Wednesday April 26, 2017

Customer Misconception: Vendor Qualifications Don’t Matter

Selling Information Disposition by the Book (vol. 2)

Bob Johnson, NAID CEO

In my last blog, Selling Information Disposition by the Book (vol. 1), the first in this series, I talked a bit about the mechanics of using the new Information Disposition textbook.

If I were to boil that post down to one sentence, it would be: Get the book in front of any customer bidding a shredding job, especially if they are floating a contract or RFP.

The rest of this series is meant to show readers some of the language in the book that is aimed specifically at customer misconceptions - misconceptions that put them at risk and stand in the way of service providers better serving them.

When we asked NAID members to vote, the number one customer misconception indicated was that “Vendor qualifications don’t matter.”  Of course, this is very disturbing since nothing could be more wrong. In fact, making sure the service provider has the right qualifications is a legal requirement. And, since the customer will be held fully responsible for the actions of their service provider, it is important from a practical perspective too.

As early as Chapter 1 (pg. 14) of Information Disposition, where data protection regulations are discussed, regulatory language is used to make the point.

Vendor Selection Due Diligence
Data controllers often outsource information management or processing functions such as records storage, billing, scanning, and information destruction to service providers. Regulations universally understand this reality and, therefore, require data controllers to demonstrate due diligence in verifying such service providers meet the appropriate security standards and regulatory compliance.

Per the U.S. Department of Health and Human Services:

The [HIPAA] Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity (HHS).

In the GLB Safeguards Rule, the instructions are to...

(d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards (Federal Register, 2002).

But singling out one passage does the book and the truth of the matter an injustice. The importance of due diligence in the vendor selection process runs throughout the 272 pages.

For example, a description of data breach notification a few paragraphs later includes the passage:

Further emphasizing the importance of appropriate vendor selection due diligence, regulators have embedded important practical provisions within the regulations. First, data controllers are held legally responsible for breaches resulting from inadequately vetted contractors. For instance, under data breach notification laws, service providers are simply required to notify the data controller. It is the data controller’s responsibility to notify regulators and the affected clients, as explained by the HHS:

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Regulatory requirements for covered entities to have service providers’ contracts in place are also clear evidence that due diligence in the selection and management of service providers is an inherent expectation.

Chapter 4 addresses the topic of Risk Management Principles and focuses on four critical aspects that most dramatically decrease data controller risk and liability:

  • Personnel
  • Indemnification
  • Contracts
  • Service Provider Selection
    • Herein, an entire section of the chapter is dedicated to what proper vendor selection looks like.

Blogs are not books and by now readers get the point.

Once exposed to the content of Information Disposition, any customer would be forced to realize that the qualifications of their secure data destruction service are very important.

Heck, maybe all they have to do is read this blog!


Wednesday April 12, 2017

Selling Information Disposition by the Book

Bob Johnson, NAID CEO

The new Information Disposition textbook (Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets) is an amazing tool for service providers to use with customers to help them truly understand the value of your offerings.

NAID has always operated from two guiding principles, both of which are at the heart of the new textbook:

  1. An informed customer is the best way for reputable service providers to promote secure information destruction
  2. Information destruction service providers should be professionally qualified

As reported elsewhere, NAID’s ambitions for the book are VERY high:

  • It will be used in universities to educate future data security and information professionals on a critical subject largely ignored in their current curriculum.
  • It will be used by current information managers, data security professionals and risk managers to improve the way they qualify and contract service providers.
  • It will educate current and future Certified Secure Destruction Specialists (CSDS) so they can better serve their employers and customers.

It can also increase sales. Here’s how…

  1. During the RFP or contracting process: When a prospective client is in the midst of an RFP or rebidding a contract, let them know you can give them, lend them, or direct them to a book that contains everything they need to know about the regulations, contract elements, and service provider requirements. If you know some particular weak link in their approach, you can point them to the section of the book that dispels that misconception.  They might tend to ignore you when you raise an issue, but it is completely different when they see it in black and white with the sources identified. Customers also appreciate a vendor who is willing to partner with them vs. just sell to them.
  2. To welcome a new customer: You place bins at a new customer location, but you know there is a lot more business there. The book stresses the importance of assigning accountability, employee training, “destroy all” programs, the need to be comprehensive, etc. All of these topics are important to your customer’s compliance, but they also allow you to be of more service to them.
  3. Reward an existing customer: This may have occurred to you while reading the previous point. If you have a long-standing relationship with an account but you know they are not destroying all they should be (or are otherwise non-compliant), give them the book. You are doing them a favor. Over time, as they look at it or when you seek to improve what they are doing, you can point them to the book.

NAID is already aggressively pursuing its ambitious plans for introducing the book to universities and professional associations.  I urge you to proactively explore how you can use it to reduce your customers’ risks by increasing the services you provide to them.

Keep following the NAIDnotes Blog and watch for my series on how this same Information Disposition textbook can be used to overcome customer misconceptions that put them at risk.

Order your copy of the book today and start putting it to work for you!


Tuesday April 4, 2017

Can We Take Control of the Industry’s Insurance Destiny?

Bob Johnson, NAID CEO

When NAID embarked on the Downstream Data Coverage insurance pathway, it did so primarily because the professional liability coverages members were purchasing did not protect them or their customers. Exclusions of claims resulting from the intentional acts of rogue employees and poor breach coverage language were universal in other policies. Since then, as data protection insurance has been rapidly evolving and competitive, there are policies that have reacted. As a result, some members are finding professional liability coverage they believe is just as good as Downstream Data… and they can get it from their familiar broker too.

Unfortunately, industry professionals who believe another policy “is just as good as Downstream” – whether they are right or wrong about that – are missing the point.  If all NAID wanted to do was fix the policy language, it could have done that without creating a new brand.

NAID stated its goal from day one - to create a Captive Insurance group, which would allow it to dramatically lower premiums by establishing a low claims history for a large group of similar services. However, in order to do this, we need to build the “large group” first. NAID is not giving up on this dream for our members.

For those who say, “I got a similar policy for $100 per year less,” two things. One, I implore you to speak with a Downstream Data broker (1.877.710.2498) about today’s coverage and pricing to really compare policies, because that amount of savings on a comparable policy is frankly doubtful. Two, and more importantly, know that while you win a small battle, you are losing the entire war. Your actions are delaying the day when the industry can take control of both premiums and policy language. You are complicit in delaying the day when all can have exactly the right coverage for significantly less than you will ever pay on the open market.

We can take control of the industry’s insurance destiny when, as an industry, we band together. And when we achieve success, those not currently supporting it will also line up to save more money.


Tuesday March 14, 2017

NAIDnews From the Editor: Fishing is a lot Like Networking

Kelly Martínez, NAID Director of Marketing & Communications

My father is an expert fisherman. I spent much of my childhood sitting in a boat or tramping up the creek bed in search of “the perfect spot”. As a young girl I hated baiting my own hook, and so my dad assisted me. He and his friends were there to teach me to properly cast my line, slowly reel in, to set the hook, and more. I remember cruising on our small motorized dinghy past drunk lunatics and commiserating with fellow serious fishermen about scaring the fish, what was biting, and where the good holes could be found along the walls of the cliffs.

Fishing is a lot like networking. The actual fishing part is more like business, but being a fisherman – standing along the shore in the silent grace of it all, sometimes you need the wisdom of a sage because those fish just won’t bite! You can know everything about the science of it, the solunar tables, the ideal location, and how a bobber works, but there are days when you are destined to go home empty-handed; then, it’s great to run into a fellow fisherman who can suggest something like bread dough balls over worms for bait (trust me on that one).

The same is true in the business world. We make networking sound hard, as if we are forced to cast and recast our lines to no avail. It doesn’t have to be a slimy, forced conversation. Networking is happening all the time, whether you are intentional about it, cultivating it, or just doing business as usual. Even when you’re not “actively networking”, the relationships you foster, big and small, may pay out in the future in ways you couldn’t imagine. That’s what happened in the featured article of the latest edition of the NAIDnews. Check out the story “It’s What You Know. It’s Who You Know” about how a simple referral set the bait for the biggest contract catch for one company.

I also encourage you to cast aside any stigmas you may have around networking. I have a personal list of positive experiences I’m happy to share with you at NAID 2017. Come find me; let’s chat – ahem – network.

You want the fish to bite? Get to know others on the lake.


Tuesday March 7, 2017

That Time I Donated my Outdated Technology

Kelly Martínez, NAID Director of Marketing & Communications

I was being responsible and cleaning out our electronics bin. Do you have one of those in the garage? The place where random cords, Ethernet cables, and broken PS2s go until they are needed (ahem - yeah right). I remember coming across lots of outdated goodies like my husband's old Palm Pilot and even his as-seen-on-TV aluminum wallet organizer he never used (I don't know why it was in there). I kept too many random things, threw out a few, and donated the rest of our outdated technology to Goodwill. Are you bristling yet? It gets better.

We moved. I cleaned out the bin again.

Several months later I went to look up some photos of my oldest child from when she was a baby. We had saved these on an external hard-drive for safekeeping since our computer was getting old, which was a good call since it crashed shortly thereafter. The hard-drive wasn’t in the desk. But we’d moved, so that made sense. Where else could it be? I went through a few straggler boxes in the closet with no luck. Then I thought of the electronics bin?! This is where we put random things, so I searched it. No drive. I searched everywhere. I re-looked everywhere. I was so sad. Maybe it would show up in a random, mismarked, unpacked box in the garage.

I went to the store to purchase a new external hard-drive in the interim. I bought the same kind as before, because we had been happy with it. But when I saw the hard-drive, my stomach dropped. Do you know what that brand of hard-drive looks like? Almost exactly like the as-seen-on-TV aluminum wallet…. I am now positive I had donated my firstborn’s baby photos to Goodwill.

Guess what? We didn’t just store photos on our external hard-drive either… *gulp*.


I never recovered my terabyte hard-drive or my precious data. People accidentally donate stuff all the time.

You’re probably still cringing that I donated a Palm Pilot without a second thought, aren’t you? I mindfully donated it, because the technology was so outdated. If it had been a computer, I would have wiped it, but that didn’t seem important in this instance. And you know better than I that even my precautions wouldn’t have mattered.

How many individuals are just as clueless as I was before I joined NAID?


So, where do we go from here?

Well, I started by saving low-res images of my kid off of email and Facebook to piecemeal together a new makeshift photo library. I also have identity theft recovery insurance just in case.

NAID is busy educating the public to be a little wiser. This includes the recent formation of the Industry Action Committee, which focuses on the industry, commercial and government decision makers and policy writers to demonstrate the value of NAID Certification. Later this month NAID will be releasing the results of the largest second-hand electronic device study, which should bring awareness to the need for proper data destruction in this area. And NAID is also releasing a textbook this month, Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets, by Bob Johnson (currently available for pre-order). The publication will serve as the CSDS training manual, a university-level textbook, and most importantly a tool for educating clients on the nature and importance of proper data destruction. NAID will work to continue to make headway in every way possible, so that more people make fewer stupid mistakes like me.

Kelly Martínez
Learning More Every Day


Tuesday February 21, 2017

The Golden Circle of Secure Data Destruction

Kelly Martínez, NAID Director of Marketing & Communications

In case you missed this message in the last edition of the NAIDnews… As the new Director of Marketing & Communications for NAID, it’s exciting to hear an established trade association such as this one buzzing with initiatives to make a difference for their members and the industry as a whole. NAID President Don Adriaansen reviewed several of these in his President’s Message; you can read this and more about these topics in the 2016 Fall NAIDnews.

What most excites me about working for NAID and in this industry is the WHY. I was recently introduced to Simon Sinek and his concept of the Golden Circle. It is neither WHAT a business sells that leads to success, nor even the HOW, it is the WHY. Sinek states in his book, Start with Why: How Great Leaders Inspire Everyone to Take Action, “Very few people or companies can clearly articulate WHY they do WHAT they do. By WHY I mean your purpose, cause or belief - WHY does your company exist? WHY do you get out of bed every morning? And WHY should anyone care?”

I have already been impressed with the passion and integrity NAID and its members live each day. We are more than a band of shredders, destroyers, and hard workers. Our WHY is a powerful one that makes a difference daily in our local communities and across the world. We safeguard individual lives from being ruined, protect businesses so that they can operate legally and efficiently, educate so that we can put a stop to those who would prey upon the unsuspecting. This is something I can buy into, and I believe as we convey this message – our WHY - others will too.

I look forward to meeting many of you in Las Vegas at NAID 2017 next month, where together we can learn more about our WHY, HOW, and WHAT.
