an inch. Or another guy says, “Well, you know, honestly, an inch and a half’s okay.” That’s cool, and we can debate what you’re going to do using one or the other, but honestly, it’s going to be much easier to kind of look at it the problem from a little bit stepping back where you say, “Okay, so that’s cool, so how does it get from where it is now, actually into the shredder?” Or, any of the other stuff you’re talking about.

So, it’s that whole process that really kind of goes into it. Who’s going to do the work? How’s it going to get done? Where’s it going to get done? How’s it going to be transported? What are the locking systems like? What are your controls as far as, chain of custody? The whole system needs to kind of come into one where there’s checks and balances throughout, and then, of course, for us here at Tech Bench, we look at what happens to it afterwards. And one of the things that NAID does too, I know is look at that you can’t reuse the paper as like packing materials or whatever, it’s got to go down to its final destruction, that’s where the line kind of ends.

Bob Johnson:

Yeah, the responsible disposal of the destroyed remains is still kind of the buzz word or how we frame it around here, but for a host of reasons, it’s important to have that all buttoned down to know what was it’s final resting spot even after it was destroyed, but from, and I’ll just echo what you said, that in fact, in some cases, information disposition can start with the acquisition of the product in the first place. Now I know I keep going to IT on this stuff as opposed to paper, but we know from talking to our members and companies that are involved in helping their clients reconcile their IT assets when it comes to disposition that large organizations, sometimes even smaller organizations don’t know where a significant percentage of their IT assets even are when they would be cycling them out, and hypothetically, then that’s challenge. I mean there is literally a risk of, again, if we’re talking theoretically, every missing IT asset that that organization has is a potential data breach, and even just not knowing where it is means that it’s a data breach, so they at least need to show they investigated what was on it and if they figure what was on it was something …

When Coke did their breach notification, I think it was 75,000 or 77,000 of their past employees had to be notified that their information might be put at risk, that all stemmed from the fact that they discovered that laptops were being siphoned out of their iPad program internally, by the way, not from a vendor, but internally, and they couldn’t place where this certain laptop was. The interesting thing is that that happens every day and people aren’t and companies aren’t doing that reconciliation. So, I’m harping on that one part of it but from the time it is generated to the time that it’s transferred all the way to the time it’s, as you pointed out, put to it’s final resting spot, it all is part of the process.

Educating NAID-Certified Members and End-Users

James Patrignelli:

Bob, as you evangelize your mission, do you spend your time more educating end-users, or is more about educating your certified members on how to get your mission out?

Bob Johnson:

It’s a combination of both. Despite the success of the organization, and it has been relatively successful over the years, our resources are limited, and by and large, we do rely on our members and our certified members especially, who are out there talking to clients and we try to provide them with the education and the useful information so they can then pass it on to their clients. We just don’t have the bandwidth nor the resources to do the type of advertising that would require.

Now, the good news is with a couple of thousand member locations out there talking to clients and for providing them with the right information and the right education, they’re talking to their clients at a time when they’re receptive to this information, And it’s not uncommon for the end-user, the clients that use our member services to not be, just obviously, up to speed on all of the regulations as we are because we’re paying close attention to that, so very often the service provider is the one who is channeling that information to them, sometimes for the first time. So, we find that clients generally appreciate the fact that their service providers can help them stay up on what they’re responsibilities are and the case of NAID-certified companies that they’re service provider has someone else who is looking at what they’re doing and making sure they’re doing it correctly.

James Patrignelli:

Sure, and it’s not uncommon when we talk to clients or potential clients that they actually specifically request that they have a NAID-certified vendor, or R2 or re-stewards, we still run across, believe it or not, in this day and age people who actually say that media destruction isn’t important to them or even say, “I don’t care.” That makes me cringe. I’m not sure how you respond to something like that?

Bob Johnson:

Yeah. Well, as I mentioned, I’ve been this for a long time, so while it still is, I would say that hopefully you’re not running into too many of those individuals out there and my response is, when you have somebody that tells you that there’s no concern, generally you’re talking to the right person. And I’m sure you feel like I do, that if you were talking to someone higher up the food chain in those organizations, someone that really understood the impact on the organization of information getting out or even the feeling by customers that they’re not protecting their information that it would be horrible. So, if you’re talking to the right person, generally don’t get that.

Now, of course, it was much worse back in the, you know, I don’t want to sound like too much of an old fogey, but back in the 1980s and even the ’90s, it was tougher. So now it’s less common and hopefully, you aren’t running into that too often because it’s really scary when you think about that. But it opens a door to another conversation which is that while you maybe talking to an individual, well, let’s say you are running into those individuals, like you said, and I know that they’re out there, that minimize the need for the protection of the data still in this environment, and as foolish as that sounds, they are still out there, you still do have organizations that understand their responsibilities, and so they put a system in place and they cross their fingers, and they point to the bins and they instruct the employees what to do, but they still leave the decisions of what is done with media up to the frontline employee. So essentially, whether it’s getting rid of old electronic equipment they’re using, old phones, even thumb drives, or old laptops, or whatever it is, or it’s the paper media, they’re leaving the decisions to the individuals that are using them on what needs to happen to them.

And the analogy I like to use when I’m talking to a company like that is, would you ever think of giving every employee in your operation a switch that shuts off your firewall, and just it’s up to them; if they want it one they can turn it on, if they want it off they can turn it off? And, of course, nobody would allow every employee the discretion of turning on or off their firewall, and yet, when you give employees the discretion of what’s to happen with this piece of paper, or with this hard drive, or with this phone or you’re not … And where I’m going with this is that that decision needs to be taken out of every employees hand. There is no way that would not be deemed negligent if something bad happened, because in that deposition, one question would come up is, so as an organization you let every employee decide what they should do with discarding their obsolete media? Yeah, we told them what to do with it and we hoped they did it.

If that decision can be moved up one level by just saying that we’re going to run an organization where every bit of media we put out of this organization is going to be addressed because we cannot cross our fingers and hope that every employee gets to importance of what we’ve told them to do. And the impact will be so dramatic that we have to take that out of every employees hands. So, my point is that while often we are talking to people that do get it that when it translates to how they impose the [inaudible 00:32:56] or how implement their concern or implement their policies they’re still leading a wide swathe of discretion at the employee level and that’s a problem for them.

Specialized NAID Certifications Help Ensure Compliance

Steve Sidwell:

That’s interesting too. So I think one thing that NAID does, with having all of the different types of certifications that there are, right, and for everybody, basically there’s certifications for paper, there’s for media, there’s for hard drives, there’s for micro media, there’s for non-paper, right, various different types of things, and it’s about what the type of media it is, and then different methods that it can be destroyed by, how it needs to be destroyed. There’s all that stuff out there but the firms who are certified need to be certified for whatever work their trying to do, like they just get it for one, right, and then say, “All right, well, we’re NAID-certified,” and then not talk about the fact that they’re totally not certified for all this other stuff. If they want to do it they have to get it for whatever they want to do, right?

Bob Johnson:

That’s correct. So, the rule is and we do find ourselves having to enforce this sometimes, the rule is that you need to be certified for any services that you’re offering. So, if we have a certification for it and you’re providing that service and you want certification you can’t cherry-pick what it is that you’re getting certified for because there’s obviously the logical temptation then to try to extend that certification over to those other areas where you wouldn’t be, and so the other way we found to make that a practical solution and not potentially mislead the client is to say, “If you offer it, you need to be certified for it.”

Now again, we do our best and often someone will, not often, sometimes a company will add a service and in kind of between their certifications and they’ve got a new service or what it is. So, yeah, we do have that and we just rely on our other members to notify us if there’s something going on in the marketplace where we have to insert ourselves and kind of correct that.

The other thing we do, of course, where there is some type of a one-off destruction service is provided, you know, we don’t expect our members to walk away from opportunities to serve their clients, and if their clients have a certain situation which lies outside of NAID certification that we haven’t caught up with it, for instance, they’re supposed to inform the client that it’s a non-NAID certifiable thing. So, the certification doesn’t extend to that.

Steve Sidwell:

That comes under the requirements for contract language, right? Like, if you’re doing work and you’re certified, it’s going to be assumed that whatever work you’re getting is going to be under the NAID certification, right? So, like if you’re a NAID-certified company and I hire you to do some work for me and I give you hard drives and papers, and whatever, it’s assumed that you’re going to destroy them.

Bob Johnson:

Right.

Steve Sidwell:

And if you’re not then you need language to say that you’re not as opposed to say what you are going to do.

Bob Johnson:

Right, exactly.

Steve Sidwell:

Whereas I think that’s fantastic because I mean it makes it so much safer really for clients.

Bob Johnson:

Well, I agree and I would only say that NAID has … The world is evolving for us as well, and so, it’s not uncommon for our members to destroy products for instance for our members. Well, we didn’t have a product certification until a couple of years ago, so many of those companies that are doing product destruction now are integrating the certification into their program. It doesn’t cost them any more, but they have other things that they have to do in their policies and procedures. And as you may have read, we’re finally getting a solid state device sanitization certification. And if you look at the NAID certification complexion out there, there are a couple of kind of big categories and the media that falls under them is it’s going to be the same media, but the overarching platform is whether it’s done at a secure facility a plant-based facility, whether it’s done mobiley at the client’s location, and then with regard to the services, whether it’s the physical destruction of the media, or whether it’s some type of an overriding process where the media will be left intact but the information is removed, so you can almost draw a tic-tac-toe board, or a grid that has those things in it and then most of the media falls under that.

Now, you don’t erase information from paper, so if it’s paper destruction it’s going to be under physical and you’ll have mobile or plant-based, but if you’re talking about hard drives or solid state devices now, you can do physical destruction and you can do sanitization. Now, if you’re certified for physical destruction of hard drives, you’re not necessarily certified for the sanitization of hard drives, and that’s an important distinction that, of course, it can-

Steve Sidwell:

It does use completely different tools, yeah.

Bob Johnson:

Yeah, that’s right, and there’s a whole different process of validating the efficacy of the process and what needs to be in the policies and procedures. So, completely different. We do our best to make customers understand that these are different things that they need to be looking for.

Steve Sidwell:

That’s fantastic. You know, I think it really it makes a lot of sense because the world of data destruction it just changes so much and so I feel like the ability to work with somebody who is staying on top of it for companies, so even for clients, but also for vendors that having a trade association out there to get more information and all the rest is certainly a pretty big benefit, I think.

Bob Johnson:

Well, thank you.

Shifting Toward Mobile-Focused Data Destruction

James Patrignelli:

Well, considering the advancement … Sorry. Bob considering the advancements in technology and how quickly mobile devices are just being spread out within the enterprise level, where do you see the organization within five years or so, you know when people are moving off PCs and maybe even server technology and more to that mobile world?

Bob Johnson:

Well, there’s no doubt that on the … There’s two trends, right, so you’ve got the hard copy side where the consumption and therefore storage and destruction of business communications paper is on the decline in North America, and it’s actually not on the decline, it’s pretty stable. Where it’s being generated is changing, but it will shrink, and certainly record storage companies know they’re not putting as much paper in boxes and on shelves as they were 10 or 15 years ago. So, that’s changing and now while it’s changing the percentage of those materials that need to be destroyed has been increasing dramatically and so where the two lines cross is still in the distant future as far as the declining on business communications paper and the increasing need to destroy it. And you can even argue that as it declines, more and more of it is going to be highly sensitive and does need to be destroyed.

Going back to what I said about taking it out of the hands of the employee and just deciding that all media’s going to be destroyed. On the IT side where you’ve got a migration to a thin cloud or non-memory devices that are out there, first of all, on the lower end, there will never be a time, well, shouldn’t say never, I guess. The likelihood that data will reside on laptops and desktops and phones, and, of course, mobile storage devices will always be with us, so there will always be that need for that, and whether they’re physically destroyed or repurposed is a decision between the service provider and the client as to how that goes forward. On a broader level or where we see the increasing use of subscription software and cloud storage for memory and that type of stuff, well, number one, vendors who are serving those cloud storage services obviously are very busy because those organizations have a real need to be redundant in how they store it and very careful obviously in how they’re destroying that media, so it’s being concentrated in a different area, but there’s still quite a demand.

Whether NAID would move into, and I will say that we’ve already made advancements, some overtures in that area, into how information is properly destroyed in the cloud is something that we’re again, we’re keeping our eye on and we’ve made overtures toward. One thing that many people don’t realize, and of course, there are exceptions to this, but most of us that use cloud storage for our stuff, even if we decide that we don’t need it anymore and we’re destroying it and we designated on our machine to be destroyed, we’re essentially doing what people used to do when they pushed the delete button on their computer, is that they are erasing the directory or their access to that information, but the information still resides on those devices. So, if I’ve got my financial records in the cloud and I decide that I can destroy five years of them, those five years still exist in the cloud, it’s just I don’t have access to them anymore, and maybe those sectors are open for being rewritten and whatever, but when you talk about information governance and you talk about the disposition of information, knowing it’s gone is a really important thing.

Steve Sidwell:

[crosstalk 00:43:39].

Bob Johnson:

The fact that it might still reside … Go ahead, yeah.

Steve Sidwell:

I was going to say, then of course through the iterations of back-ups of whatever that data was-

Bob Johnson:

Yeah.

Steve Sidwell:

… going back who knows how far along, yeah, if that was deleted, did they mean to delete it? Is it okay to erase the back-up? Is it not okay? Basically, how to keep track of those things I think is something that definitely needs a lot of investigating, and honestly, policy on it probably too because if you’re looking at things like GDPR and the right to be forgot, how to you deal with me deleting a photo of my dog and me deleting my taxes after five years. When do you say that one is something that we need to make sure is erased and one isn’t?

Bob Johnson:

Or, you’re exactly right, and it’s even got ramifications with regard to legal discovery because if I go into a deposition and I say that we don’t have those records anymore, and some smart prosecutor or a litigator says, “Well, if you were using the cloud, they still do exist and we could subpoena whichever large corporation was backing that up and I’m sure they can produce it for us.” So, those are things yet to be decided probably through case law. But I know that if I was in charge of information governance for my organization I’d be pretty skittish knowing that the information that we designated for destruction and recorded as being destroyed still exists somewhere and so technically has not been destroyed.

So, anyway, those are things that will crop up and we’re going to have to watch for because our mission is not only at it’s core is really information governance and the proper disposition, i.e. destruction and disposal of information is one step in that governance process, but you know, governance extends to the cloud and the information on the cloud and when it’s said it’s destroyed, has it really been destroyed?

Steve Sidwell:

Definitely, the growth factor for NAID has been over the years one that has gotten I think a lot more, how can I say, theoretical than purely practical, it’s gone right from shredding papers and tapes and I mean huge, old back-up tapes and stuff like that through to erasing platter drives and now you guys are looking at SSD erasure, but data governance in a cloud-based infrastructure is a whole nother thing.

I think when you were saying a lot of the [inaudible 00:46:22] stuff will be decided on case law, I think honestly, it really makes a lot of sense because trying to make policy for that is certainly feasible but policies going to be different and in different jurisdictions are going to have completely different outlooks on things, so I think looking at what NAID is working on going forward, there’s a lot out there.

Bob Johnson:

Yeah. Just circling back on that issue of cloud storage for a second because I have these conversations with audiences of data security people and records managers and we inevitably get around just a point of well, so what am I going to do? Go back to, you know we all know who the five big cloud-storage services are and even the smaller guys are often already just lending space from them, and am I going to renegotiate my contract with them? Because there are even liability issues that go with it. Is Amazon a business associate because they’ve got help information recorded on … And what are they doing as far as breach notification and those? All of those things are going to … Anyway, to your point, yes, we’re moving into a whole probably as far away as you can get just the physical act of shredding paper.

Steve Sidwell:

Being notified that we are crushing right up on a lot of time that we had scheduled with you today. First, Bob, thank you so much for coming on, telling us all about NAID and the new merger with PRISM, looking at changing world of data destruction from SSD to cloud-based to history, to certification, to contracts, a whole manner of stuff. Really, really appreciate you coming on today, thank you so much.

Bob Johnson:

Well, thanks for having me.

Steve Sidwell:

No [inaudible 00:48:24]. Absolutely. I know that James and I both really enjoyed talking with you, so again, this is Steve Sidwell and …

James Patrignelli:

James Patrignelli.

Steve Sidwell:

From The Tech Bench Podcast and we wish you a lovely week.

James Patrignelli:

Thanks, Bob.

Bob Johnson:

Thanks, guys. Bye-bye.

Steve Sidwell:

Bye now.

Thank you for joining us for another episode of The Tech Bench Podcast. Next episode we’ll be speaking to Keith [Rooknic 00:48:47], ITAMS director of education.

If you enjoyed this episode, please make sure to subscribe and follow us on Instagram, Twitter, and Facebook, @LTTBPodcast. If you have any questions, comments, or show ideas, please feel free to email us at techbench@liquidtechnology.net. For show notes visit liquidtechnology.net/techbench.