It’s illegal to hire data destruction services on price alone
January 22, 2015
Let’s just say ABC Corporation hires a data destruction service because it offers the lowest price. It does not take a lot to imagine that scenario, right? It happens all the time – maybe most of the time.
It also would not surprise anyone that the lowest bidder might also cut corners on security. As fate would have it, our low bidder causes a data-related problem for ABC Corporation and now the state attorney general and other state and federal regulators are investigating.
In every one of the inevitable interviews and depositions that follow, one of the first questions will be: “On what basis did you select the company that caused the problem?” If the answer is that the service provider was selected because it had the lowest price, “it’s all over but the crying,” as they say. The proverbial “book” is about to be thrown. Why? ABC Corporation violated one of the most important requirements of all data protection regulations, namely, the legal requirement to demonstrate due diligence when selecting vendors to handle personally identifiable information.
On the other hand, had ABC Corporation done its vendor selection due diligence, although it might not be held harmless, there is little doubt that things would go a lot better for it. As it stands, however, ABC Corporation violated the law by hiring a service provider on price alone and will likely experience the full measure of the regulatory consequences.