by qual 712 days ago
Most data destruction compliance standards I am familiar with allow for cryptographic erasure when the device is encrypted prior to sensitive data being written to it (excluding some specific data-sensitivity levels).

If they are strict enough to not allow for cryptographic erasure (or the data is above a specific sensitivity), this device would likely not be in compliance either -- physical destruction generally requires shredding/grinding to a specific particulate size, or incineration, and this device does not appear to do either.


I'm not saying there are many (any?) modern standards that would allow physical destruction without cryptographic erasure. As far as I know, physical destruction requirements are usually accompanied by cryptographic erasure requirements.

I'm also not saying that all compliance standards related to data security require physical destruction; just that these absolutely exist, mostly in defense and similar areas.

Most standards (e.g. ISO 27001, NIST 800-88) do allow for physical destruction without cryptographic erasure if the device is being shredded or incinerated (to the applicable shredding/incineration standard of particulate size/temperature). Especially because cryptographic erasure is effectively pointless (at high data-sensitivity levels) if the device wasn't encrypted immediately and prior to data being written. Notably, NIST 800-88 2.6 explains when not to use cryptographic erasure, and when to consider it, but there is no requirement for it.

But, I mainly made my comment in reply to this part of your comment:

>I’d assume this device targets that market.

Because I don't think there is any market where this SSD punching device would be compliant and cryptographic erasure wouldn't be compliant. At least, in my career, I have not seen any environment or standard where this would be considered compliant but cryptographic erasure wouldn't be.

Right, but nobody's arguing that there are cases where you'd physically destroy a device, while cryptographic erasure of the data is not required as well.

I didn't explicitly say this in my original comment since it seemed implicit given the context.

>nobody's arguing that there are cases where you'd physically destroy a device, while cryptographic erasure of the data is not required as well.

I am very explicitly saying cryptographic erasure is not required if you are following physical destruction standards (in ISO 27001 and NIST 800-88, at least).