NAIDnotes

Tuesday May 16, 2017

Customer Misconception: Recycling is Adequate

Selling Information Disposition by the Book (vol. 5)

By Bob Johnson

Of all the misconceptions that put clients at risk and minimize the role of service providers in protecting them, mistaking general, unsecured recycling for a substitute for secure destruction is among the most disturbing.

As Information Disposition explains on page 125 of Chapter 6: Secure Destruction Methodologies:

Reducing paper media to pulp is a very thorough method of destruction. However, because the process is most generally available only at large-scale paper mills, where data protection is not mission-critical, the overall process lacks the necessary security controls. The pulping process performed at paper mills, therefore, falls far below the level of security that would be considered minimally reasonable by data protection compliance standards. Those attempting to convince customers that large-scale pulping operations are suitable for providing secure destruction are either hoping to play on client ignorance or demonstrating their own lack of knowledge. While there are instances in which data controllers have been tempted or tricked into accepting pulping as a method of destroying paper media, it is not appropriate without the proper employee screening, training and acknowledgements, access control, acceptance of fiduciary responsibility, written data protection policies and procedures, or contractual linkage to security or regulatory compliance.

Electronics Recycling: Thankfully, on the whole, most customers now realize that paper recycling does not provide adequate security or regulatory compliance, so it is less of a misconception than it was in past decades.

On the other hand, there are still organizations that look to basic computer recycling to meet their data protection requirements; they are not even thinking of data protection as their primary imperative when they dispose of obsolete IT equipment.

For instance, a few years ago, the Toronto Sanitation Department ran a television advertisement advising residents to put their old computers at the curb for collection. When the Information and Privacy Commissioner of Ontario discovered this, the ad was pulled immediately. The point is, the security (or vulnerability) of the personal information on those computers was not even a consideration for the sanitation officials. This same mentality is apparent in business as well.

Of course, as discussed earlier, the vendor qualifications that need to factor heavily into selecting a data destruction vendor are stressed throughout the text of the book. In addition, and more specifically, the detailed quality control measures for computer recycling companies outlined on page 122 of Chapter 6 are critical:

Quality Control for Electronic Erasure Processes

Because neither overwriting nor degaussing changes the appearance of the media to which they are applied, quality control procedures are critical to ensure the reliability of these processes.

Quality control starts with written procedures describing the steps and flow of materials through the stages of the process. Written procedures 1) demonstrate that due diligence has been afforded the process, 2) provide for the appropriate training of qualified technicians to comply and conform to the instructions, and 3) establish a method of organizational and individual accountability.

The section goes on to outline in detail the steps and measures to be employed in a defined quality control publication.
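The practical consequence of the passage above is that a wiped drive looks no different from one that was never wiped, so the only way to know an overwrite worked is a documented read-back check whose result is recorded. The following Python script is an added illustration of such a check; it is not code from Information Disposition or from NAID. It assumes the overwritten media has been captured as a raw byte image (here a constructed in-memory sample, one cleanly zeroed and one with a residual fragment left behind) and produces a record a technician could attach to the written QC procedure the book calls for.

```python
"""Read-back verification of an overwritten media image (added example).

A wiped drive is visually indistinguishable from an unwiped one, so a
quality-control step reads the media back block by block and confirms that
every block holds the expected overwrite pattern. The QcRecord it returns
(block count, offending blocks, image hash, pass/fail) is the evidence a
written QC procedure would require the technician to file.
"""
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096          # assumed sector/block size of the imaged media
ZERO_PATTERN = b"\x00"     # single-pass zero fill; any repeating pattern works


@dataclass
class QcRecord:
    total_blocks: int
    bad_blocks: list = field(default_factory=list)   # indices that did not match
    image_sha256: str = ""                           # fingerprint of what was read back
    passed: bool = False


def verify_overwrite(image: bytes, pattern: bytes = ZERO_PATTERN,
                     block_size: int = BLOCK_SIZE) -> QcRecord:
    """Compare every block of `image` against the repeating `pattern`.

    The pattern is phase-aligned to the absolute byte offset, so patterns whose
    length does not divide the block size (e.g. a 3-byte pattern) are checked
    correctly rather than being re-anchored at each block boundary.
    """
    if not pattern:
        raise ValueError("overwrite pattern must be non-empty")
    total = (len(image) + block_size - 1) // block_size
    record = QcRecord(total_blocks=total)
    reps = block_size // len(pattern) + 2    # enough repeats to cover one block plus phase shift
    for idx in range(total):
        start = idx * block_size
        block = image[start:start + block_size]
        phase = start % len(pattern)
        expected = (pattern * reps)[phase:phase + len(block)]
        if block != expected:
            record.bad_blocks.append(idx)
    record.image_sha256 = hashlib.sha256(image).hexdigest()
    record.passed = not record.bad_blocks
    return record


def build_sample_images():
    """Constructed sample data (not real media): 16 zeroed blocks, and the same
    image with a fragment of made-up text left in block 5, simulating an
    overwrite that silently skipped part of the drive."""
    clean = bytes(BLOCK_SIZE * 16)
    residue = bytearray(clean)
    fragment = b"PATIENT RECORD 0001 - constructed sample text"
    offset = 5 * BLOCK_SIZE + 100
    residue[offset:offset + len(fragment)] = fragment
    return clean, bytes(residue)


if __name__ == "__main__":
    clean, residue = build_sample_images()
    for name, img in (("clean", clean), ("residue", residue)):
        rec = verify_overwrite(img)
        print(f"{name}: {'PASS' if rec.passed else 'FAIL'} "
              f"bad_blocks={rec.bad_blocks} sha256={rec.image_sha256[:16]}...")
```

The check is deliberately exhaustive rather than sampled: a sampling verifier would have a good chance of missing the single bad block in the constructed image, which is exactly the failure a QC procedure exists to catch. On real media the image would be read from the device and the record stored with the technician's identity and the procedure revision, tying the result to the accountability the excerpt describes.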

Any service provider looking to impress upon customers the importance of vendor qualifications and quality control, in order to confront the misconception that recycling is a legitimate option, will find plenty of ammunition in Information Disposition.

Get your copy of Information Disposition today >> 


Monday May 8, 2017

Customer Misconception: Only Large Records Purges Need Destruction (not daily paper)

Selling Information Disposition by the Book (vol. 4)

Bob Johnson, NAID CEO

The third most costly misconception is that customers do not give appropriate attention to destroying the media they discard on a daily basis in the normal course of business (usually waste paper).

In fairness, most of the data destruction industry's growth in the U.S. market over the past 15 years is due to the fact that more and more organizations do destroy incidental media. In that regard, things are better. However, there is still a lot of room for improvement. Not only do too many organizations still neglect to protect the media they discard daily, but even those that provide a way to collect it do not make sure it all gets into the security container.

This usually boils down to one common denominator: The client doesn’t really think of the discarded daily media as an official business record.

The book, Information Disposition, spends considerable real estate on educating clients to understand that incidental records – those that never go into a box and are not retained – are business records in every way and that they require the same amount of security, perhaps even more. Further, the book explains that employees should not be given the discretion to decide what gets destroyed and what does not. It all needs to be destroyed.

One example of this language can be found on page 59 in Chapter 3: Records and Information Management Principles:

Records Creation

A discussion on proper information disposition requires an understanding of how records are created and that all information recorded by an organization has the potential to be considered a record. As described previously, such records may be incidental (having only a momentary lifespan), duplicate (copies of controlled records), or controlled (retained by the organization, preferably subject to a formally adopted retention schedule). These records exist independent and regardless of the media on which they are stored. While controlled records are conventionally recorded on paper or electronic media, something as casual as a handwritten note on a cocktail napkin can qualify as an official record in certain circumstances.

For purposes of this chapter, “record” will be defined as any recorded information created in the course of or as a function of an organization. It is admittedly a very liberal definition; however, when it comes to how courts might interpret or define a “record,” it is prudent to anticipate the liberal definition as opposed to a more restricted interpretation. To that end, when designing an information disposition program, organizations should be mindful to comprehensively account for all potential sources and types of information including memos, duplicate or flawed forms, or even a casual planning note jotted in haste, regardless of whether that information is recorded on paper, computer, a removable solid state flash drive, email, or magnetic tape.

Later in the same chapter, the discussion resumes on the destruction of incidental records:

Disposition of Incidental Records

As previously defined, incidental records are those with a lifespan limited to their immediate usefulness. Common examples include memos, reports, surveys, drafts of correspondence, and flawed copies of forms. From a RIM perspective, the most important thing to remember is that they are as much an official record as those retained formally. Failure to identify incidental records and develop written procedures for their proper disposition is inconsistent with regulatory compliance and RIM best practices.

Due to their nature, no internal authorization is required for the disposition of incidental records.

As with all the examples provided in these blogs, I am providing only a couple of samples of the type of education provided in the textbook that make the point. Information dispelling the misconception – or in this case omission – about the need to destroy incidental records is woven throughout much of the book.

Get your copy of Information Disposition today >> 


Monday May 1, 2017

Customer Misconception: No Need for a Contract

Selling Information Disposition by the Book (vol. 3)

Bob Johnson, NAID CEO

This is the third installment in my blog series on using the Information Disposition textbook to overcome the most costly customer misconceptions. It makes perfect sense that customers who do not see the critical importance of vendor qualifications would also minimize the value of having a contract with those vendors.

Information Disposition will equip service providers who encounter the customer philosophy that there is no need for a contract with the destruction vendor on the job, by pointing directly to regulatory compliance and best practices. The subject of contracts surfaces in most detail in Chapter 4: Risk Management; in fact, it is considered one of the top four elements of any information disposition risk management strategy. As readers will see, there is more than enough even in the introductory paragraphs to convince a customer that a contract is prudent. One excerpt in particular may be all that is necessary for the client to understand its importance:

“…there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with a downstream data-related service provider would likely be deemed unreasonable and negligent.” (pg. 85)

Still, it is worth reading the introduction in its entirety.

Contracts

Obtaining appropriate legal counsel is a prerogative of any party entering a contractual relationship. The forthcoming information is not to be construed as legal advice but rather an attempt to articulate relevant issues.

From an internal perspective, employee acknowledgements and agreements mentioned previously are a form of contract.

From an external perspective, there may be no circumstance in which a data controller could reasonably defend the absence of a written contract with any service provider retained to dispose of regulated PII or PHI. Not only do data protection provisions in HIPAA and GLBA require covered entities to have a contract, but not having a contractual agreement with any downstream data-related service provider would likely be deemed unreasonable and negligent.

Contracts codify agreements and, in doing so, protect all parties to them. Contracts between a data controller and service provider would typically include all of the following:

  • Contain or reference exhibits containing the promised/expected security measures and processes
  • Include pricing and payment terms
  • Provide regulatory linkage, for example, to breach notification requirements, the HIPAA Privacy and Security rules, GLBA Safeguards Rule, etc.
  • Include the term (period) of the contract, renewal and early termination provisions
  • Delineate how and where disputes would be resolved

It is expected that each party in the contract is responsible for protecting its interests. As a result, the party producing the agreement is primarily focused on protecting its interests, potentially at the expense of the other. It is assumed that both parties will consider how the agreement affects them and be aware of the other party’s responsibility to protect itself.

The chapter goes on to list more than a dozen contractual clauses that are either required by law or required as a best practice to protect the client (and in most cases the service provider as well).

No client could read this section of Chapter 4 and still believe that the obligation to have a contract with a data destruction service provider should be ignored.


Buy Information Disposition Today and Start the Conversation with Your Customers >>


Wednesday April 26, 2017

Customer Misconception: Vendor Qualifications Don’t Matter

Selling Information Disposition by the Book (vol. 2)

Bob Johnson, NAID CEO

In my last blog, Selling Information Disposition by the Book (vol. 1), the first in this series, I talked a bit about the mechanics of using the new Information Disposition textbook.

If I were to boil that post down to one sentence, it would be: Get the book in front of any customer bidding a shredding job, especially if they are floating a contract or RFP.

The rest of this series is meant to show readers some of the language in the book that is aimed specifically at customer misconceptions - misconceptions that put them at risk and stand in the way of service providers better serving them.

When we asked NAID members to vote, the number one customer misconception indicated was that “Vendor qualifications don’t matter.” Of course, this is very disturbing since nothing could be more wrong. In fact, making sure the service provider has the right qualifications is a legal requirement. And, since the customer will be held fully responsible for the actions of their service provider, it is important from a practical perspective too.

As early as Chapter 1 (pg. 14) in Information Disposition, where data protection regulations are discussed in the book, regulatory language is used to make the point.

Vendor Selection Due Diligence

Data controllers often outsource information management or processing functions such as records storage, billing, scanning, and information destruction to service providers. Regulations universally understand this reality and, therefore, require data controllers to demonstrate due diligence in verifying such service providers meet the appropriate security standards and regulatory compliance.

Per the U.S. Department of Health and Human Services:

The [HIPAA] Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity (HHS).

In the GLB Safeguards Rule, the instructions are to...

(d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards (Federal Register, 2002).

But singling out one passage does the book and the truth of the matter an injustice. The importance of due diligence in the vendor selection process is woven throughout the 272 pages.

For example, a description of data breach notification a few paragraphs later includes the passage:

Further emphasizing the importance of appropriate vendor selection due diligence, regulators have embedded important practical provisions within the regulations. First, data controllers are held legally responsible for breaches resulting from inadequately vetted contractors. For instance, under data breach notification laws, service providers are simply required to notify the data controller. It is the data controller’s responsibility to notify regulators and the affected clients, as explained by the HHS:

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Regulatory requirements for covered entities to have service provider contracts in place are also clear evidence that due diligence in the selection and management of service providers is an inherent expectation.

Chapter 4 addresses the topic of Risk Management Principles and focuses on four critical aspects that most dramatically decrease data controller risk and liability:

  • Personnel
  • Indemnification
  • Contracts
  • Service Provider Selection
    • Herein, an entire section of the chapter is dedicated to what proper vendor selection looks like.

Blogs are not books and by now readers get the point.

Once exposed to the content of Information Disposition, any customer would be forced to realize that the qualifications of their secure data destruction service are very important.

Heck, maybe all they have to do is read this blog!


Wednesday April 12, 2017

Selling Information Disposition by the Book

Bob Johnson, NAID CEO

The new Information Disposition textbook (Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets) is an amazing tool for service providers to use with customers to help them truly understand the value of the services they are offered.

NAID has always operated from two guiding principles, and both are at the heart of the new textbook:

  1. An informed customer is the best way for reputable service providers to promote secure information destruction
  2. Information destruction service providers should be professionally qualified

As reported elsewhere, NAID’s ambitions for the book are VERY high:

  • It will be used in universities to educate future data security and information professionals on a critical subject largely ignored in their current curriculum.
  • It will be used by current information managers, data security professionals and risk managers to improve the way they qualify and contract service providers.
  • It will educate current and future Certified Secure Destruction Specialists (CSDS) so they can better serve their employers and customers.

It can also increase sales. Here’s how…

  1. During the RFP or contracting process: When a prospective client is in the midst of an RFP or rebidding a contract, let them know you can give them, lend them, or direct them to a book that contains everything they need to know about the regulations, contract elements, and service provider requirements. If you know of some particular weak link in their approach, you can point them to the section of the book that dispels that misconception. They might tend to ignore you when you raise an issue, but it is completely different when they see it in black and white with the sources identified. Customers also appreciate a vendor who is willing to partner with them rather than just sell to them.
  2. To welcome a new customer: You place bins at a new customer location, but you know there is a lot more business there. The book stresses the importance of assigning accountability, employee training, “destroy all” programs, the need to be comprehensive, etc. All of these topics are important to your customer’s compliance, but they also allow you to be of more service to them.
  3. Reward an existing customer: This may have occurred to you while reading the previous point. If you have a long-standing relationship with an account but you know they are not destroying all they should be (or are otherwise non-compliant), give them the book. You are doing them a favor. Over time, as they look at it or when you seek to improve what they are doing, you can point them to the book.

NAID is already aggressively pursuing its ambitious plans for introducing the book to universities and professional associations. I urge you to proactively explore how you can use it to reduce your customers’ risks by increasing the services you provide to them.

Keep following the NAIDnotes Blog and watch for my series on how this same Information Disposition textbook can be used to overcome customer misconceptions that put them at risk.

Order your copy of the book today and start putting it to work for you!


Tuesday April 4, 2017

Can We Take Control of the Industry’s Insurance Destiny?

Bob Johnson, NAID CEO

When NAID embarked on the Downstream Data Coverage insurance pathway, it did so primarily because the professional liability coverages members were purchasing did not protect them or their customers. Exclusions of claims resulting from the intentional acts of rogue employees and poor breach coverage language were universal in other policies. Since then, as data protection insurance has evolved rapidly and become more competitive, other policies have reacted. As a result, some members are finding professional liability coverage they believe is just as good as Downstream Data… and they can get it from their familiar broker too.

Unfortunately, industry professionals who believe another policy “is just as good as Downstream” – whether they are right or wrong about that – are missing the point. If all NAID wanted to do was fix the policy language, it could have done that without creating a new brand.

NAID stated its goal from day one - to create a Captive Insurance group, which would allow it to dramatically lower premiums by establishing a low claims history for a large group of similar services. However, in order to do this, we need to build the “large group” first. NAID is not giving up on this dream for our members.

For those who say, “I got a similar policy for $100 per year less,” two things. One, I implore you to speak with a Downstream Data broker (1.877.710.2498) about today’s coverage and pricing to really compare policies, because that amount of savings on a comparable policy is frankly doubtful. Two, and more importantly, know that while you win a small battle, you are losing the entire war. Your actions are delaying the day when the industry can take control of both premiums and policy language. You are complicit in delaying the day when all can have exactly the right coverage for significantly less than you will ever pay on the open market.

We can take control of the industry’s insurance destiny, when as an industry, we band together. And when we achieve success, those not currently supporting it will also line up to save more money.


Tuesday March 14, 2017

NAIDnews From the Editor: Fishing is a lot Like Networking

Kelly Martínez, NAID Director of Marketing & Communications

My father is an expert fisherman. I spent much of my childhood sitting in a boat or tramping up the creek bed in search of “the perfect spot”. As a young girl I hated baiting my own hook, and so my dad assisted me. He and his friends were there to teach me to properly cast my line, slowly reel in, set the hook, and more. I remember cruising on our small motorized dinghy past drunk lunatics and commiserating with fellow serious fishermen about scaring the fish, what was biting, and where the good holes could be found along the walls of the cliffs.

Fishing is a lot like networking. The actual fishing part is more like business, but being a fisherman – standing along the shore in the silent grace of it all – sometimes you need the wisdom of a sage because those fish just won’t bite! You can know everything about the science of it, the solunar tables, the ideal location, and how a bobber works, but there are days when you are destined to go home empty-handed; then, it’s great to run into a fellow fisherman who can suggest something like bread dough balls over worms for bait (trust me on that one).

The same is true in the business world. We make networking sound hard, as if we are forced to cast and recast our lines to no avail. It doesn’t have to be a slimy, forced conversation. Networking is happening all the time, whether you are intentional about it, cultivating it, or just doing business as usual. Even when you’re not “actively networking”, the relationships you foster, big and small, may pay out in the future in ways you couldn’t imagine. That’s what happened in the featured article of the latest edition of the NAIDnews. Check out the story “It’s What You Know. It’s Who You Know” about how a simple referral set the bait for the biggest contract catch for one company.

I also encourage you to cast aside any stigmas you may have around networking. I have a personal list of positive experiences I’m happy to share with you at NAID 2017. Come find me; let’s chat – ahem – network.

You want the fish to bite? Get to know others on the lake.


Tuesday March 7, 2017

That Time I Donated my Outdated Technology

Kelly Martínez, NAID Director of Marketing & Communications

I was being responsible and cleaning out our electronics bin. Do you have one of those in the garage? The place where random cords, Ethernet cables, and broken PS2s go until they are needed (ahem - yeah right). I remember coming across lots of outdated goodies like my husband's old Palm Pilot and even his as-seen-on-TV aluminum wallet organizer he never used (I don't know why it was in there). I kept too many random things, threw out a few, and donated the rest of our outdated technology to Goodwill. Are you bristling yet? It gets better.

We moved. I cleaned out the bin again.

Several months later I went to look up some photos of my oldest child from when she was a baby. We had saved these on an external hard drive for safekeeping since our computer was getting old, which was a good call since it crashed shortly thereafter. The hard drive wasn’t in the desk. But we’d moved, so that made sense. Where else could it be? I went through a few straggler boxes in the closet with no luck. Then I thought of the electronics bin?! This is where we put random things, so I searched it. No drive. I searched everywhere. I re-looked everywhere. I was so sad. Maybe it would show up in a random, mismarked, unpacked box in the garage.

I went to the store to purchase a new external hard-drive in the interim. I bought the same kind as before, because we had been happy with it. But when I saw the hard-drive, my stomach dropped. Do you know what that brand of hard-drive looks like? Almost exactly like the as-seen-on-TV aluminum wallet…. I am now positive I had donated my firstborn’s baby photos to Goodwill.

Guess what? We didn’t just store photos on our external hard-drive either… *gulp.

***

I never recovered my terabyte hard-drive, or my precious data back. People accidentally donate stuff all the time.

You’re probably still cringing that I donated a Palm Pilot without a second thought, aren’t you? I mindfully donated it, because the technology was so outdated. If it had been a computer, I would have wiped it, but that didn’t seem important in this instance. And you know better than I that even my precautions wouldn’t have mattered.

How many individuals are just as clueless as I was before I joined NAID?

***

So, where do we go from here?

Well, I started by saving low-res images of my kid off of email and Facebook to piece-meal together a new make-shift photo library. I also have identity theft recovery insurance just in case.

NAID is busy educating the public to be a little wiser. This includes the recent formation of the Industry Action Committee, which focuses on the industry, commercial and government decision makers and policy writers to demonstrate the value of NAID Certification. Later this month NAID will be releasing the results of the largest second-hand electronic device study, which should bring awareness to the need for proper data destruction in this area. And NAID is also releasing a textbook this month, Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets, by Bob Johnson (currently available for pre-order). The publication will serve as the CSDS training manual, a university-level textbook, and most importantly a tool for educating clients on the nature and importance of proper data destruction. NAID will continue to make headway in every way possible, so that more people make fewer stupid mistakes like mine.

Kelly Martínez
Learning More Every Day


Tuesday February 21, 2017

The Golden Circle of Secure Data Destruction

Kelly Martínez, NAID Director of Marketing & Communications

In case you missed this message in the last edition of the NAIDnews… As the new Director of Marketing & Communications for NAID, it’s exciting to hear an established trade association such as this one buzzing with initiatives to make a difference for their members and the industry as a whole. NAID President Don Adriaansen reviewed several of these in his President’s Message; you can read this and more about these topics in the 2016 Fall NAIDnews.

What most excites me about working for NAID and in this industry is the WHY. I was recently introduced to Simon Sinek and his concept of the Golden Circle. It is neither WHAT a business sells that leads to success, nor even the HOW, it is the WHY. Sinek states in his book, Start with Why: How Great Leaders Inspire Everyone to Take Action, “Very few people or companies can clearly articulate WHY they do WHAT they do. By WHY I mean your purpose, cause or belief - WHY does your company exist? WHY do you get out of bed every morning? And WHY should anyone care?”

I have already been impressed with the passion and integrity NAID and its members live each day. We are more than a band of shredders, destroyers, and hard workers. Our WHY is a powerful one that makes a difference daily in our local communities and across the world. We safeguard individual lives from being ruined, protect businesses so that they can operate legally and efficiently, and educate so that we can put a stop to those who would prey upon the unsuspecting. This is something I can buy into, and I believe as we convey this message – our WHY – others will too.

I look forward to meeting many of you in Las Vegas at NAID 2017 next month, where together we can learn more about our WHY, HOW, and WHAT.
