What to do When Clients Misapply Specifications

February 10, 2021

It’s happened to many data destruction service providers and to those it hasn’t happened yet, it will at some point.

It looks like this: You have been destroying media for a client for many years, when they ask whether you comply with a certain specification or standard. (Usually someone else in the firm is bringing it up.)

Often, but not always, it is a particle size spec (NIST 800-88, DIN, IRS Pub. 1075, etc.). Once in a while, it’s about compliance with a more general standard (PCI-DSS). And sometimes it’s a question about compliance with something totally irrelevant, like money laundering or arms trafficking.

Over the years, I have interceded with hundreds of i-SIGMA members who have found themselves in these situations. In all that time, I have a few takeaways.

The first is that one response does not fit all. That’s not to say there aren’t similarities and rules of engagement. It just means you need to know where the question is coming from and ask before you respond.

The second is that when the question, or the supposition behind the question, is mistaken, the client is usually delighted, relieved even, to learn the specification they’ve been told to ask about is not applicable to your services. That happiness stems from (a) learning they have not been doing something wrong up to now, and (b) learning that meeting the suggested specification would often cost them a lot more. That said, it does not always turn out that their question is wrong. Sometimes it addresses a legitimate issue.

Third, even if you already know how to respond, sometimes a letter from your industry trade association explaining the nature of the misconception gets better traction with the client than you responding directly.

For purposes of this blog, however, I’m going to explain what we need to know about the request.

1) What are they asking for?

Is it a particle size spec? Is it a compliance standard that is irrelevant to what you do? Is it a self-attested compliance standard which only slightly overlaps with the service you provide? There are multiple strategies regardless of the answer, but we need to know.

2) Who is the client and what type of information are you destroying for them?

Even if we think the question is about an irrelevant specification, this information is required just to make sure we’re not the victim of wrong assumptions. Even if the client is a government office, for instance, it doesn’t automatically mean they (or you) need to meet that requirement. The most common mistake is that they are misapplying some irrelevant spec or treating regulated information as if it were classified. Time has proven that when they learn it will cost them 5 times as much to meet a proposed particle size, they are delighted if you can show them why it does not apply.

In my next blog, I’ll specifically discuss requests for NIST 800-88, IRS Pub. 1075, DIN and PCI-DSS, and the most common question related to such requests: How does NAID AAA Certification apply or help address compliance with them.

Reminder: If you are interested in reading more on this – or if you’re having trouble sleeping – there is a section of my book Information Disposal, available directly through our website or Amazon, that delves into this more deeply.

Written by Bob Johnson | 11 February 2021