Your data will haunt you. That's the risk your clients run if they won't pay to properly classify and destroy data that resides on disk drives, tapes, paper or any media when it is at the end of its life. Though there is no definitive way to document the cost of not taking part in data destruction, if your customers fail to properly dispose or never dispose of data that they are not required by law to keep, it can resurface and cost them in ways that they never anticipated.
In the 2002 case of Murphy Oil USA vs. Fluor Daniel, the court ordered Fluor Daniel to produce emails relevant to the case that were archived on backup tapes. While Fluor Daniel's email retention policy allowed them to recycle backup tapes after 45 days, Fluor Daniel neglected to follow its own data destruction policy, which resulted in it preserving 93 backup tapes. Though the court did not order Fluor Daniel to recover data on all of the tapes, Fluor Daniel had to produce email from one of the tapes that was selected by Murphy Oil USA.
Incriminating evidence found on that tape resulted in Fluor Daniel paying two-fold. Fluor Daniel received an unfavorable court decision and they also had to pay for some of the costs associated with the legal discovery required to recover the data from the tape. In this case, Fluor Daniel could have potentially avoided both of these outcomes had they followed their own data destruction policies and destroyed the data on these tapes.
Having no data destruction policy at all eventually spelled disaster for Johns Manville. In 1949, Johns Manville found through X-rays taken in 475 of their 700 workers that their workers showed signs of asbestosis but never told them. More damning was a confidential memo that was attached to this medical report advising that Johns Manville should not tell its employees as long as they were not disabled. This confidential memo surfaced in the late 1970s and contributed to Johns Manville eventually filing for bankruptcy in the early 1980s.
The ethics of how the individuals in these companies acted in these instances aside, by not having a documented data destruction plan or carrying out in the one they did have, both companies suffered losses years later. These examples illustrate that companies are punished, not rewarded, for over compliance and it behooves you to advise your clients of their risks of not implementing a viable data destruction policy. The absence of such a policy coupled with the existence of incriminating data can come back to haunt them years or even decades later.