
Host (00:01):

All right, let’s get started. Hi, Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional providing practical privacy advice to overwhelmed companies. And I’m joined by

Host (00:24):

Jodi Daniels’ husband, Justin Daniels, here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I’m a cybersecurity subject matter expert and business attorney.

Host (00:44):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers. To learn more, visit RedCloverAdvisors.com. Today we have a very special guest. Paul Katzoff joins us. He is the CEO of WhiteCanyon Software, and WhiteCanyon is known for their WipeDrive data erasure program for corporate and government organizations, providing data sanitization with high hardware compatibility and ERP integration. Welcome to the show.

Paul Katzoff (01:46):

Thanks, Jodi. Thanks, Justin. Thanks for having me here on She Said Privacy, He Said Security, and I appreciate the chance to talk with you and your audience. Thank you.

Host (01:55):

Well, before we get started, I just have a question for my cohost, your attire very professionally today. Thank you.

Host (02:04):

Apparently I don’t do it every day.

Host (02:07):

Just notice all of our podcasts are usually pretty casual and that’s not the case today.

Host (02:11):

You know, Paul’s a special guest. I decided to just,

Host (02:16):

If I want that, I need to be a guest on my own podcast.

Host (02:19):

Exactly. I can send you a booking form and you can sign up.

Host (02:26):

It’s a pleasure to have you this morning and you’re out there in Utah, which is close to my heart and ski season, but talk to us a little bit about how you got started in this industry and how you evolved to where you are today as the head honcho.

Paul Katzoff (02:40):

Sure. It was kind of a long process. Definitely wasn’t planned. Back in 2007-08, I had gotten my MBA about two years before and in 2005 and I was looking for a position and the big stock market collapse happened, all that happened in. So I was looking for anything and I found the technical support job here at WhiteCanyon Software and took that. And I was happy to get a job, happy to be, to be working. And from there worked up to technical support, did that for, sorry, tech support manager, did that for a year or two and then moved into sales. And I really loved that. I love software sales, technology sales. And from there moved into management and about three years ago, our CEO retired and, and they’re looking for someone to fill his boots and they talk with me about it and said, Hey, we’d love to have you fill that role. And I think like anyone in my position, I said, absolutely, let’s do it. So it’s been a good three, three and a half years here at WhiteCanyon as the CEO. And looking forward to the future where we’re headed with data privacy.

Host (03:53):

Well, in the world of data privacy, which is what I speak about all day long, I’d love to hear more about kind of how, what you do fits into this universe of data privacy. When should a company be thinking about data erasure? Is it any particular laws and I’d kind of love to see also, how have you seen a bit of an uptick given some of the different laws that companies now have to comply with?

Paul Katzoff (04:19):

Yeah. Well, first off it’s, it’s really changed since 2008, when I came on board WhiteCanyon. As far as the company goes, WhiteCanyon’s been around since 1998. So a good 23 years of providing our WipeDrive tool. And it started out as just a little three and a half inch floppy disks, get the Air Force approved it. So it went to every Air Force base throughout the world, back in the early 2000s. And from there, we kind of grew into the commercial market. And like you mentioned, the, the commercial side or the enterprise side started realizing, Hey, when these IT assets leave our facility, we need to erase them. Or we need to make sure that we have proof that all the data is gone. And so from about 2012, 2013 on it kind of became very important, kind of growing matter.

Paul Katzoff (05:05):

And then you had GDPR come out, which really pushed that. The HIPAA privacy laws also kind of push that initiative as well. And lately the California data privacy law has been the latest that has kind of pushed corporations to say, Hey, you know, we have all these IT assets. We used to just store these drives in the basement, donate them to a charity or sell them or whatever we did with them or smash them. But that data is at risk that whole time it’s just sitting there or when it leaves our facility. So let’s incorporate an erasure tool. Let’s erase all that data before it can be exposed or vulnerable at it. And then let’s go from there.

Host (05:44):

Well, thank you for sharing really. I mean, from a privacy point of view, I certainly see more companies paying attention to the data that they have. You know, we’re so focused on the collection, the use and the sharing, but the end piece sort of its resting state is important to be paying attention to what happens all the way at the end.

Host (06:03):

It’s funny that you stated it that way. I would have asked Paul the same question and said, so Paul, nowadays data is what if we collect, use it and store it. It now becomes what, potentially a liability.

Host (06:17):

Do I get money? I get money. Our daughter always asks if she does something, she gets money. We get money. You can discuss it with my representative.

Host (06:26):

My point is Paul, from your perspective the liability that now has created by all this data, that’s either stored or somewhere else. I assume that is a big selling point as to how your company fits into helping companies manage what is now the single biggest asset, but also potential liability in case the ransomware man comes calling.

Paul Katzoff (06:50):

Yeah, the ransomware man or the, the data breach, and you’ve lost X number of PHI, private health information files, or data. All of a sudden your company now has a financial and legal responsibility and that’s costly on their side. So yeah, we fit in that data erasure realm of either end of life or reallocating assets and where we’ve kind of wanting to make ourselves more valuable to our clients is how we’re deployed. You know, we could be pushed out remotely. We could be pushed out to anywhere in the globe, whatever, you know, whatever data or data bearing device you have. We can erase that. We have mobile phone erasure, you name it, mass volume erasure with our PXE network boot. We have all these different capabilities. So on the corporate side, you can buy one tool and use it throughout your architecture and be headache free.

Host (07:41):

So speaking on that point, can you talk to us a little bit more about, you know, how the erasure works, but also does it really erase everything irrevocably, you know, what they saw on the internet, the internet is forever?

Paul Katzoff (07:56):

You know, you know how often we get that question? It’s because data erasure kind of has a bad name to it. It comes from a bunch of software tools that weren’t certified, weren’t tested, and they were out there making claims that weren’t actual and weren’t true. And so we actually have to fight this all the time with IT managers, where they may call us up and say, Hey, I’d rather drill this, or I’d rather crush it. Or, you know, if it’s not an SSD and that’s 50 to $80 per device, that you’re just destroying. Also in the circular economy, that’s not going back in to be resold or reused and it’s being shredded or destroyed, hopefully recycled as much as possible. And the rest goes into landfill or is e-waste. So there’s really a high need for data erasure as far as kind of keeping these, these items outside of landfills and the garbage disposal, that side of area, but also the same time, there’s this trust issue.

Paul Katzoff (08:51):

And so what we’ve done on our side is we’ve gotten Common Criteria certification here in the U.S., we’ve got NCSC out in the UK, a DISA certification, and pretty much what these standards mean is someone’s gone, they’ve tested our software on a host of devices. They’ve ensured that all the data is gone, but also you can trust us on any data-bearing device that’s out there as well. And a good note on that to kind of make people feel even more confident is the IT asset disposition industry, the ITADs, for their certifications, they’re required to test 1% of their drives. So they’re running a verification on our WipeDrive tool on 100 to 200 devices a month per item. So these are being forensically examined, tested, and making sure that there’s no data there. So there’s a whole industry that’s, you know, verifying and certifying that our product does what it says it does.

Host (09:51):

I love the focus on recycling as someone else knows. I’m a huge fan of recycling and I’m the person who takes it out of the garbage and rinses it and puts it back in the recycling pile. When some people, I don’t know who maybe sitting next to me named Justin, don’t always recycle. Now bringing the idea of recycling though. It’s really now a big part of the sustainability of a company and ESG is, is a and social responsibility is an element that customers are now focused on in companies. So this, what we’re talking about is a very internal part, but it really can support an overall company’s social responsibility plan. Can you share a little bit? The company probably sends you these devices they’re getting wiped. What happens maybe kind of walk us through the process, almost like the life cycle of I’m a device and I need to be erased. And what happens to me…

Paul Katzoff (10:53):

So we don’t actually touch the devices. We just provide the software tool to any of our clients so they can boot it up and run on there at their location or on their systems, wherever they are. And it really depends on how they want to get it done. As far as the software does itself, it accesses each sector, each platter, each byte, each bit and overwrites it with random data or whatever information they’d like to overwrite it with. So that process is kind of set forward for any device. And then, like I said earlier, we can erase mass devices at one time. So some corporations are, you know, processing 10,000 systems a year. We can set up a work bench and they can be running a hundred, 200 wipes simultaneously on those work benches. So that makes it easy on their side. You don’t have tech sitting there booting off USB 500 times a day and trying to get their log reports and where these audit trails go to, or where do you put the certificate of destruction? All that’s kind of managed by our system and our platform so that you don’t have to have, you don’t have to worry about it. It’s not a headache.

Host (11:54):

Even better at reducing the shipping, reducing carbon emissions? I love it. Environmentally friendly

Host (12:01):

When we send you there. So we can have you erased for Jodi 3.0, so now I can do no wrong. No. All right. Well, onto the next topic. So Paul, can you talk a little bit about, you know, based on what you’re seeing with your part of the industry is what do you think the next evolution is in the data erasure protection regime given Virginia’s now not only for lovers, but also for data privacy and other laws that are coming out.

Paul Katzoff (12:38):

Well, first off I liked that all the states are moving towards more data privacy laws and breach notification, which is a nice kind of foundation, nice space. You have the federal government, they have a federal data privacy law in committee. So that’s being discussed. The word on the street is it’s only going to be as tough as a California data privacy law. So there’s not going to be any financial penalties unless you delay your breach notifications. It’s not going to be like GDPR, which is kind of a shame. Like personally as a consumer and not, not on the business side, but as a consumer, I like the idea that corporations have a financial penalty if they lose my data or, or there’s a breach or something like that. It makes me feel like that corporations are going to work harder to protect my information. We’re not there yet. I hope in five years or a decade that comes out and is added to it. But right now it’s just merely kind of that basic, you know, let you know that your data has been taken or there’s a breach. And then also you have the right to be forgotten, which is nice.

Host (13:40):

What size company needs to pay attention to this? I feel like I talked to a lot of small companies and privacy and security is, you know, it’s overwhelming, it’s a challenge, there’s resource constraints, whether it be cost and people, is this just a big company problem? Or what should the smaller companies also be thinking about?

Paul Katzoff (14:05):

Great question. So for the small companies, if you’re, if you’re regulated by HIPAA, if you’re a dentist’s office or doctor’s office, you already know that you need to control and maintain your PHI. So they need to worry about it. Large corporations have been worrying about this for about five or 10 years on their side. The medium and small are kind of the ones that are coming to the realization that their data can be attacked or that they’re vulnerable if they aren’t too careful. So it’s headed that, that way. I don’t think, due to how much they’re trying to balance and do themselves, I don’t think the small corporations and medium are really going to get to it for a while. But I think what will happen is the MSPs, the managed service providers and others that provide, you know, third-party services to these small companies will start incorporating or do incorporate erasure in their policies. And that will kind of cover that small segment. It is important to them, but I don’t think it’s risen to that priority just yet.

Host (15:03):

It’s funny when we were talking about the national privacy and security law, data’s really an international issue.

Host (15:10):

Well, for sure, and we’re a global economy and data doesn’t really stop and give its passport to the airplane people and, you know, get on the airplane and go to the next country. It just kind of comes

Host (15:26):

Experience that the other governments may view privacy and how that relates to nation States a little

Host (15:31):

So all kind of taking us into more of a personal realm, given your extensive experience in the industry is what is your best personal cyber tip for our audience?

Paul Katzoff (15:48):

Ooh, I like unique passwords. I think those are the ones where, as it, as a home user, that’s like the biggest headache. So my recommendation is for your password, do a number, do at the first couple letters of the domain, choose three or four letters or five or whatever domain it is. Choose a unique word in a special character and also capitalize one of them. What’s nice there is, if your passwords get out, you’ll have unique passwords for every website and it will be difficult for them with an automation tool to kind of crack that. But on your side, it kind of protects you as far as your password goes. And it’s easy to remember, easier to remember, I guess.

Host (16:30):

One of the things we had talked about kind of pre-show was protecting kids data, and I’d love to have an extension to sort of the best personal cyber tip for all of the parent listeners out there. What should they also be considering when it comes to their kids’ devices?

Paul Katzoff (16:47):

Yeah, so, you know, with these kids, well, with everyone working, you know, the school’s going remote and all the children being assigned devices, the biggest risk that’s coming up and it kind of happened this last summer is that all these devices are going to get turned back in and they have to go back out three months later. And your local school district has three or four IT employees to, to erase and securely process all of these devices. The risk there is they don’t do it properly. They don’t do it all. Your first grader, second grader hops on their little Google Chromebook or whatever they have. And the senior, junior that had had the year before has loads of pictures and videos and things like that, that they could open up and click through or find. So on the data security side for schools and things like that, we just recommend the Google Powerwash or WipeDrive to erase your devices. You know, let’s get this data clean. And as a parent, you should definitely be asking your, your local school, are you cleaning these devices before they come to me or to my child? Do we have to clean them before I, them to my child? What’s the, what do you want us to do to kind of ensure that there’s no data on that device when it comes into the house?

Host (17:56):

Yeah, that is a really important tip that I think every parent needs to hear and a really excellent point that I think is likely overlooked by a lot of schools. So thank you so much for sharing really important.

Host (18:09):

And we always like to end with a fun question, which is, you know, outside of your CEO going and helping with the cyber industry and the fact that you live in Utah out West what do you like to do for fun? 

Paul Katzoff (18:30):

My latest passion has been mountain biking with these new e-bikes

Paul Katzoff (18:32):

Yes. If, if you have not ridden the e-bike, I’m not in the greatest shape, but I think that’s where e-bikes really come in, but you get this full suspension e-bike and I can power up hills as if I’m a first grader and I love it. It is, you can go up and down. It’s, it’s fun. If you ever get a chance to take one of those out, it will. It just changes the paradigm of mountain biking. It does.

Host (18:57):

We’ll just leave the mountain biking to you. I’m going to stick to the road, the road bike on a nice, actually not the road, like on a trail, nice paved trail. You can give me some hills, but I need a paved trail. You, you can take the crazy mountain biking. You can go to Utah, you can visit Paul. And the two of you can go mountain biking.

Host (19:13):

If you could just erase the software in her head now, and we can clean it up with Jodi 3.0 adventure edition. We’d have something.

Paul Katzoff

My, my devs brought that up with, I think Elon Musk, they’re doing some kind of connections to your brain. And then he brought up like, do we need to do a wipe brain tool? What’s, what’s next? What’s coming up. So anyway, the way he’s thinking,

Host (19:33):

That’ll be a whole different podcast episode. Well, Paul, thank you so much for joining us. Where can people connect with you and learn more?

Paul Katzoff (19:40):

Yeah, absolutely. Go to our website at whitecanyon.com. You can also reach out to me on Twitter at @PaulKatzoff. Happy to answer your questions, take you through anything that you need on your side, discuss data security, data erasure, or whatever you guys would like to do. Reach out to us. We’d be happy to help.

Host (19:56):

Wonderful. Well, thank you so much for joining.

Host (19:59):

Yup. Thanks, Justin. Thanks, Jodi. Thanks for having me on She Said Privacy, He Said Security podcast and thanks to your audience members for listening.

Privacy doesn’t have to be complicated.