
NAIDnotes

Wednesday July 26, 2017

Leverage NAID Content to Your Advantage

Kelly Martínez, NAID Director of Marketing & Communications
 
Have you ever heard the phrase “Content is King”? Bill Gates first coined the phrase in 1996, and marketers have made it a mantra ever since, with good cause of course. Gates predicted, “Content is where I expect much of the real money will be made on the Internet, just as it was in broadcasting.”
 
SilkStream, a digital marketing agency, concludes that “Gates was right in his predictions. Content is what drives the Internet as we know it.”
 
There are multiple factors that anchor the “Content is King” principle. Original content is prized on the internet, and Google rewards sites that produce it with higher search rankings. But I’m not going to focus on the benefits of good Search Engine Optimization (SEO) today. It is certainly important, and entire discussions surround the topic. Here is a quick reference on “5 SEO Basics” and on how the release of Google Panda favored quality content over thin sites.
 
My goal today is to look at another benefit of being a content-rich business: reputability.
 

Words Have Meaning

Have you clicked through to a website that didn’t have much information? I have, and because I couldn’t easily derive who they really were and what they were about, I couldn’t trust them as a business. After a quick scan of their site I clicked back and tried another that looked more reputable. A website with robust content encourages confidence in a brand. 
 
Some businesses demonstrate their expertise and seek to educate consumers by creating e-newsletters, social media posts that can be shared and re-shared, brochures, etc. Materials of this nature need to be pointed and relevant. Key content in these mediums can influence conversions. Of course, it's important to back up your words with actions as well!
 

The Trick

The advice to produce unique, rich content for reputability and to demonstrate expertise in the industry may be great. However, as many NAID members are small business owners, we all know that there is a flaw in this notion – one major hitch that stops everything in its tracks. Who has the bandwidth to create all this ever-needed content?!
 
NAID understands the realities of its members: some have neither the time nor the budget at present to focus on such initiatives. Businesses traditionally garner the greatest ROI if they can generate new evergreen content or hire a firm to assist them with it. However, if you currently can’t manage this, DO SOMETHING. The Harvard Business Review posted the article "Your Content Marketing Strategy Doesn’t Have to Be Complicated" by Nick Westergaard with some excellent pointers. As Westergaard points out, "We can’t afford to do everything — and we shouldn’t anyway... We have to be more strategic if we want to produce better content." Content isn't just for the sake of SEO and thought leadership (both of which are important). Ensure you have quality content to validate that you know what you're talking about and that you're committed to being an expert in your industry.
 
The good news is that NAID believes in wholly supporting its members. That means that, as an association, we offer as a member benefit the right to freely leverage (re-use) all content we produce, so long as NAID is credited as the source.

 

Use NAID Content

Did you catch that? As an association, NAID offers as a member benefit the right to freely leverage (re-use) all content we produce, so long as NAID is credited as the source.
 
Re-share timely posts from NAID to demonstrate that you too have a finger on the pulse of the industry. Copy and paste meaningful articles and quotes on regulations to exhibit your understanding of and commitment to compliance; just be sure to attribute appropriately. Active members have full permission.
 

NAID Content Resources

 


Thursday July 13, 2017

Self-Storage Shaming: Example Shows How Far Information Management Has to Go

Bob Johnson, CEO, NAID

The headline a few days ago read: “WSU gets costly lesson in theft of hard drive with more than 1 million people’s personal data.”

It then goes on to say how Washington State University (WSU) spent $150,000 as a result of the theft of information (a hard drive in this case) from an Olympia self-storage unit.

And so, we are once again reminded how far we still have to go in raising the Records and Information Management (RIM) practices of organizations across the country (and around the world). 

Any competent records management or data security professional understands that it is inexcusable and irresponsible to retain records and information in a self-storage unit.

  1. Managers and other people who work there, who are usually unscreened and untrained on security, with no fiduciary acknowledgment on file, often have full access to the storage units (legally, I might add). This fact alone is a potential violation of regulations.
  2. It is difficult to imagine that records and information stuffed into a self-storage unit undergo any retention management… or even basic inventorying. This sets an organization up for all types of regulatory and legal vulnerabilities that stem from retaining records unnecessarily.
  3. In the event of a lawsuit, all information and records are subject to discovery. Failure to produce a document germane to the case because “no one knew it was there” almost guarantees an unfavorable outcome.

And the list goes on. There are at least a half dozen other reasons why stashing information and records in a self-storage unit is irresponsible… made all the more illogical by the simple fact that storing records in a professional records storage facility is an easy (actually easier) and inexpensive option.

The bottom line is there is no circumstance in which it is acceptable to store information or records in self-storage… and furthermore, there is no good reason to do it either.

The fact that a major university was burned because it left information in a self-storage unit should be a wakeup call for every organization. Don’t do it. It’s risky and foolish… and completely unnecessary.

Read the original newspaper article >>


Tuesday July 11, 2017

Conclusion 

Selling Information Disposition by the Book (vol. 12)

By Bob Johnson

I came into this blog series with two intentions:
 
First, I wanted to demonstrate the fact that the new Information Disposition textbook confronts the top ten misconceptions that keep NAID members from best serving their customers. And that, properly understood and used, it could help service providers overcome those misconceptions. 
 
Second, many field representatives still don’t know that there are clear and concise arguments for overcoming these objections. Too often, when we come upon a customer who is putting their organization at risk because they harbor one or more of these misconceptions, we simply throw up our hands or shrug our shoulders, and walk away frustrated. Thanks to Information Disposition that is no longer the case. 
 
Whether it’s by using the textbook as a proof statement or simply mastering the content, the responses to educate customers are now readily available, and it is up to secure destruction service providers to use the resources at their disposal to reduce customer risks and to improve their businesses.
 
 
 


Thursday July 6, 2017

Customer Misconception: A Compliance Officer is Unnecessary 

Selling Information Disposition by the Book (vol. 11)

By Bob Johnson

NAID members rated this issue as tenth in our survey of misconceptions that prevent them from providing service to their customers and prospects. Personally, I think it is in reality much higher. I believe that if every company had a person on staff responsible for the organization’s compliance, there would be a lot more data destruction occurring. 
 
Information Disposition makes it very clear that the assignment of a compliance officer should be a major priority. It not only describes why data protection regulations require it, it describes what will happen if there is a data breach and it is discovered that no compliance officer was appointed.
 
As early as page 14 of Chapter 1, we read: 
 
Designation of Accountability 
 
HIPAA and GLB require organizations to appoint an individual to be responsible and accountable for compliance. Of course, from a practical perspective, it is easy to understand why that is important. Without a person assigned accountability for compliance, it would be very difficult if not impossible to achieve and enforce. 
 
In the event of a data security breach or an audit, regulators will almost certainly first ask to speak to the individual responsible for the organization’s compliance. Of course, admitting that accountability has not been designated, in addition to being non-compliant with the regulation, is also very likely to be considered negligent, and, in the case of HIPAA, could well rise to the level of Willful Neglect. 
 
Not all regulations are as clear as HIPAA and GLB on the issue of assigning internal compliance accountability. However, even where that is the case (FACTA and state laws), practically speaking, it is still incumbent on an organization to assign such accountability. Were there an investigation into a violation of a data protection regulation, an organization should still expect investigators to be interested in speaking to the person who is responsible for compliance. Though having not designated such a person may not technically violate the law, it would certainly reflect poorly on the organization simply because it is unreasonable to expect that compliance could have been achieved without someone responsible to make sure of it. 
 
Assigned accountability, even when not required specifically, is a de facto necessity insofar as the absence of such accountability would likely be deemed unreasonable, even negligent, if there were ever a non-compliance determination. 
 
How could any customer read that and ignore their responsibility to assign such accountability? Certainly some will continue to disregard this obligation (at their own peril), but they will no longer do so with a clear conscience or with plausible deniability. 
 
 


Monday June 26, 2017

Customer Misconception: It’s Okay to Store Records Indefinitely

Selling Information Disposition by the Book (vol. 10)

By Bob Johnson

At its worst, the conversation unfolds something like this: 

Service Provider: “I would like to discuss your records destruction needs.”
Data Controller: “That’s not necessary. We keep everything forever.”
 
And even though the data controller may not say it so blatantly, it is common knowledge that many, if not most, companies don’t destroy retained records when they have reached their retention period. Of course, this is bad news - for them, because it puts them at risk, and for secure destruction services, because they are robbed of the opportunity to properly protect their customers.
 
This risky misconception is confronted directly on page 56 of Chapter 3: Records and Information Management Principles, in the section titled Liability of Retaining Unnecessary Records.
 
The risks delineated within this section include Legal Discovery, Adverse Inference, and Increasing Risk of Unauthorized Access. In all, almost two pages of text describe in detail why the data controller should not retain records longer than legally required. 
 
It should be noted that the short conversation above, which characterizes this misconception, also signals that the data controller does not consider the daily flow of media as something that requires destruction. Readers will remember that was covered in Customer Misconception #3. So, when you hear a data controller say they don’t need a records destruction service because they keep everything, you probably have two misconceptions to overcome – and a good use for the new textbook.
 


Monday June 12, 2017

Customer Misconception: Particle Size is the Only Thing that Matters 

Selling Information Disposition by the Book (vol. 9)

By Bob Johnson

In Chapter 6: Secure Destruction Methodologies, the section Process/Particle Size Standards, Guidance and Requirements, which starts on page 132, most directly confronts this misconception:
 
In navigating their responsibilities, requirements and options for information destruction, data controllers are understandably interested to know if the materials they wish to destroy are subject to a required particle size specification. In truth, however, outside of government classified NSI, where the data controller is legally bound to a particle size, PHI and PII, the types of information most organizations discard, are not subject to any prescriptive regulatory particle size requirements whatsoever. (see Reasonableness in Chapter 1). As for competition-sensitive information, particle size preference is completely left to the data controller, insofar as they are subject to no form of regulatory obligation. 
 
The section then goes on to describe how, in years past, when media was destroyed in-house, particle size was the most critical issue, but how, with the advent of outsourcing as the most common means of data destruction, there are many other factors that equal or surpass particle size in importance.
 
Later in the same section, there is a warning regarding the dangers of turning to non-governmental particle size specification recommendations: 
 
Unfortunately, in the search for some direction on this particle size, data controllers sometimes mistakenly interpret and/or apply standards where they are unnecessary or, worse, where reliance on particle size provides a false sense of security. In any case, but especially when information destruction is outsourced, the overall process is the critically important factor. Particle size is simply one aspect of that process. The problem with relying only on particle size guidance is that the more important factors (the written procedures, the training, the employee screening, the secure staging, the custody transfer, the access control, and the disposition of destroyed material) are often ignored. 
 
Though it may sound a bit cavalier, if particle size were the key to compliance, compliance could be met using unscreened, known criminals on a vacant lot in the most crime-ridden neighborhood in town.
 
The fact that no data protection regulation includes a prescribed particle size is also the subject of discussion in Chapter 1, where the requirements of each regulation are described in detail.


Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Monday June 5, 2017

Customer Misconception: No Need for Written Information Destruction Procedures

Selling Information Disposition by the Book (vol. 8)

By Bob Johnson

There is a good reason Chapter 7: Information Disposition Policies and Procedures is dedicated strictly to advising data controllers on how to create their internal operating manual for destroying obsolete media and information. That reason: the law requires that they have one.
 
That point is first emphasized on page 14 of Chapter 1: Data Protection Regulations, where it states:
 
Written Procedures and Employee Training 
 
HIPAA, GLB, and FACTA require an organization to have written information protection policies and procedures. Again, it is easy to understand the logic. Not only are such written procedures necessary to demonstrate internal operational accountability, without them employee training and guidance is non-existent from a regulatory standpoint. It is clearly unreasonable to represent to authorities that an organization can provide a reasonable level of direction to employees without written procedures.
 
In fact, the absence of adequate written policies and employee training are the two most frequently cited reasons for regulatory penalties associated with data security violations. On the other hand, having and implementing such written procedures insulates an organization from the worst consequences of a violation. 
 
And, while the book includes the actual regulatory language specifying the legal requirement to have written policies and procedures, it also provides examples of what can happen if there is a breach and such written policies are not available. 
 
Below can be found on page 137, Chapter 7, Information Disposition Policies and Procedures: 
 
The following excerpt is taken from the press release by the Massachusetts Attorney General in May of 2012, announcing a $750,000 settlement stemming from the improper disposal of protected health information. 
 
“The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.” 
 
….phrases like “failing to implement appropriate safeguards, policies, and procedures” and “failing to properly train its workforce” are among the most commonly cited when regulators announce settlements and sanctions related to data protection violations. 
 
The book establishes beyond any reasonable argument that written policies and procedures are required, that they are easy to create (especially with the help of the book), and that not having such procedures documented results in the highest fines, whereas having them (along with training) practically insulates the data controller from suffering a violation or being found negligent.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Tuesday May 30, 2017

Customer Misconception: The Certificate of Destruction Removes Regulatory Liability

Selling Information Disposition by the Book (vol. 7)

By Bob Johnson

It is understandable that data controllers would be comforted by believing that once they have a certificate of destruction from the service provider, they are no longer responsible for the security of the information. Unfortunately, there are still service providers that try to capitalize on that misconception. At its worst, this position is seen when a client says something like, “I don’t care about their security, I have a certificate of destruction, and so, if it turns up, it will be the service provider’s problem.” Of course, that is far from the truth. The truth is that if records turn up, the client will have to answer for the selection of that service provider. The client will also be responsible for all the regulatory damages that result. In other words, the certificate of destruction does not transfer any regulatory responsibility from the client to the service provider.

 

Information Disposition stresses throughout that the only way to transfer regulatory responsibility is through proper due diligence and contractual language, and even then the transfer is only partial and tenuous at best. It also, however, contains clear language to dispel any misconception that a certificate of destruction is of any value in that regard and that reliance on it alone is a very dangerous practice.

On page 69 in Chapter 3: Records and Information Management Principles:

Data controllers sometimes also mistakenly view the certificate of destruction (CoD) as transferring liability for destruction to a service provider; the thought being that a CoD issued by the service provider makes them responsible for any damage should the information surface. This is a dangerous misconception. Obviously, the previous discussion on the difficulty associated with establishing proof plays into this discussion. For example, if one cannot prove that an item was in the batch or that it was the only copy, holding the service provider accountable is problematic. While this is true, the more significant reason the CoD is not capable of transferring liability is because regulations do not allow for it.

Of course, the statement above builds on the point that data controllers cannot transfer regulatory responsibility to the service provider, which is documented in Chapter 1: Data Protection Regulations.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Tuesday May 23, 2017

Customer Misconception: Only a Small Portion of Discarded Media Must be Destroyed

Selling Information Disposition by the Book (vol. 6)

By Bob Johnson

There are several ways in which data controllers put themselves at risk by destroying only a portion of what should be destroyed. Usually it is by letting employees decide what should be securely destroyed and what can be disposed of casually. It is most commonly seen where a data controller gives the employee multiple options for how media is discarded. This is a mistake for several reasons, and one of the many places Information Disposition confronts this mistake can be found on page 47 in Chapter 2, Physical Security:

Special Collection Issues
Allowing Employee Discretion

It is very risky for a data controller to allow rank and file employees the discretion to determine what media or information requires secure destruction. While allowing employee discretion minimizes the amount of material requiring destruction, it gives every employee the ability to violate an organization’s regulatory compliance. Furthermore, a data security breach traced back to such employee discretion, having arguably been authorized precisely because it was more economical, would be difficult to defend.

Chapter 3 defines what actually constitutes an official “record” and what is considered “personal information,” as this will also help explain to data controllers that they are taking a big risk with any destruction program that doesn’t include ALL discarded media. The example of Carlucci v. Piper Aircraft Corp., 102 F.R.D. 472 (S.D. Fla. 1984), in Appendix A of Chapter 3, page 77, is case law demonstrating:

...the need for a document destruction policy as well as a document retention policy -- especially in legal situations. The court ended up ruling against Piper in this case due to their incriminating (i.e. inconsistent) document destruction.

Information Disposition also spends considerable time on the importance of employee training, which will help maximize their sensitivity to what must be destroyed.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Tuesday May 16, 2017

Customer Misconception: Recycling is Adequate

Selling Information Disposition by the Book (vol. 5)

By Bob Johnson

Of all the misconceptions that put clients at risk and minimize the role of service providers in protecting clients, mistaking general unsecured recycling for a substitute for secure destruction is among the most disturbing.

As Information Disposition explains on page 125 of Chapter 6: Secure Destruction Methodologies:

Reducing paper media to pulp is a very thorough method of destruction. However, because the process is most generally available only at large-scale paper mills, where data protection is not mission-critical, the overall process lacks the necessary security controls. The pulping process performed at paper mills, therefore, falls far below the level of security that would be considered minimally reasonable by data protection compliance standards. Those attempting to convince customers that large-scale pulping operations are suitable for providing secure destruction are either hoping to play on client ignorance or demonstrating their own lack of knowledge. While there are instances in which data controllers have been tempted or tricked into accepting pulping as a method of destroying paper media, it is not appropriate without the proper employee screening, training and acknowledgements, access control, acceptance of fiduciary responsibility, written data protection policies and procedures, or contractual linkage to security or regulatory compliance.

Thankfully, on the whole, most customers realize paper recycling does not provide adequate security or regulatory compliance, and so it remains less of a misconception than in past decades.

Electronics Recycling: On the other hand, there are still organizations that look to basic computer recycling to meet their data protection requirements; they are not even thinking of data protection as their primary imperative when they dispose of obsolete IT equipment.

For instance, a few years ago, the Toronto Sanitation Department ran a television advertisement advising residents to put their old computers at the curb for collection. When the Information and Privacy Commissioner of Ontario discovered this, the ad was pulled immediately. The point is, the security (or vulnerability) of the personal information on those computers was not even a consideration for the sanitation officials. This same mentality is apparent in business as well.

Of course, as discussed earlier, the vendor qualifications that need to factor heavily into selecting a data destruction vendor are stressed throughout the text of the book. In addition, and more specifically, the detailed quality control measures for computer recycling companies outlined on page 122 of Chapter 6 are critical:

Quality Control for Electronic Erasure Processes

Because neither overwriting nor degaussing change the appearance of the media to which they are applied, quality control procedures are critical to ensure the reliability of these processes.

Quality control starts with written procedures describing the steps and flow of materials through the stages of the process. Written procedures 1) demonstrate that due diligence has been afforded the process, 2) provide for the appropriate training of qualified technicians to comply and conform to the instructions, and 3) establish a method of organizational and individual accountability.

The section goes on to outline in detail the steps and measures to be employed in a defined quality control publication.
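The passage above makes the point that an overwritten or degaussed drive looks exactly like one that was never touched, so quality control has to come from reading the result back, not from looking at it. The following is an added example, not code from NAID or from the Information Disposition textbook, of what that read-back check looks like for an overwrite pass: the "drive" is a constructed in-memory bytearray standing in for a device image, and the sector size, the all-zero pattern, the 10% sample rate and the fields of the verification record are assumptions made for the example. It deliberately includes the failure mode a written QC step exists to catch: a tool that reports success while leaving one sector untouched.

```python
"""
Read-back verification of an overwrite pass.

Added example; this is not code from NAID or the Information Disposition
textbook. Overwriting leaves media looking unchanged, so the only way to know
a pass actually succeeded is to read the media back, compare every sector
with the expected pattern, and record who checked it and what they found.
The "media" is a constructed in-memory bytearray standing in for a drive
image; SECTOR_SIZE, the all-zero pattern, the sample rate and the record
fields are assumptions for the example.
"""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512  # assumed logical sector size


def make_sample_media(num_sectors: int, seed: int = 1) -> bytearray:
    """Constructed stand-in for a drive full of old data (pseudo-random bytes)."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(num_sectors * SECTOR_SIZE))


def _fill(pattern: bytes) -> bytes:
    """One sector's worth of the overwrite pattern."""
    return (pattern * SECTOR_SIZE)[:SECTOR_SIZE]


def overwrite(media: bytearray, pattern: bytes = b"\x00", skip_sectors=()) -> None:
    """Single-pass overwrite, sector by sector.

    `skip_sectors` constructs the failure mode a QC step exists to catch: a
    sector the tool silently left untouched (an interrupted pass, a remapped
    block, a tool that reported success anyway).
    """
    fill = _fill(pattern)
    for s in range(len(media) // SECTOR_SIZE):
        if s in skip_sectors:
            continue
        media[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = fill


def verify_full(media: bytearray, pattern: bytes = b"\x00") -> List[int]:
    """Read back every sector; return the sector numbers that do not match."""
    fill = _fill(pattern)
    return [s for s in range(len(media) // SECTOR_SIZE)
            if bytes(media[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]) != fill]


def verify_sampled(media: bytearray, pattern: bytes = b"\x00",
                   fraction: float = 0.10,
                   seed: Optional[int] = None) -> Tuple[List[int], List[int]]:
    """Spot-check a random subset of sectors (the cheaper check some
    procedures settle for). Returns (sectors_checked, sectors_failed).

    A clean sample is evidence, not proof: a single bad sector is missed with
    probability (1 - fraction), so the full read-back is the stronger control.
    """
    fill = _fill(pattern)
    n = len(media) // SECTOR_SIZE
    rng = random.Random(seed)
    checked = sorted(rng.sample(range(n), k=max(1, int(n * fraction))))
    failed = [s for s in checked
              if bytes(media[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]) != fill]
    return checked, failed


def verification_record(media: bytearray, pattern: bytes, operator: str,
                        asset_tag: str) -> Dict[str, object]:
    """The evidence a written QC procedure would file alongside the certificate
    of destruction: who verified which asset, the outcome, and a hash of the
    post-wipe image so the result can be re-checked later. Field names are
    assumptions for the example."""
    failed = verify_full(media, pattern)
    return {
        "asset_tag": asset_tag,
        "operator": operator,
        "sectors_total": len(media) // SECTOR_SIZE,
        "sectors_failed": failed,
        "passed": not failed,
        "image_sha256": hashlib.sha256(media).hexdigest(),
    }


if __name__ == "__main__":
    drive = make_sample_media(64)
    overwrite(drive, skip_sectors={17})      # the tool "succeeds" but misses a sector
    print("bad sectors after first pass:", verify_full(drive))   # [17]
    overwrite(drive)                          # re-run the pass, then re-verify
    record = verification_record(drive, b"\x00", "tech-01", "HDD-0001")
    print("passed:", record["passed"])        # True
```

The design choice worth noting is that the pass/fail decision and the record of who made it are produced by the same procedure: the verification is what makes the later certificate of destruction defensible, and a sampled check should only ever be a triage step ahead of a full read-back, since the one sector it skips is exactly the one that will turn up later.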

Any service provider looking to impress upon customers the importance of vendor qualifications and quality control, in order to confront the misconception that recycling is a legitimate option, will find plenty of ammunition in Information Disposition.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Monday May 8, 2017

Customer Misconception: Only Large Records Purges Need Destruction (not daily paper)

Selling Information Disposition by the Book (vol. 4)

Bob Johnson, NAID CEO

The third most costly misconception is when customers do not give appropriate attention to destroying the media that they discard on a daily basis in the normal course of business (usually waste paper).

In fairness, most of the data destruction industry growth in the U.S. market over the past 15 years is due to the fact that more and more organizations do destroy incidental media. In that regard, things are better. However, there is still a lot of room for improvement. Not only do too many organizations still neglect protecting the media they discard daily, but even when they do provide a way to collect it, they do not make sure it all gets into the security container.

This usually boils down to one common denominator: The client doesn’t really think of the discarded daily media as an official business record.

The book, Information Disposition, spends considerable real estate on educating clients to understand that incidental records – those that never go into a box or are not retained – are business records in every way and that they require the same amount of security, perhaps even more. Further, the book explains that employees should not be given the discretion to decide what gets destroyed and what does not. It all needs to be destroyed.

One example of this language can be found on page 59 in Chapter 3: Records and Information Management Principles:

Records Creation

A discussion on proper information disposition requires an understanding of how records are created and that all information recorded by an organization has the potential to be considered a record. As described previously, such records may be incidental (having only a momentary lifespan), duplicate (copies of controlled records), or controlled (retained by the organization, preferably subject to a formally adopted retention schedule). These records exist independent and regardless of the media on which they are stored. While controlled records are conventionally recorded on paper or electronic media, something as casual as a handwritten note on a cocktail napkin can qualify as an official record in certain circumstances.

For purposes of this chapter, “record” will be defined as any recorded information created in the course of or as a function of an organization. It is admittedly a very liberal definition; however, when it comes to how courts might interpret or define a “record,” it is prudent to anticipate the liberal definition as opposed to a more restricted interpretation. To that end, when designing an information disposition program, organizations should be mindful to comprehensively account for all potential sources and types of information including memos, duplicate or flawed forms, or even a casual planning note jotted in haste, regardless of whether that information is recorded on paper, computer, removable solid-state flash drives, email, or magnetic tape.

Later in the same chapter, the discussion resumes on the destruction of incidental records:

Disposition of Incidental Records

As previously defined, incidental records are those with a lifespan limited to their immediate usefulness. Common examples include memos, reports, surveys, drafts of correspondence, and flawed copies of forms. From a RIM perspective, the most important thing to remember is that they are as much an official record as those retained formally. Failure to identify incidental records and develop written procedures for their proper disposition is inconsistent with regulatory compliance and RIM best practices.

Due to their nature, no internal authorization is required for the disposition of incidental records.

As with all the examples provided in these blogs, I am providing only a couple of samples of the type of education provided in the textbook that make the point. Information dispelling the misconception – or in this case omission – of the need to destroy incidental records is woven throughout much of the book.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>


Monday May 1, 2017

Customer Misconception: No Need for a Contract

Selling Information Disposition by the Book (vol. 3)

Bob Johnson, NAID CEO

This is the third installment in my blog series on using the Information Disposition textbook to overcome the most costly customer misconceptions. It makes perfect sense that customers who do not see the critical importance of vendor qualifications would also minimize the value of having a contract with those vendors.

Information Disposition will equip service providers who encounter the customer philosophy that there is no need to have a contract with a destruction vendor on the job, by pointing directly to regulatory compliance and best practices. The subject of contracts surfaces in most detail in Chapter 4: Risk Management; in fact, it is considered one of the top four elements of any information disposition risk management strategy.  As readers will see, there is more than enough even in the introductory paragraphs to convince a customer that a contract is prudent. One excerpt in particular may be all that is necessary for the client to understand its importance:

“…there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with a downstream data-related service provider would likely be deemed unreasonable and negligent.” (pg. 85)

Still, it is worth reading the introduction in its entirety.

Contracts

Obtaining appropriate legal counsel is a prerogative of any party entering a contractual relationship. The forthcoming information is not to be construed as legal advice but rather an attempt to articulate relevant issues.

From an internal perspective, employee acknowledgements and agreements mentioned previously are a form of contract.

From an external perspective, there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, not having a contractual agreement with any downstream data-related service provider would likely be deemed unreasonable and negligent.

Contracts codify agreements and, in doing so, protect all parties to it. Contracts between a data controller and service provider would typically include all of the following:

  • Contain or reference exhibits containing the promised/expected security measures and processes
  • Include pricing and payment terms
  • Provide regulatory linkage, for example, to breach notification requirements, the HIPAA Privacy and Security rules, GLBA Safeguards Rule, etc.
  • Include the term (period) of the contract, renewal and early termination provisions
  • Delineate how and where disputes would be resolved

It is expected that each party in the contract is responsible for protecting their interests. As a result, the party producing the agreement is primarily focused on protecting its interests, potentially at the expense of the other. It is assumed that both parties will consider how the agreements affect them and to be aware of the other party’s responsibility to protect themselves.

The chapter goes on to list more than a dozen contractual clauses that are either required by law or required as a best practice to protect the client (and in most cases the service provider as well).

No client could read this section of Chapter 4 and still believe that the obligation to have a contract with a data destruction service provider should be ignored.

Buy Information Disposition Today and Start the Conversation with Your Customers >>


Wednesday April 26, 2017

Customer Misconception: Vendor Qualifications Don’t Matter

Selling Information Disposition by the Book (vol. 2)

Bob Johnson, NAID CEO

In my last blog, Selling Information Disposition by the Book (vol. 1), the first in this series, I talked a bit about the mechanics of using the new Information Disposition textbook.

If I were to boil that post down to one sentence, it would be: Get the book in front of any customer bidding a shredding job, especially if they are floating a contract or RFP.

The rest of this series is meant to show readers some of the language in the book that is aimed specifically at customer misconceptions - misconceptions that put them at risk and stand in the way of service providers better serving them.

When we asked NAID members to vote, the number one customer misconception indicated was that “Vendor qualifications don’t matter.” Of course, this is very disturbing, since nothing could be more wrong. In fact, making sure the service provider has the right qualifications is a legal requirement. And, since the customer will be held fully responsible for the actions of their service provider, it is important from a practical perspective too.

As early as Chapter 1 (pg. 14) in Information Disposition, where data protection regulations are discussed in the book, regulatory language is used to make the point.

Vendor Selection Due Diligence
Data controllers often outsource information management or processing functions such as records storage, billing, scanning, and information destruction to service providers. Regulations universally understand this reality and, therefore, require data controllers to demonstrate due diligence in verifying such service providers meet the appropriate security standards and regulatory compliance.

Per the U.S. Department of Health and Human Services:

The [HIPAA] Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity (HHS).

In the GLB Safeguards Rule, the instructions are to...

(d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards (Federal Register, 2002).

But singling out one passage does the book and the truth of the matter an injustice. The importance of due diligence in the vendor selection process runs throughout the 272 pages.

For example, a description of data breach notification a few paragraphs later includes the passage:

Further emphasizing the importance of appropriate vendor selection due diligence, regulators have embedded important practical provisions within the regulations. First, data controllers are held legally responsible for breaches resulting from inadequately vetted contractors. For instance, under data breach notification laws, service providers are simply required to notify the data controller. It is the data controller’s responsibility to notify regulators and the affected clients, as explained by the HHS:

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Regulatory requirements for covered entities to have service providers’ contracts in place are also clear evidence that due diligence in the selection and management of service providers is an inherent expectation.

Chapter 4 addresses the topic of Risk Management Principles and focuses on four critical aspects that most dramatically decrease data controller risk and liability:

  • Personnel
  • Indemnification
  • Contracts
  • Service Provider Selection
    • Herein, an entire section of the chapter is dedicated to what proper vendor selection looks like.

Blogs are not books and by now readers get the point.

Once exposed to the content of Information Disposition, any customer would be forced to realize that the qualifications of their secure data destruction service are very important.

Heck, maybe all they have to do is read this blog!

Order your copy of the book today >>


Wednesday April 12, 2017

Selling Information Disposition by the Book

Bob Johnson, NAID CEO

The new Information Disposition textbook (Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets) is an amazing tool for service providers to use with customers to help them truly understand the value of your offerings.

NAID has always operated from two guiding principles, and both are at the heart of the new textbook:

  1. An informed customer is the best way for reputable service providers to promote secure information destruction
  2. Information destruction service providers should be professionally qualified

As reported elsewhere, NAID’s ambitions for the book are VERY high:

  • It will be used in universities to educate future data security and information professionals on a critical subject largely ignored in their current curriculum.
  • It will be used by current information managers, data security professionals and risk managers to improve the way they qualify and contract service providers.
  • It will educate current and future Certified Secure Destruction Specialists (CSDS) so they can better serve their employers and customers.

It can also increase sales. Here’s how…

  1. During the RFP or contracting process: When a prospective client is in the midst of an RFP or rebidding a contract, let them know you can give them, lend them, or direct them to a book that contains everything they need to know about the regulations, contract elements, and service provider requirements. If you know of some particular weak link in their approach, you can point them to the section of the book that dispels that misconception. They might tend to ignore you when you raise an issue, but it is completely different when they see it in black and white with the sources identified. Customers also appreciate a vendor who is willing to partner with them rather than just sell to them.
  2. To welcome a new customer: You place bins at a new customer location, but you know there is a lot more business there. The book stresses the importance of assigning accountability, employee training, “destroy all” programs, the need to be comprehensive, etc. All of these topics are important to your customer’s compliance, but they also allow you to be of more service to them.
  3. Reward an existing customer: This may have occurred to you while reading the previous point. If you have a long-standing relationship with an account but you know they are not destroying all they should be (or are otherwise non-compliant), give them the book. You are doing them a favor. Over time, as they look at it or when you seek to improve what they are doing, you can point them to the book.

NAID is already aggressively pursuing its ambitious plans for introducing the book to universities and professional associations. I urge you to proactively explore how you can use it to reduce your customers’ risks by increasing the services you provide to them.

Keep following the NAIDnotes Blog and watch for my series on how this same Information Disposition textbook can be used to overcome customer misconceptions that put them at risk.

Order your copy of the book today and start putting it to work for you!


Tuesday April 4, 2017

Can We Take Control of the Industry’s Insurance Destiny?

Bob Johnson, NAID CEO

When NAID embarked on the Downstream Data Coverage insurance pathway, it did so primarily because the professional liability coverages members were purchasing did not protect them or their customers. Exclusions of claims resulting from the intentional acts of rogue employees and poor breach coverage language were universal in other policies. Since then, as data protection insurance has evolved rapidly and become more competitive, other policies have reacted. As a result, some members are finding professional liability coverage they believe is just as good as Downstream Data… and they can get it from their familiar broker too.

Unfortunately, industry professionals who believe another policy “is just as good as Downstream” – whether they are right or wrong about that – are missing the point. If all NAID wanted to do was fix the policy language, it could have done that without creating a new brand.

NAID stated its goal from day one - to create a Captive Insurance group, which would allow it to dramatically lower premiums by establishing a low claims history for a large group of similar services. However, in order to do this, we need to build the “large group” first. NAID is not giving up on this dream for our members.

For those who say, “I got a similar policy for $100 per year less,” two things. One, I implore you to speak with a Downstream Data broker (1.877.710.2498) about today’s coverage and pricing to really compare policies, because that amount of savings on a comparable policy is frankly doubtful. Two, and more importantly, know that while you win a small battle, you are losing the entire war. Your actions are delaying the day when the industry can take control of both premiums and policy language. You are complicit in delaying the day when all can have exactly the right coverage for significantly less than you will ever pay on the open market.

We can take control of the industry’s insurance destiny, when as an industry, we band together. And when we achieve success, those not currently supporting it will also line up to save more money.


Tuesday March 14, 2017

NAIDnews From the Editor: Fishing is a lot Like Networking

Kelly Martínez, NAID Director of Marketing & Communications

My father is an expert fisherman. I spent much of my childhood sitting in a boat or tramping up the creek bed in search of “the perfect spot”. As a young girl I hated baiting my own hook, and so my dad assisted me. He and his friends were there to teach me to properly cast my line, slowly reel in, set the hook, and more. I remember cruising on our small motorized dinghy past drunk lunatics and commiserating with fellow serious fishermen about scaring the fish, what was biting, and where the good holes could be found along the walls of the cliffs.

Fishing is a lot like networking. The actual fishing part is more like business, but being a fisherman – standing along the shore in the silent grace of it all, sometimes you need the wisdom of a sage because those fish just won’t bite! You can know everything about the science of it, the solunar tables, the ideal location, and how a bobber works, but there are days when you are disdained to go home empty handed; then, it’s great to run into a fellow fisherman who can suggest something like bread dough balls over worms for bait (trust me on that one).

The same is true in the business world. We make networking sound hard, as if we are forced to cast and recast our lines to no avail. It doesn’t have to be a slimy, forced conversation. Networking is happening all the time, whether you are intentional about it, cultivating it, or just doing business as usual. Even when you’re not “actively networking”, the relationships you foster, big and small, may pay out in the future in ways you couldn’t imagine. That’s what happened in the featured article of the latest edition of the NAIDnews. Check out the story “It’s What You Know. It’s Who You Know” about how a simple referral set the bait for the biggest contract catch for one company.

I also encourage you to cast aside any stigmas you may have around networking. I have a personal list of positive experiences I’m happy to share with you at NAID 2017. Come find me; let’s chat – ahem – network.

You want the fish to bite? Get to know others on the lake.


Tuesday March 7, 2017

That Time I Donated my Outdated Technology

Kelly Martínez, NAID Director of Marketing & Communications

I was being responsible and cleaning out our electronics bin. Do you have one of those in the garage? The place where random cords, Ethernet cables, and broken PS2s go until they are needed (ahem - yeah right). I remember coming across lots of outdated goodies like my husband's old Palm Pilot and even his as-seen-on-TV aluminum wallet organizer he never used (I don't know why it was in there). I kept too many random things, threw out a few, and donated the rest of our outdated technology to Goodwill. Are you bristling yet? It gets better.

We moved. I cleaned out the bin again.

Several months later I went to look up some photos of my oldest child from when she was a baby. We had saved these on an external hard drive for safekeeping since our computer was getting old, which was a good call since it crashed shortly thereafter. The hard drive wasn’t in the desk. But we’d moved, so that made sense. Where else could it be? I went through a few straggler boxes in the closet with no luck. Then I thought of the electronics bin?! This is where we put random things, so I searched it. No drive. I searched everywhere. I re-looked everywhere. I was so sad. Maybe it would show up in a random, mismarked, unpacked box in the garage.

I went to the store to purchase a new external hard drive in the interim. I bought the same kind as before, because we had been happy with it. But when I saw the hard drive, my stomach dropped. Do you know what that brand of hard drive looks like? Almost exactly like the as-seen-on-TV aluminum wallet… I am now positive I had donated my firstborn’s baby photos to Goodwill.

Guess what? We didn’t just store photos on our external hard drive either… *gulp.

***

I never recovered my terabyte hard drive, or my precious data. People accidentally donate stuff all the time.

You’re probably still cringing that I donated a Palm Pilot without a second thought, aren’t you? I mindfully donated it, because the technology was so outdated. If it had been a computer, I would have wiped it, but that didn’t seem important in this instance. And you know better than I that even my precautions wouldn’t have mattered.

How many individuals are just as clueless as I was before I joined NAID?

***

So, where do we go from here?

Well, I started by saving low-res images of my kid off of email and Facebook to piece-meal together a new make-shift photo library. I also have identity theft recovery insurance just in case.

NAID is busy educating the public to be a little wiser. This includes the recent formation of the Industry Action Committee, which focuses on industry, commercial and government decision makers and policy writers to demonstrate the value of NAID Certification. Later this month NAID will be releasing the results of the largest second-hand electronic device study, which should bring awareness to the need for proper data destruction in this area. And NAID is also releasing a textbook this month, Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets, by Bob Johnson (currently available for pre-order). The publication will serve as the CSDS training manual, a university-level textbook, and most importantly a tool for educating clients on the nature and importance of proper data destruction. NAID will continue to make headway in every way possible, so that more people make fewer stupid mistakes like mine.

Kelly Martínez
Learning More Every Day

Tuesday February 21, 2017

The Golden Circle of Secure Data Destruction

Kelly Martínez, NAID Director of Marketing & Communications

In case you missed this message in the last edition of the NAIDnews… As the new Director of Marketing & Communications for NAID, it’s exciting to hear an established trade association such as this one buzzing with initiatives to make a difference for its members and the industry as a whole. NAID President Don Adriaansen reviewed several of these in his President’s Message; you can read this and more about these topics in the 2016 Fall NAIDnews.

What most excites me about working for NAID and in this industry is the WHY. I was recently introduced to Simon Sinek and his concept of the Golden Circle. It is neither WHAT a business sells that leads to success, nor even the HOW, it is the WHY. Sinek states in his book, Start with Why: How Great Leaders Inspire Everyone to Take Action, “Very few people or companies can clearly articulate WHY they do WHAT they do. By WHY I mean your purpose, cause or belief - WHY does your company exist? WHY do you get out of bed every morning? And WHY should anyone care?”

I have already been impressed with the passion and integrity NAID and its members live each day. We are more than a band of shredders, destroyers, and hard workers. Our WHY is a powerful one that makes a difference daily in our local communities and across the world. We safeguard individual lives from being ruined, protect businesses so that they can operate legally and efficiently, and educate so that we can put a stop to those who would prey upon the unsuspecting. This is something I can buy into, and I believe that as we convey this message – our WHY – others will too.

I look forward to meeting many of you in Las Vegas at NAID 2017 next month, where together we can learn more about our WHY, HOW, and WHAT.
