Skip Navigation

NAIDnotes Archives

Thursday December 19, 2013

How to add compliance consulting to your services

By Bob Johnson, NAID CEO

This is the first of a series of posts to familiarize readers with 2014 conference educational content. Not only will this help attendees decide which sessions they want to attend, but also demonstrate the high level of thought planners put into developing content that address today’s most common challenges and opportunities. In this entry, I focused on the panel discussion How to Add Compliance Consulting to Your Services, a breakout session currently scheduled for Saturday, April 5 from 2:30 to 3:30 p.m.

Fifteen years ago, IBM and XEROX were equipment manufacturers. Now, they make most of their money from consulting. They learned that equipment-based strategies are easy to copy but industry acumen and value-added strategies are not. While most secure destruction service providers will always be equipment-based, offering compliance resources and training is a method for standing out in a market, increasing profits, and building greater customer loyalty. In the recent SDB Magazine, you can read how one NAID member is effectively building on this strategy. And, they are not alone. There are dozens of NAID members that for which offering secure destruction is becoming part of an overall compliance partner strategy. Certainly this strategy might not be for everyone but that is why it is so effective. For those who learn to effectively embrace this strategy, it is something that cannot be easily copied by the competition. It releases them from the chains of commoditization. In this session, industry veterans who have successfully integrated compliance and consulting services will discuss how they did it, what they learned along the way, and how it has benefited their bottom lines.

While this is just one of over 20 such sessions, it is one that could dramatically change the long-term trajectory of those who attend. Visit the NAID 2014 Annual Conference website for more information or to register. A 25 percent advance registration discount is still available.

Comments: 0 | Reply

Thursday December 12, 2013

How do I build trust?

By Ray Barry, Chief Shreducation and Member Relations Officer

In the information management and destruction industries, relationships rule the sales process. You get a new client as soon as you build know, like and trust feelings with a prospect. If you lost a deal, it’s most likely because the prospect knew, liked and trusted your competitor more. Ouch, that hurts.

I think most of us know how to build the “know” in our market and we certainly know how to be more likeable with our prospects. But the biggest challenge usually is how to build the trust with your prospects. If the relationship doesn’t start right, it will not end right. Here are some of the top ways to earn trust with your prospects:

  • Respect their time: In your initial conversations, say, “If I caught you at a good time, I’d like to ask you a few quick questions to see if what we have to offer may be of help to you. Would that be ok?” Also, find common ground, but don’t waste time getting down to business. Stick to their time budget as long as it is reasonable for you too.
  • Be on time and follow up on time: Unfortunately, some sales professionals rarely follow up when they say they are going to. Don’t just say “I am calling to follow up or touch base.” That’s what all salespeople say. I like to say “I am calling to continue our previous conversation.” Be different.
  • Be relevant: How does your solution help the prospect’s business? How does your service help them profit more? How do you make their life easier? How can you bring them more clients?
  • Do your homework: Know everything and anything about their business before you meet. There are many tools online to get as much information as possible.
  • Stop pitching, start asking: Jeffrey Gitomer’s mantra is “people don’t like to be sold but they love to buy.” In other words, don’t give a canned presentation or sales pitch to your prospects. Engage them about by asking questions and letting them talk about themselves. The trust meter goes sky high when you let people talk.
  • Down sell: What Ray? Are you crazy? Sounds unconventional? Exactly! Customers are used to the same old sales stuff and most sales professionals try to get as much revenue upfront as possible. Even if you know your prospect may need three bins picked up every month, suggest they start with just one to gauge the volume and test the waters. Their comfort level with you just went up because you didn’t try to take advantage of them like a stereotypical sales person.
  • Train their employees: Thanks to the NAID Customer Employee Training Program, you can train your prospects’ employees on proper document disposal and provide written instructions so they are compliant with current regulations (e.g., HIPAA, Red Flags Rule, state laws). BAM! You just became a trusted adviser.
  • Walk away unless you know you can help the prospect’s business: Trust is something you cannot force. Prospects have more respect for professionals that are prepared to walk away if they can’t improve their current situation. If you know you can improve their situation or business, don’t walk away and start building trust. 
  • Speak! Public speaking is the best way to become the perceived expert in your market. However, the message should be about them. Remember, perceived experts gain instant trust.

In a competitive industry and tough economy, a prospect’s trust is more and more important every day. Think of your own purchasing decisions. You probably pay more to do business with those companies and people you trust. Low-cost bidders eventually go out of business while the most trusted companies thrive.

Comments: 0 | Reply

Thursday November 21, 2013

If you aspire to great success, a coach is a necessity

By Bob Johnson, NAID CEO

Athletes, especially professional athletes, provide one of the most obvious examples of human beings who have to continually focus on improving their performances. Their livelihoods depend on it. And, whether they are the front lineman on a professional football team or a star tennis player, they have a coach. Think for a moment if you know of any professional athlete who does not have a coach. You may but, off hand, I don’t.

Acting is another area that requires exceptional personal performance, and actors, even the most accomplished, have acting coaches.

Why? What do coaches provide these professionals? They provide encouragement. They provide honest, useful feedback. They provide a point of accountability that urges them to stay on track. They provide expertise on their subject matter, ideally honed from years of practical experience in their respective fields.

Now let’s talk about you. Do you want to be an exceptional performer? I can’t imagine anyone aspiring to mediocrity. Wouldn’t you benefit from the encouragement, accountability and expertise of a coach? Sure you would. The fact is that anyone whose livelihood depends on personal performance would benefit from coaching. 

Of course, this is not a new concept in business. Many, if not most, top business executives have a coach. It’s a mistake to think you don’t need one too and now there’s a great option for NAID members who act quickly. Last week NAID announced the availability of a mastermind sales coaching program that will be run by Chief Shreducation and Member Relations Officer Ray Barry. At the moment, space is limited and we hope to expand the program next July.

I realize there’s a tendency to think that a coach is for other people with more important jobs. I understand there’s also the likelihood that some people might be worried about allowing a coach into their lives. I know these things because that is what I thought before I found my coach. In my case, those concerns proved to be baseless and the benefits boundless. Just saying…


Comments: 0 | Reply

Thursday November 14, 2013

Call me after the holidays

By Ray Barry, Chief Shreducation and Member Relations Officer

Ahh, the good old “call me back after the holidays” stall. I am sure you have heard this stall or objection a million times and, maybe heard it as you read this post as we approach Thanksgiving.

Although some of your prospects may actually need to wait for January to move forward because of internal procedures or budgets, the majority of prospective buyers know it is one of the best stall tactics in history. This stall tactic is really an objection and what the prospect is telling you is “I do not see the value to move forward with you yet.” Or, maybe you did not do a good job of qualifying them as a valid sales opportunity.

At this point you have not established a sense of urgency to buy today. The know, like and trust feelings are not there yet. The risk of doing business with you is greater than the possible rewards at this point.

Does the prospect really want your destruction services? Have they recognized they have a problem that can be aligned with your solution? Is this person the real decision maker?

It is an easy way to get rid of the salesperson because most sales people will say “OK, I will call you back then” and go away without asking any questions. Instead of being a puppet or pawn to the prospect, find out what the true objection is or at least make it more difficult for him or her to stall. It is time to get the guts to ask why.Here are some suggestions on how to handle this stall tactic:

  • What will be different in January?
  • Is there a specific reason you prefer I get back to you then?
  • What is preventing you from taking action today?
  • Do you see yourself buying after the holidays, etc.?
  • Could you start now and pay after the holiday?
  • When I call you back in January, what happens next?

It is the responsibility of the sales professional, not the prospect, to show how a delay can cost more than purchasing now.

Comments: 0 | Reply

Friday November 8, 2013

The challenge of operating with integrity

By Bob Johnson, NAID CEO

From the beginning, NAID has held the position that a fully informed customer is the best strategy for improving conditions for reputable secure destruction service providers and the industry overall. This is based on the premise that the only way disreputable operators can function is by preying on customer ignorance and apathy. 

The challenge of this strategy extends beyond simply educating the customer; it requires an educated membership. And, in the case of educated members, it goes beyond simply educating them on industry issues. Members also need to be aware of and appreciate the value of the integrity that lies behind NAID’s structure and function. That structure prohibits NAID from coming up with a certification program that is not supported by a Certification Rules Committee to develop specifications, a Certification Review Board responsible for the integrity of the program, and an elected board of directors to approve everything. Such structure and function requires that ethical investigations unfold in a manner that allows all participants due process and that can stand up in court. And, it requires that members realize and insist the organization is operated under legal bylaws and that its corporate structure is completely transparent.

This is a challenge. There will always be customers who will be misled by disreputable service providers. There will always be service providers who do not appreciate what it takes to run an association with full transparency and integrity. It’s just the way it is. Luckily, as long as there are service providers who are smart enough to appreciate and support transparency, integrity and legitimacy, NAID will be there to represent them.

Comments: 0 | Reply

Thursday October 31, 2013

Why do some salespeople fail?

By Ray Barry, Chief Shreducation and Member Relations Officer

When I speak with business owners in the information destruction and records management industries, one of the biggest issues they face is finding the right sales professionals for their businesses. And, once they find a good sales professional, they struggle with helping him/her maintain a certain level of success. Many business owners think that hiring salespeople is like rolling a dice. It doesn’t have to be that way.

If you identify the main reasons that some salespeople fail, you can qualify the best candidates moving forward and then put the right process in place to ensure success for your sales professionals. There are many reasons why some salespeople don’t work out, even if you felt you made a good hiring decision. Here are the top 10 reasons salespeople fail:

  1. Most salespeople don’t prospect effectively and efficiently and they end up spending valuable time with prospects who most likely will not buy.
  2. Lack of proper training: Sales superstars don’t happen by accident. Just like athletes, it takes practice to become great. No one gets good at anything by doing it just once.
  3. They don’t utilize a consistent step-by-step sales process; therefore, their results are inconsistent and each opportunity is handled differently, creating a hit-or-miss scenario.
  4. They try to persuade and convince their prospects to buy their services using manipulative tactics, which turns prospects off and creates sales resistance.
  5. Most salespeople talk too much in the sales call. They also talk too much about their company and prospects often feel disrespected and neglected. Top sales professionals invest at least 80 percent of their time letting the prospect talk.
  6. They do sales presentations instead of finding out what their prospects really want and the reasons why.
  7. They don’t understand their prospect’s buying and decision-making processes so they end up spending too much time with non-decision makers.
  8. They try to close the sale using manipulative tactics. On the other hand, sales superstars start closing at the beginning of their sales process by using a great line of questioning.
  9. They learned the old school way of handling objections, which don’t work anymore. Customers are used to the same old sales pitches. Old school tactics blend into the crowd and don’t make you stand apart. Top sales professionals eliminate most objections proactively within the sales process.
  10. Lack of guidance from ownership and management: Sometimes salespeople fail because they are micromanaged or not properly guided by their managers. Frontline sales reps, managers, and owners need coaches, not managers. To become a salesperson, you need sales training. To become a sales champion, you need sales coaching.

If you or your sales professional want to become a sales champion, make sure you avoid these common mistakes so that hiring sales professionals in the future will not be a roll of the dice.

Comments: 0 | Reply

Thursday October 24, 2013

Selling versus consulting

By Ray Barry, Chief Shreducation and Member Relations Officer

People will pay more if they perceive there is greater value or a deeper reason for buying from one provider over another.” ‑ Chet Holmes, “The Ultimate Sales Machine

This quote from the late great Chet Holmes tells me one specific thing: It’s not always about price. People will buy value from your destruction company if you can show them a deeper reason as to why they should.

What do I mean by “a deeper reason”? It certainly is not just matching or beating prices. The best way to show a prospect the deeper reason for doing business with you is to teach them something or be perceived as a trusted adviser, much like a business consultant. If you sell your service to your prospects, it becomes less about value and more about price.

On the other hand, if you offer to teach them something valuable, you will find that price is not the deciding factor. Most prospects would rather do business with an expert as opposed to a salesperson. Below are a few reasons why teaching something to your customers instead of selling them something works:

  • By offering education that helps the buyer, you create buyer interest.
  • If the information is useful, it positions you in the mind of the prospect as an expert compared to your competitors.
  • The information you teach will in someway relate to your destruction service that will ultimately sell your services much better than pitching your company or service.

Here are some ways to teach your prospects:

  • Offer to write your prospect’s information destruction policies and procedures (put a value on this service).
  • Offer to train their employees to help them maintain compliance with all data protection regulations and use the NAID employee training DVD.
  • Become a Certified Secure Destruction Specialist (CSDS) so you have the knowledge base to help your customers with protecting their information. They deserve it!
  • Develop a story or message that applies to your market.
  • Speak at tradeshows and seminars.
  • Write for industry publications.
  • Conduct lunch ‘n’ learns. 

Remember, if you share your industry knowledge, you will earn the sale by providing value first.

Comments: 0 | Reply

Thursday October 17, 2013

HIPAA compliance for NAID destruction services

By Bob Johnson, NAID CEO

In my last blog, I wrote about the strong-arm tactics being used by some HIPAA compliance consultants to coerce destruction providers into using their services. In this follow up, I offer my perspective on what compliance with the new HIPAA actually looks like.

I say “my perspective” because no one knows exactly how the U.S. Department of Health and Human Services (HHS) or their contracted auditors will determine what compliance for the new HIPAA requirements will look like. This uncertainty exists across the board but is particularly acute when you consider that secure destruction services have so few points of overlap. When your only job is to get the material from the customer to the mouth of a destruction unit (or connection to sanitization software), the overlap is relatively small.

For instance, the risk assessment required under the Security Rule actually only applies to electronic protected health information (ePHI), so if you are only destroying paper, it arguably would not apply at all. (Note: I would not advise anyone to rely on this technicality. If you had a data breach or HIPAA violation and did not do a risk assessment, though it may not be technically a requirement, as a business associate it would be hard to defend why you did not assess your organization’s security vulnerabilities.

I also want to reiterate a point I made in the last blog. HIPAA compliance does not require or necessitate the use of a third party to conduct a risk assessment, write policies or train employees. It is not necessarily a bad idea but it is not required and, in the case of secure destruction services, not critical. It is perfectly acceptable, in theory, to do them internally or rely on a set of self-assessment tools. Some of those tools are even provided by HHS.

Before I can talk about compliance for secure destruction services, I need to highlight the points of overlap. As I said, compared to a covered entity or any other type of business associate, the compliance overlap with HIPAA is nominal. Here are the overlap areas:

  • Risk assessment (with both the process and result documented)
  • Employee screening
  • Employee training, which is documented and based on HIPAA-relevant written security policies and procedures that include the appropriate whistle blower, breach reporting, and a specified breach incident recording and remediation process
  • An incident report log
  • Business associate agreements with any downstream subcontractors used to process PHI

If a data destruction service provider can check off these items, they should be, in theory, safe. Only time and actual audit results will determine if this is true. For now, this is my best guess.

Over the coming weeks, NAID will be some adding some features to NAID Certification that should cover all these bases. The goal is to have them in place by the end of the year. To be clear, of these few changes to the program, most are subtle and will not affect the actual certification specifications themselves. As for enforcement of the new HIPAA rule, it is a waiting game to see how HHS and its auditors will interpret the definition of compliance.


Comments: 0 | Reply

Tuesday October 8, 2013

Unintended consequences: Consultants using HIPAA to strong-arm business associates

By Bob Johnson, NAID CEO

When the U.S. Federal Trade Commission (FTC) contacted NAID to help write the FACTA Final Disposal Rule, their main concern was what they called “unintended consequences.” It seems every new law has side effects. The FTC’s goal was to anticipate the bad side effects and minimize them when creating new rules. Of course, they don’t always anticipate every bad side effect and those are what they refer to as “unintended consequences.”

Over the last couple of weeks, one such unintended consequence of the new HIPAA final rule (as amended by HITECH) has surfaced: aggressive compliance consultants coercing vendors into using their services. Before reading further, please keep in mind, NAID counts among its members a number of highly reputable HIPAA consultants. To the best of our knowledge, they are ethical and provide high quality services. They should be considered trusted advisers and not among the bad actors I describe below.

That being said, here is how the bad actors are showing up. 

A compliance consultant contacts the business associate (BA) providing services to the health care customer, say for instance a data destruction service. The consultant explains they provide compliance consulting services to hundreds of covered entities (CEs) in the marketplace and they are reaching out to prequalify the service provider as a BA they can recommend. But first, however, the service provider must subscribe to their risk assessment and compliance training services because that is the only way they will know the BA is worthy of being recommended. Further, and far more troubling, they say they have no choice but to blacklist the service provider if they do not use their consulting services (or those of a third party they will accept).

Forget for a minute this is a form of blackmail and consider these other troubling issues that make this tactic even more disturbing:

  1. Anyone can be a HIPAA compliance consultant. Sure there are plenty of legitimate ones, but there is no law restricting such claims.
  2. There is no way to know whether the consultant actually represents a large number of CEs or not.
  3. They have a tendency to only accept their risk assessment and training as a legitimate validation, meaning they will not accept alternatives. We submitted the NAID BA Agreement to one of these consultants, which was created by Kirk Nahra, one of the most well-known and highly respected HIPAA/HITECH privacy attorneys in the country, and it was kicked back as unacceptable (i.e., it was not theirs). This consultant might have taken a course on HIPAA compliance and has no credentials after his name.
  4. They have been found exaggerating or even fabricating the rules to suit their goals, stating or insinuating that it is required to use a third party to provide the BA with risk assessment and training. That is not true, it is perfectly appropriate to conduct your own or rely on already existing risk management measures. In fact, the U.S. Department of Human and Health Services (HHS) provides a template for conducting self-assessments. Using a third party is not necessarily a bad idea, but it is inappropriate to misrepresent the law by stating it must be a third party. Also, it is inappropriate to claim a range of specific services and documents are required when, in fact, HHS is relatively non-prescriptive about what they require. Until case histories are accumulated, we have no way of knowing how to fully interpret their intent.
  5. They are using these same inappropriate and unethical tactics, including extortion, on health care providers. In this regard, they have a real potential for contaminating a marketplace.

Anyway you dice it, this is certainly a bad unintended consequence of the new, tougher HIPAA rule. NAID is currently exploring how it might report such tactics to the authorities and/or provide tools to combat it in the marketplace. In part two of this blog, I will explain what HHS actually says about HIPAA risk assessments, training, and compliance and provide links to the actual HHS documents. Also, tomorrow, NAID will post the recording of last week’s webinar about HIPAA/HITECH in our NAIDDirect e-newsletter.


Comments: 0 | Reply

Thursday October 3, 2013

It’s all about the reps

By Ray Barry, Chief Shreducation and Member Relations Officer

In sports, life and business, there is a pretty simple rule: the more we do something or the more time we spend learning something the better we get at it. Repetition is the key to retaining knowledge or to improving a skill. Something a baseball coach told me a long time ago that still sticks with me today is, “Ray, there is a simple rule, no one gets good at anything, without repetition. Now hit the bench.” It’s definitely true in baseball, golf, or any other sport but it is especially important in business and sales.

How are you doing your reps to get better at what you do or retain knowledge to make your business more profitable? According to an article in the Harvard Business Review, only 10 percent of the population has what’s called “the learning mindset.” These are the people that seek out and enjoy learning. Coincidentally, they are also the top 10 percent in their industries. The other 90 percent of the population will not look to improve their skills unless it is part of their job requirements. This is probably the reason there is mandatory continuing education for accountants, doctors, lawyers, etc. Could you imagine going to a doctor or lawyer that hasn’t learned anything new in the last 20 years? Yikes!

Our industry is one where there isn’t mandatory training. It’s a choice that you, the information destruction professional, must make to sharpen your skills and tools to enhance your resources to become the most productive you and your company can be. As my baseball coach said years ago, “You can’t get good at anything just by doing it once; it’s all about the reps!”

You can’t lose weight after one workout session. You can’t hit a curveball by taking one swing a week. You can’t hit three pointers in basketball by shooting hoops once a year. You can’t shoot an 80 on the golf course by playing once.

It’s hard to grow your business significantly without training yourself and your team. The real key to sustained growth and a master skill level is to train your staff members not only once but over and over so they retain more knowledge. Success will follow.

See you at Shred School or our new Continuing Shreducation Webinar Series! And, guess what? It’s not mandatory!


Comments: 2 | Reply

Thursday September 26, 2013

What’s your number: A strategy for publicity

By Bob Johnson, NAID CEO

I spend a little time in the Shred School workshops talking about the use of press releases to get publicity. Over the years, I have found that most secure destruction companies miss the opportunity to use them effectively due to a number of misconceptions.

  1. They aim at the wrong target.
  2. They don’t properly frame them as news.
  3. They don’t feel they have anything that is newsworthy to report.

Neither time nor space permit a full exploration of these issues but I want to share a trick I learned long ago that can help you with the first two points above. It’s called “What’s your number?” Here’s how it works. All businesses have their number. It could be you added your fifth mobile truck. It could be that you shredded your one millionth pound of documents. It could be your tenth year in business or you served your one thousandth customer.

Properly framed, your number can be positioned as newsworthy, making it more likely to be seen by media outlets, especially local news outlets and industry buying groups (e.g., local ARMA, ASIS, IFMA chapters). It’s a way of promoting your success without appearing too self-promotional.

Now that does not mean your number allows you to publish a release that is blatantly self-serving. In fact, editors quickly dismiss releases that are primarily promotional. Something like “ABC Shredding, the largest and most reliable data destruction service in the city, destroys its one millionth hard drive,” will be summarily tossed. However, something like, “ABC Shredding destroys its one millionth hard drive, as electronic media disposal becomes an increasingly important issue,” is far more likely to be seen as news worth reporting. The rest of the release would then focus on the problem of improperly discarded computers.

No organization gets all their press releases published. However, distributing press releases still has a good payoff, too good to be disregarded.


Comments: 0 | Reply

Thursday September 5, 2013

Is your competition giving you the weapons you need to prevail?

By Bob Johnson, NAID CEO

Reading Sun Tzu’s “The Art of War” became popular in business management circles in the 1990s. You still hear it referenced today, though certainly less often. The thinking at the time was that the 3,000-year-old treatise on the conduct of war had keen insights for competition in the business world. I can’t say I completely agreed but I have recently come to appreciate at least one of Tzu’s observations.

Among the book’s basic tenants was the principle that your enemy will provide you with the instrument by which you will defeat them. As you would expect, I have talked to a lot of NAID members throughout my career. Sometimes they’re calling to discuss their difficulties in attracting new business or getting the customer to take destruction seriously. As we briefly brainstorm solutions I’ll ask if they are writing articles in the local ARMA or ASIS chapter newsletters, advertising in those same publications, or serving on their boards. I’ll ask if they have tried setting a goal of speaking to at least one business group in their metro area every month. We discuss the depth of their industry-related network of associates in the moving business, office furniture, management consulting, or the dozens of other local professionals that can help them. 

As you may have guessed, those members asking for help usually are not doing these things (or any of the other half a dozen simple network building activities they should be doing). I don’t say that directly but they get the point. I am very bullish about the opportunities in the secure destruction industry precisely because most service providers still seem unwilling to do the necessary networking activities. This leaves the door wide open for those who are willing to do it. The only question is, will you accept the weapon they are giving you?


Comments: 0 | Reply

Thursday August 22, 2013

A message to consumers about misleading marketing claims

By Bob Johnson, NAID CEO

I’d like to think the increasing regulatory liabilities for data protection would make customers less susceptible to misleading or false marketing claims but the truth is it hasn’t.

That’s a frustrating realization but it understandable. The fact is that as demand for data protection solution goes up, competition intensifies. At the same time, customers in need of solutions are looking for reassurances that they have a reliable solution, making it difficult to detect false or misleading claims. Of course, the irony is that the company capitalizing on the false claims is exactly the type of company to avoid. False or misleading claims are the red flag and, in backwards way, create a compelling reason for eliminating those firms from consideration.

Here are some of the questionable or false claims found on a recent Internet search:

  • U.S. Department of Defense (DOD) certified
  • National Institute of Standards and Technology (NIST) certified
  • Health and Insurance Portability and Accountability Act (HIPAA) certified
  • North American Shredding Association (NASA) certified
  • U.S. Environmental Protection Agency (EPA) certified

Always verify! The safest and most prudent policy is to validate any and all certification claims made by a service provider.

  • Do they really have the certification in the first place? Unfortunately, some providers claim to hold certifications they don’t actually have.
  • Is the certification itself real or meaningful? There are a growing number of certifications that have no substance offered by opportunists looking to capitalize on consumer confusion. It is wise to make sure the certification is offered by a reputable organization with a solid track record. In addition, consumers should make sure the certification requires ongoing audits and unannounced audits. Believe it or not, some vendors simply make up the certification. As I wrote earlier, there is no DOD certification for data destruction, shredding, or electronic destruction operations and, yet, you can find such claims on many websites.

Data protection regulations are clear; organizations have a responsibility to ensure their data-related service providers are qualified. Doing so includes making sure the vendor’s certifications are legitimate as well.



Comments: 0 | Reply

Friday August 9, 2013

At NAID, the door is always open

By Bob Johnson, NAID CEO

With NAID member locations nearing 2,000, I am sure it won’t surprise anyone to learn that between emails and phone calls, I personally communicate with scores of industry professionals every week. And, even though colleagues and consultants have told me that being so accessible in an organization of this size is not the norm and a big drain on time, I have insisted on answering my own emails and taking (or returning) every call for me without a gatekeeper. Once in a while someone will even say “I never expected to talk to you directly.”

Would members understand if I did filter my phone calls and emails? Maybe, maybe not. For me, that is not the real issue. I view those calls and emails, whether they are compliments, complaints, suggestions or questions, as invaluable insights into our members’ world.

And, it’s not just me that feels that way. NAID board members, both officers and directors, feel the same way. They don’t get as many NAID calls and emails as I do, but they sure appreciate it when they do.

There is no reason for any member to feel uncomfortable or bothersome when they want to talk to me or a NAID board member about an issue that concerns them or a question they have. It is not just an obligation, it is our privilege to get those calls and emails. And, as for such interactions being a burden; nothing could be further from the truth. Members are doing the industry a service when they reach out to discuss such issues and questions arising in the trenches. 

My direct line is 602-788-6243, ext. 2001, and my email is Contact information for your elected board members is on the NAID website. So, don’t be shy and don’t be a stranger. NAID is here because of members’ support and its board of directors and staff are here to support you. We appreciate and value your input greatly.

Comments: 0 | Reply

Tuesday July 30, 2013

The NAID Board of Directors is you

By NAID President Tom Huth, Allshred Services, Inc.

As NAID president I have the opportunity to talk to a lot of members. For the most part, I am encouraged by the feedback I receive. Even when a member calls with a complaint of some kind, generally their criticism is constructive and they are supportive of the association’s work.

One thing I have noticed, though, is that members sometimes seem to forget that the NAID Board of Directors are, by and large, people just like them with the same issues and concerns. When we approve something, we have to live with it too, and it will affect us exactly the same way as it affects other members. So, on the eve of the NAID Board of Directors annual meeting tomorrow, I thought I would share the demographic of the board as it stands today. The 12 voting NAID board members include the following:

  • Five offer mobile-only services
  • Three offer both mobile- and plant-based services
  • Five offer only plant-based services
  • Eleven of the 12 board members eligible to vote are private, independent operators facing the same issues, challenges, marketing threats, and motivations as 99.9 percent of all NAID members

We volunteer our time and are subject to the rules we approve. Our sole motivation is to do what is best for the industry and organization. To think otherwise defies common sense. Here are the details:

  • I am the Vice President of Operations for Allshred Services, Inc., a private, regional, independent company in Maumee, Ohio. We offer plant-based and mobile destruction services.
  • My colleagues on the board include:
    • Scott Fasken, NAID’s past president, owns Colorado Document Security, a mobile-only service provider based in rural western Colorado.
    • President-Elect Chris Isabell owns iSecure, a mobile-only service provider in Grants Bend, Ore.
    • Treasurer Steve Richards owns Richards & Richards, a full-service, records management firm in Nashville, Tenn., that offers plant-based destruction services.
    • John Mesrobian, NAID secretary, owns Loss Protection and Investigations, Inc. in Fresno, Calif., offering both plant-based and mobile destruction services.
    • NAID Director Angie Singer Keating is a partner and CEO of Reclamere, Inc., which is located a central Pennsylvania and offers a range of electronic data protection and destruction services.
    • NAID Director John Anderson owns Shred 360. It is based in the Carolinas and Georgia and is a mobile-only data destruction service provider.
    • Renee Keener is a NAID director who owns American Document Securities, Inc. based in Carrolton, Ga., and offers plant-based destruction services.
    • NAID-ANZ Director Tony Tanti operates a plant-based secure destruction service in Sydney, Australia.
    • NAID-Canada Director Kevin Perry runs a mobile-only destruction service in St. Johns, New Brunswick, Canada.
    • NAID-Europe Director Grahame Watson runs a plant-based destruction service based in the U.K.
    • NAID Director Don Adriaansen partner and co-founder of Titan Mobile Shredding in Pennsylvania, which is a mobile destruction company. (See the comment below.)
    • NAID Director Mike Massaro is Vice President of Transportation and Shred Plant Operations for Iron Mountain, which offers records management services, including plant-based and mobile destruction.
    • NAID Vendor Liaison Paul Garfunkel of Intek Truck and Equipment Leasing is the vendor liaison to the NAID board and NAID CEO Bob Johnson is an ex-officio member of the board. Neither Paul nor Bob are eligible to vote.

Having worked on the NAID board now for more than four years, I can honestly say the professionals I have worked with are extremely conscious of how their decisions impact members and the integrity of the industry. After all, they are affected by those decisions like everyone else. They are you.


Comments: 1 | Reply

Thursday July 25, 2013

If not NAID, then who?

By John M. Mesrobian, J.D., C.P.P., C.F.E., C.I.P.P.

Recently, there have been a few events that remind us of the important role NAID plays in the marketplace.

Readers may have already heard that NAID’s leadership opposes flow control legislation in a New York county that’s attempting to divert all business wastepaper to the county’s recycling centers. This law completely disregards other data protection laws and the principle of free trade. As a result, the NAID Board of Directors dedicated considerable economic resources as well as written arguments, appealing to the courts to reconsider their support of the misguided law. In making this stand and addressing it quickly, the NAID board wanted to make sure flow control would not spread across the country.

The NAID board acted because that is what trade associations do. They direct their consolidated clout, both economic and subject matter expertise, to defend and promote the interests of their industries. Of course, this can only happen when there are resources and industry expertise to use. Fortunately, NAID receives a sufficient level of support from its members and the industry to engage in these activities. Its non-profit, trade association status gives its members the authority to aim those resources where they can do the most good.

In a variation of this concept, the NAID staff headquartered in Phoenix, Ariz., offers similar benefits to members who have an immediate need for industry expertise and credible influencers to specific situations. It is not uncommon for NAID staff to provide guidance directly to members and consumers when confusing or false information in the marketplace causes marketing or compliance problems. Access to this type of guidance has prevented many members from losing accounts and save customers from making bad decisions. Without the industry’s ongoing support of NAID, members and consumers with these questions would have nowhere to turn. 

Further, if it were not for NAID, who would be holding members accountable? It is a remarkable thing when an industry comes together with the expressed intent and agreement to hold each other accountable for their behavior. It is a responsibility that the NAID Complaint Resolution Council (CRC) and the NAID Board of Directors take very seriously, and is often viewed as the association’s primary directive. Of course, this ambitious goal, requiring elaborate and intense due process and formal procedures, is not easy to do. The volunteer members of the CRC and board, the vast majority of which represent the average NAID member, have resolved hundreds of problems over the years and remain the only credible mechanism for members to deal with such issues in the marketplace. No, it’s not perfect. But it remains an effective and important role for NAID, a role that would go unfulfilled if the organization were not here to do it.


Comments: 0 | Reply

Thursday July 11, 2013

Throwback Thursday

By Kristina Carlberg, NAID Director of Communications

Next month will mark the one-year anniversary of NAIDnotes. At the beginning, this blog was started to give a voice to NAID and the industry it serves and put a face to the professionals who are solving problems and handling secure destruction issues every day. Over the last year, it has evolved into a library of valuable information and insights that gives context to those issues and offers solutions to those problems. And, as NAID, its members and the industry continues to grow so will the importance of discussing these issues. The NAIDnotes audience can count on an engaging, informative post once or twice a week, making it a consistent, reliable source for expert opinions, NAID information, industry news, tips, and best practices. So where was NAIDnotes a year ago? Well, here are the first two posts in NAIDnotes. My how the time has gone by!

August 7, 2012 – Welcome to NAIDnotes

According to, a “blog” is a website containing a collection of writer’s or group of writers’ own experiences, observations, opinions, etc., and often having images and links to other websites. Read more

August 9, 2012 – Remembering what NAID is all about

NAID has one mission: to promote the proper destruction of discarded information by outsourcing to a qualified service provider. That’s it. In service of that mission, NAID engages in a wide range of activities such as producing publications, holding conferences, commissioning research, speaking at industry events and advocating for regulations. Read more


Comments: 0 | Reply

Wednesday July 3, 2013

NAID’s CEO names his favorite blog entries

By Bob Johnson, NAID CEO

Having reached the midpoint of 2013, I thought I’d use this time to point out some of my favorite blog postings from the past six months. With over 50 to choose from, it was not an easy task because it was like choosing between my children.

We have also heard from many guest bloggers over the last six months, all of which have made great contributions. Here are just a couple posts I enjoyed but I could have easily listed all of them.

But rather than take my word for it, why not check out all the titles in this year’s NAIDnotes. You will undoubtedly find many worth reading and many that will help your business. And, if you like what you see, go wild and check out last year’s blog posts as well.


Comments: 0 | Reply

Thursday June 27, 2013

What if NAID had been an institute instead of an association?

By Bob Johnson, NAID CEO

Way back when the idea of creating a secure destruction industry organization came about, I originally envisioned it as an institute rather than a trade association. The idea was that industry participants would contribute to a non-profit institute, which would use those contributions to fund research, raise awareness of the importance of destruction, and lobbying government for stronger data destruction laws. Actually, “stronger” is the wrong word. The right word would be “any.” Back then, there were no such laws on the books.

It was apparent very early in the planning that the institute idea was a little too conceptual to get any traction. The founding members moved forward with a conventional trade association approach, creating a non-profit organization that was owned and managed by its members. It was actually quite an easy thing to do. In fact, I filed all the paperwork myself for a few hundred dollars.

As an association we, of course, held the obligatory conferences, created committees, and developed standards like any other trade association does. And, the good part was that people were comfortable with this approach. They were familiar with trade associations, and conventions, and all the other stuff that goes with running an association. Had I been allowed to proceed with the institute idea, I am sure it would have fallen flat.

The ironic thing is that we ended up in the same place. I sometimes worry that members lose sight of the fact that NAID has always spent a significant portion of its revenue conducting research, doing studies, handling government relations and promoting its principles to policymakers and decision makers around the world. Of course, that is as it should be, and that’s the beauty of the non-profit structure.

I am proud to say of all the organizations that have come and gone in the industry, NAID above all others has put its money where its mouth is. I truly believe it is that purpose-driven mission that has resulted in any success NAID and its members enjoy today.

Comments: 0 | Reply

Thursday June 13, 2013

Compliance and data security are not the same things

By Bob Johnson, NAID CEO

On Tuesday, I described how privacy and data security, though often thought of interchangeably, are two distinct and separate concepts. Today, I will show how data security and regulatory compliance, concepts often thought of as synonymous, are actually significantly different as well.

For instance, if an organization destroyed their discarded paper records using a conventional strip shredder and then tossed the bagged shreds into the dumpster behind their building, they would be in compliance with the data protection regulations. You see, the regulations say they have to take reasonable steps to prevent unauthorized access (under HIPAA and GLB) or to destroy the paper before being discarded (under FACTA and Reg. S-P). The key phrase is “take reasonable steps,” otherwise known as the “Reasonableness Principle.” Even though most readers of this blog realize tossing shredded material does not provide data security, it would be hard to say they did not take reasonable steps to prevent unauthorized access or destroy the material, as the regulations require.

As industry professionals, we realize shredding material in the office and tossing them in the trash only tell the bad guys what to take and, in fact, lessen the security. But the reasonableness standard is not determined by what the experts think; it is determined by what the proverbial reasonable man would think. Keep in mind, even the FACTA Final Disposal Rule advises that shredding material prior to disposal would be considered reasonable.

Why is this distinction important? It’s important because when a client makes a decision on any destruction process, they confuse compliance and data security as the same issue. Their selection of a particular process for destruction, or a particular vendor, could be markedly different if they understood the difference.

Comments: 0 | Reply

Tuesday June 11, 2013

Privacy and data security are not the same things

By Bob Johnson, NAID CEO

When I address an audience of privacy professionals, especially an international audience, I often point to the fact that the U.S. has the strongest data protection regulations in the world. In such occasions, I get two reactions: confusion, as if they are struggling to understand how I could possibly be so misguided or blatant disagreement. The issue is usually resolved quickly, as I point out the difference between strong data protection laws and strong privacy laws.

Over the last decade there have been many more costly fines assessed to organizations allowing private information to fall into unauthorized hands in the U.S. compared to anywhere else in the world. Data breach notification laws are on the books in 48 of the 50 states and, under HIPAA since HITECH, the country now has a strong national health data breach notification law. Europe, Canada and Australian do not. Sanctions, fines and breach notification laws indicate a high regard for data protection.

Developed regions of the world have stronger privacy laws, there is no doubt. In the U.S., if I want to require you to give me your shoe size before I sell you a sandwich that is my prerogative. In regions that originally concentrated on privacy, it is illegal to collect information that is not necessary to the transaction. In the U.S., I do not have to inform you that you are under CCTV surveillance in my store. In Europe, I must inform you. These different approaches are the reason for the misconceptions about data protection and privacy.

Current U.S. data protection laws are strong because of the ongoing specter of identity theft, not privacy. Breach notification requirements do not protect your privacy, they warn you to be on the lookout for fraud. On the other hand, laws such as the Patriot Act in the U.S., drive the international privacy community nuts. In many cases, the privacy laws of other countries will not allow them to do business with U.S. organizations. My guess is that the recent fallout from the National Security Agency monitoring all international Web browsing going through a U.S.-based network will have many privacy-centric countries asking a lot of questions.

The evidence is clear, while the U.S. has inferior privacy regulations. However, when compared to other developed nations, it has a much stronger data protection regime in place. With revelations such as the cellphone and Internet monitoring over recent days in the U.S., I am guessing privacy may get a little more focus. And, with identity theft increasing dramatically in all developed nations, data protection laws will undoubtedly become more intense.



Comments: 0 | Reply

Thursday June 6, 2013

A message that’s ready for any business group

By Bob Johnson, NAID CEO

In preparing to serve as Friday’s opening speaker at the Ontario Occupational Health Nurses Association’s (OOHNA) Keeping Workers Well event, it occurred to me how far the issue of proper disposal has come over the past decade. Most of the other sessions revolve around the quality of care issues and working within the country’s health care insurance regime; topics that are typically found only at occupational health care conferences. In fact, of all the sessions, proper data disposal is a topic that could be presented to any group of business people. I could just as easily be opening for the Association of Baltimore Apartment Owners or the California Association of Pizza Franchise Owners. Don’t get me wrong, the need for proper data disposal advice is not new. What’s new is the fact that these groups are starting to realize its importance. And, they are more than just curious, they are interested and concerned.

It has been said that success is when preparation meets opportunity. Are you prepared to meet the opportunity to provide this expertise in your area? It is certainly not too late.



Comments: 0 | Reply

Tuesday June 4, 2013

Is it time for a new sales strategy?

By Bob Johnson, NAID CEO

At one point in my career in the secure destruction industry, before NAID, I made my living as a consultant. One of the proudest moments in my life came when the largest company in the industry at that time, Document Services, Inc. (DSI), in Detroit, Mich., hired me for a turnaround in their Atlanta, Ga., facility. Founded in 1961 and operating in six cities, DSI was a direct competitor of mine before I struck out on my own so they had firsthand experience of my work ethic and effectiveness. They also knew that I did not compete on price. Therefore, I considered it a badge of honor when they sent me into a tough situation.

However, there was another reason I was excited to work with DSI. As the largest secure destruction company in the U.S. at that time, I was expecting to see behind the curtain. After all, I thought, they must have some secret sauce after 30 years in the business (this was 1991). Imagine my surprise when I learned that they had no sales training or sales methodology at all. On the first day of work, the salesperson was issued a telephone book, a call report sheet and a handshake. They relied solely on eight hours of smiling and dialing. It was at that moment I started writing a sales training manual specifically for the secure destruction industry.

As I sit here today, I can’t help but wonder how many NAID members are operating under that same sales strategy. Or worse, having given up on outbound sales, they wait for the phone to ring or buy leads from an Internet marketing firm. With the right perspective, outbound sales efforts are still very important but they need to be nested in an environment constructed to support that activity and to drive traffic to the organization. Incoming service inquiries are great if they are specifically looking for your services but they are a waste of time if they are just calling for a price. 

I am really looking forward to the upcoming NAID Shred School workshops. Though they will not focus on sales and marketing exclusively, every bit of the information conveyed in the workshops plays a role in an organization’s success. I sincerely hope readers take advantage of this program. If one is not currently scheduled for a city near you or if the workshop near you is sold out, please be patient. More are dates and locations are coming soon.


Comments: 0 | Reply

Thursday May 30, 2013

The NAID management team expands

By Bob Johnson, NAID CEO

Today it is my pleasure to write a little about the NAID management team and its latest addition, Michele Goodman. Michele joins Kathy Goldman as the second member of our accounting staff. When Kathy joined NAID six years ago as the only member of the accounting department, NAID membership was about half the size it is today. Getting her some help was long overdue.  

In the end, given the complexity, growth and opportunities that lie ahead of NAID, the executive members of the NAID Board of Directors decided the association would benefit the most by adding someone with a relatively high level of experience and financial acumen, which is exactly what Michele brings to the table.

NAID is a mission-driven organization and is generally held in high regard on that front. It also needs to be a data-driven organization, making sound strategic decisions based on the fiscal realities. I am proud to say we have always approached it that way. Also, I am proud to say we will continue to do that with the addition of Michele.


Comments: 0 | Reply

Tuesday May 28, 2013

Knowing desired outcome is critical to preparing properly

By Bob Johnson, NAID CEO

My commute from home to the NAID headquarters office is an enviable three miles and usually takes less than seven minutes. For the next two years, however, my typical route down 19th Avenue is one big construction site as they prepare to extend the Phoenix light rail four miles north. They are about four months into the project and – despite the obvious inconvenience – I have enjoyed watching the project unfold.

One thing I noticed is that most of the current activity does not show obvious signs of a light rail structure. There are a lot of holes in the street into which a half a dozen different-sized pipes are being laid. In fact, if I did not know the original light rail project that Phoenix residents approved several years ago would eventually extend into my neighborhood, I would never be able to guess what the end result will be just by looking at the construction activity.

But I do know the end result and I trust that everything they are doing is now aimed directly at that result. This construction activity reminds me of what is too often missing in how I pursue my goals: a vision of the result and how to proceed with the planning and preparation stages that should follow. Without a clear understanding of the result I want, I cannot create a plan or make preparations to accomplish my goal. And, ultimately, I do not get where I want to go, on light rail or by any other form of transportation.


Comments: 0 | Reply

Thursday May 23, 2013

It takes a lot of industry professionals for NAID to work

By Bob Johnson, NAID CEO

For better or worse, it is appropriate to consider NAID an industry institution, which is a good- and bad-news situation. The good news is that the organization carries enough credibility and momentum to ensure its ongoing relevance. The bad news is that institutions are often viewed as distant organizations that are disconnected with reality and the needs of those it governs. The problem is, though it may be understandable, nothing could be further from the truth for NAID.

One look at the scores of industry professionals involved in the leadership (the boards and committees) of the organization and it is apparent that it is run by people who overwhelmingly share the same issues, concerns, and challenges of the average member. This is especially true of the Board of Directors. Only one of the 11 voting seats is occupied by a large firm representative. Also, NAID is fortunate that no single company represents more than about two percent of its revenue.

So, while people may think of NAID as an institution where members do not have control or representation in its management, nothing could be further from the truth. Lastly, I can confidently say that neither I nor any board member has ever turned down a call from a member wishing to air his or her opinion. When that happens, as it often does, the issue generally makes its way on the board agenda where the issue can be addressed.



Comments: 0 | Reply

Wednesday May 22, 2013

When bragging is a good thing

By Bob Johnson, NAID CEO

I am betting something has happened at your organization in the last couple of months that was worth bragging about. Maybe your company had its 5th anniversary. Maybe it shredded its one millionth pound of records or its 10 thousandth hard drive. It could be that you added a new sales person or operations manager or added a new truck (with the latest and greatest technology, of course). It does not matter what it was. I promise that if we spoke for 10 minutes, you would find something worth crowing about.

I have another bet to go along with the first one. I am also betting that whatever milestones or event happened at your company recently, most of you let it pass without claiming your bragging rights. There was no press release sent to the local business journal, ARMA chapter, chamber of commerce, ASIS chapter or IFMA chapter newsletter.

I would be delighted to be wrong and kudos to you if you have taken advantage of those opportunities. Why doesn’t your company do more bragging? I am sure there are many reasons. It could be that everyone is too busy doing more urgent things. It could be that it contradicts your personal sense of humility and modesty. It could be that you are not used to thinking in those terms. Whatever the reason for not doing it, it is hogwash. Do it. Brag away. Of all the characterizations for the “times” we live in, the one I like best is the “attention economy.” People with no talent are celebrities just because they command attention. Your company actually has a talent, or rather a value. It deserves any attention it can attract.

One press release is not a silver bullet. All your publicity together is not even a silver bullet. However, mixed in with all the other elements of your sales and marketing efforts, it can sure improve the results over time.

Comments: 0 | Reply

Thursday May 16, 2013

Inclusiveness is critical ingredient to NAID’s success

By Bob Johnson, NAID CEO

In Tuesday’s blog post, I wrote that one of the ingredients to NAID’s success, or any association for that matter, is the appropriate corporate structure and status as a non-profit 501(c)(6). It is the only way to ensure transparency, member control and fiscal propriety. This ingredient is a must for a credible organization. Today, I want to talk about an ingredient for NAID’s success that might not be so clear to some people: inclusiveness.

Ideally, associations are created to serve a purpose. In NAID’s case, it was to increase the outsourcing of information destruction services to reputable service providers. Recently, I wrote about the history of NAID’s founding (to appear in the spring NAIDnews) where I listed the six firms that came together for the first NAID planning meeting. The year was 1992 and there were only a few mobile services. As a result, the companies represented were plant-based for no other reason than I did not know anyone in the mobile destruction business at the time. When the discussion turned to member qualifications, many restrictions were considered. Everyone at the meeting competed with recyclers, which was not used as a term of endearment. During the brainstorming it was suggested that only dedicated secure destruction companies be admitted. Then someone asked a question, “Why should we assume that just because a company operates a recycling company they cannot also offer high quality destruction services?” Just because we knew a lot of bad apples did not mean they were all bad apples. In fact, reputable recyclers who were offering legitimate secure destruction services would surely get behind an industry association. Another representative brought up records storage companies. Sure, there were some who were charging for destruction and then selling the paper without having it shredded. But there were a growing number that were actually providing the service directly. There was even a short-lived discussion about whether NAID should be an association to promote plant-based services in the face of the growing mobile trend. While quickly dismissed, this example shows how new associations can lose their way.

Obviously, none of these exclusion provisions survived and NAID stayed true to its purpose of increasing the awareness of the importance of secure destruction and vendor qualifications. Had the organization been more finely focused on a particular service platform (mobile or plant-based), its credibility in the industry and with customers would have been undermined. Just ask the American Mobile Shredding Association, a short-lived association in the late 1990s.

By not fighting for a particular business model and staying focused on education and standards, NAID avoided the internal industry squabbling that otherwise would have fragmented the industry. Industry professionals agreed then that what we needed education and standards and it remains the same today. As a result the whole industry, with small exceptions, has supported NAID and its mission around the world.


Comments: 0 | Reply

Tuesday May 14, 2013

Why NAID’s structure is critical to its success

By Bob Johnson, NAID CEO

Although most members are not aware of it, four or five other industry trade associations have been attempted to share the same space as NAID in the past 20 years. To date, none have been successful.

When reflecting on those failures, one of the leading reasons is that founding members of those associations did not establish any legal structure. When NAID was created, the founding members understood that it had to be a non-profit, 501(c)(6) corporation that would be under the total ownership and control of its members. Legally, every NAID member is an owner and no single person or entity owns it otherwise. 

This legal structure is important for a number of reasons including transparency, control and the legitimacy of its mission and existence. First, there can be no credibility with potential members if they do not have ultimate and total control of the organization. Why would they invest in an organization that someone else would ultimately have control? Second, there is a clear conflict of interest if NAID were a for-profit organization. Any money that is raised from the association’s efforts should go to promoting the industry not into someone’s profit margin.

To look at it from the other side, an organization that portrays itself as an association but is not formed with non-profit, 501(c)(6) trade group status is attempting to fool the public by masquerading as an association. No member would benefit from being associated with an organization that is misrepresenting what they are to fool the public.

It is impossible to say whether we have seen the end of people trying to profit from pretending to be a trade association when they are actually a for-profit business. The best way to avoid being fooled is to make sure they post their bylaws that detail their legal structure. Also, any such organization should clearly define its bylaws, governance and structural elements as well as publicize the names of board and staff members. 

On Thursday, I will outline the second ingredient of NAID’s success.



Comments: 0 | Reply

Thursday May 9, 2013

Shred event liabilities are worth considering

By Bob Johnson, NAID CEO

In Tuesday’s NAIDnotes post, I tried to delineate the evolution, relative merits and divergent perspectives on shred day events. Today, I’d like to delve into the liabilities related to such event, some of which are often overlooked.

As long as this blog is, it provides only a summary perspective on liabilities associated with shred days. I am sure some will see this post as intended to discourage such events. That is not necessarily so. It is designed to make members think about issues they may overlook. But it is also my way of saying, “Look, if you are going to offer these events, conduct them as a professional.” That means you are aware of the liabilities of all parties to the event and that you do what you can to limit them.

Of course, the nature and extend of the liabilities of shred days or e-scrap take-back programs are varied and dependent upon the circumstances of the event. Those liabilities, whatever the circumstances, fall into two basic categories: liabilities related to the fiduciary responsibility inherent in handing others’ personal information and liabilities related to holding an event in a public, uncontrolled environment. In the latter case, the event-oriented liabilities revolve around crowd/traffic control and personal injury. What if cars back up into the street and an accident results? It could be argued that someone should have anticipated this and arranged for traffic control by the local police. And, further, the failure to do so caused the accident. We all know the ambulance chaser is going to name everyone who is a party to the event. While it would have been prudent to establish responsibility for such issues in a contract with the property owner and event sponsor, that contact is not going to keep your company’s name out of the lawsuit. That said, I do not get the sense that secure destruction services offering these event are executing the advisable contracts and indemnification protections required.

The only intimate involvement NAID ever had with shred day events was a decade ago when we coordinated a national event in partnership with OfficeMax. NAID held itself to a relatively high standard of protection for that event, including an elaborate contract between NAID and OfficeMax. Separately, NAID and OfficeMax had contracts with each property manager/property owner of the hundreds of shopping centers involved. NAID also obtained releases from every member participating, which included a requirement that NAID and OfficeMax be named “additionally insured” on a certificate of insurance issued by the member’s general liability insurer. Also, NAID required members participating in the event to use a specific receipt with each person delivering material for destruction, which held the member and all other event sponsors harmless from the general liability issues as well as the data-related liabilities.

That brings us to the second major category of liability: unclear and/or unspecified acceptance of fiduciary responsibility and transfer of custody. No one should ever consider taking boxes of records from a paying B2B client with no paperwork, no clear transfer of custody and no clear acceptance of fiduciary responsibility. It would be legally untenable, borderline negligent and demonstrate a flagrant disregard for regulatory requirements. Unfortunately, it appears to me that many shred events operate that way, as do most electronic take-back programs. Ok, these are not businesses. And, I understand they are not paying for it. Still, it so far out of line with the proper way of accepting regulated personal data, it is hard to defend that approach.

A better approach is to create signage and a document that establishes liability limits, harmless agreements, and responsibilities. Further, such agreement should have language stating the participant understands and accepts there is no way for the service provider or the participant to establish what was or was not in the materials that were destroyed, and that being the case, any right to claim to an item was not properly destroyed would be baseless, unreasonable and, therefore, is forfeit. Also, acceptance of materials at a shred event does not fall within the requirements of NAID Certification, meaning NAID Certified members involved in such events are require to post notice or provide disclaimers to participants stating that the service provided is not NAID Certified.

Comments: 0 | Reply

Tuesday May 7, 2013

How free shred days have evolved and how they haven’t

By Bob Johnson, NAID CEO

Free shred days have become a polarizing issue in the secure destruction arena. For anyone outside the secure destruction industry, these are events, usually on a weekend, where the public can bring a reasonable amount of confidential records to a collection point and have them shredded at no cost. Shred days have been around in the paper document industry for more than 20 years but now they are also common, maybe even more so, in the electronics area where consumers are encouraged to drop off old computers at community take-back events.

Years ago when secure destruction services were still uncommon, we viewed shred days as a way to expose people to the concept, thinking they would then hire the service when they needed it for their businesses. This was the logic used when NAID coordinated national events with OfficeMax and the Better Business Bureau. Member companies participated in these events for the same reason and also to brand their services.

Over the last 10 years, businesses have become far more aware of the availability of commercial services. Such events are no longer necessary to expose the concept of outsourcing secure destruction. However, that doesn’t mean shred days can’t be used to promote a specific company. Exposure gained from a shred day, whether it is limited to those who drop off material or print or broadcast media coverage, can be very helpful. For better or worse, I get the sense that free shred days are no longer as attractive to local broadcast media as they once were.

More recently a new trend in shred days has emerged. In this new scenario, there’s a commercial sponsor, such as credit union or bank branch that pays the service provider to give free shredding services to consumers. In this case, the service provider gets a fee, hopefully more than the cost of expenses, and some exposure to consumers who attended the event. Of course, they also build loyalty with the event sponsor, who is most likely a paying customer. 

Opinions vary widely varied about the impact of shred days or electronic take-back events. Those who still promote them obviously feel the cost is worth it. Those who are sponsoring them are responding to the needs of their customers and may actually be truing a profit. Also, there are service providers who vehemently oppose the concept, stating that it devalues the service. By offering destruction for free, it sends the wrong message to all customers and, therefore, undermines the industry’s ability to charge a fair price. Obviously, every service provider has to make their own decision. In reality, however, the decision to offer the events affects every service provider in their market.

In Thursday’s blog, I will discuss some of the liabilities and subtleties of shred days that are often overlooked.

Comments: 0 | Reply

Thursday May 2, 2013

The days of worn shoe leather are over

By Bob Johnson, NAID CEO

I was recently thinking about how much the B2B sales have evolved over time, probably prompted by my fondness for the TV show “Mad Men.”

Remember three-martini lunches? Most of you are too young for that. What about when contacts were rewarded with extravagant gifts and exotic trips? Or when people stayed at the same company, sometimes in the same job, for an entire career? Remember the time when a contact shopped for a new service and it required them to get out a big yellow book, leaf through the pages, and individually dial up every competitor. Or when the proudest badge a salesman displayed was his worn out shoe leather? There was a time when a salesperson actually took pride in bragging that he/she could “sell an ice cube to an Eskimo.” I remember when using blast faxes was a sign of cutting edge marketing? I am not too proud to admit I did blast faxes.

Nowadays your contact or prospect for an account changes every six months. Or your contact is not a single person but a committee. Now your contact can access every competitor in his/her vicinity. And, if they so choose, they can learn as much as you know (or more in some cases) about data destruction by spending 30 minutes on the Internet. If you call or arrive unexpectedly, without some kind of introduction, you are an unwelcome intrusion.

My sense is that most secure destruction service providers know the old way of selling does not work anymore, so they don’t do it. On the other hand, because they are not quite sure how to execute the new ways of selling, which will attract new business, they don’t do that either. Or, if they are, they are randomly or sporadically doing it, which is not much better than nothing. If you find yourself in this situation, the only thing you can do is wait for the phone to ring or for the RFP to arrive in the mail.

I hope I am wrong. I know some members offer value first, distribute e-bulletins, become the local experts in their field, hold their own educational events, embrace social media and content marketing, and give presentations in their markets. That’s what the new selling looks like. Please take heed if you have not already.


Comments: 0 | Reply

Wednesday May 1, 2013

Tough, unannounced audits critical to any security certification program

By Bob Johnson, NAID CEO

Of all the lessons learned over the 14 years of the NAID AAA Certification Program, the single most important lesson was the critical importance of unannounced audits.

Many will remember that we launched the certification program with three levels: “A,” “AA,” and “AAA.” The “AAA” used in the current program is simply a holdover from those early years. The two lower levels were eliminated in 2005 because the structure was confusing to customers. Also, many will remember that the association initially hired a national security contractor to conduct the audits. We switched to independently contracted, accredited security professionals when we determined they were able to offer a higher quality audit.

As valuable as those early lessons were, without a doubt, the most significant lesson we have learned over the years is how critical random unannounced audits are to promoting compliance. Yes, NAID started with the annual scheduled audit and we understood the limitations of announced audits at the time. Any company can be ready for an audit once a year when they know it is coming. We went in that direction because that is what we saw in other programs.

After a number of years living with this fallibility, NAID introduced random unannounced audits. As you might expect, the non-compliance issues discovered on unannounced audits were significantly higher. In fact, they were six times as high. So we doubled the frequency of unannounced audits and cut the scheduled audits in half. We also created the Certification Review Board (CRB) to monitor non-compliance incidents, recommended program changes and issued sanctions. As a result, over the past six years, the number and severity of non-compliance issues on unannounced audits has been reduced significantly.

As you can imagine, NAID’s experience calls into question any certification program that relies on scheduled audits to validate compliance. In an era when customers are in need of certifications to validate vendors’ qualifications, relying on scheduled audits or self-certifications is simply too low of a standard to set and misleading to the customer.


Comments: 0 | Reply

Thursday April 25, 2013

Why NAID doesn’t certify equipment or software

By Bob Johnson, NAID CEO

At this point, I am comfortable saying the NAID AAA Certification Program is a success. Don’t get me wrong, there is plenty of room for improvement, growth and acceptance of the program. But, I estimate that about 80% of outsourced secure destruction capacity in North America is NAID Certified, which is pretty darn good. However, I am quick to point out this success is far more due to the efforts of the companies promoting their certification than anything NAID has done.

Based on this success, NAID routinely receives inquiries from equipment manufacturers and software developers to certify their products. While the association is grateful and humbled by the idea that a NAID endorsement is considered a credible seal of approval, we can not do it and for good reason.

Proper secure destruction is a process not an event. From this perspective, it is completely inappropriate for a customer to select a vendor simply based on the fact that equipment or software is certified. The equipment could be doing exactly what is supposed to do but that is irrelevant if the employees are not screened or the doors are not locked. The software could be delivering the best sanitization in the world but it will not matter if the technicians are not properly trained or the quality control procedures are inadequate.

Certainly, it is appropriate to use equipment and software that are tested to verify they do what they are supposed to do. On the other hand, it is completely inappropriate for a customer to select a vendor simply because their destruction equipment or wiping software has been certified. As a result, NAID certifies the entire process, including employee screening, training and documentation, access control, operations, quality control, policies and procedures, and the specific equipment or software deployed at the individual location. Of course, you have to add that the program primarily relies on random unannounced audits, which is another critical element I will discuss in my next blog entry.

Comments: 0 | Reply

Tuesday April 23, 2013

It is not the work that counts most; it’s the body of work

By Bob Johnson, NAID CEO

As I set out to write this blog, as I have done virtually every Tuesday and Thursday for the last six months or so, I understand that only a handful of people will likely take the time to read it. This begs the question: Then, why do it? And, believe me, I have asked the question many, many times. I have come to learn that just about every blogger (or content developer) has to come to terms with this same issue. 

Persistence and credibility certainly come into play. Persistence is obviously critical to building a following. Very few blogs start off with a good following and history shows that time and consistency increase that following. Credibility stems from the fact that you continue to do what you said you would do. How would it look if we said we would have two blog posts a week but only did one or none? 

But there is another aspect of successful blogging that has only recently occurred to me. When someone recently asked me a question, I realized I had addressed it in a recent blog. As I reviewed the entries looking for the title to send her the link, I was blown away by both the number of articles and subjects I had covered. Surely, anyone looking at this body of work would conclude that NAID is truly the voice of the secure destruction industry.

So, while I still believe that having a large number of immediate followers of any blog is a worthwhile pursuit that may or may not develop over time, I am convinced that it is the long-term body of work that results from routine blogging that is the real benefit, at least for NAID.


Comments: 1 | Reply

Thursday April 18, 2013

Tools to make your social media job easier

By Kristina Carlberg, NAID Director of Communications

In the wake of two tragedies this week, I wanted to write a lighthearted post, something that could inspire creativity and improve business processes. This post is for social media novices and influencers looking for ways to stay ahead of the curve. This post is for businesses just starting to make their mark in the social media world and for those that are branding behemoths.

Since the rise of social media platforms in the early 2000s, hundreds of software developers have created tools that integrate social media platforms with various communities and technologies. There is a community, social media platform and tool to connect them to just about every topic, problem and person. Here are just a few that I have experimented with or researched recently with viable business applications:

HootSuite: According to Mashable, 20 percent of the top brands use HootSuite as their preferred management system. HootSuite is an online social media dashboard that helps individuals and businesses schedule messages, monitor conversations and track results across multiple social media platforms. Users can chat with other users in the dashboard, create Storify posts, and upload Instagram profiles among other things. Pricing for this tool depends on the size of your organization, your marketing and advertising goals and how many features you would like in the dashboard. Like many tools, HootSuite has a free 30-day trial period for those that would like to try it out first. For the small secure destruction companies or those with a small marketing department, this tool is a great way to stay organized while freeing up some time for other tasks.

Vine: In 2013, Twitter acquired Vine, which is a mobile service that allows users to create and share short videos online. Posts on Vine are about brevity and as cofounder Dom Hofmann put it, “We believe constraint inspires creativity, whether it's through a 140-character Tweet or a six-second video.” One of the best methods for catching attention and engaging customers on your social media sites is using visually appealing content. By being short, simple and creative, short videos can generate interest in your product, business or cause quickly. This mobile app is free.

Slideshare: Slideshare is the largest online community for sharing presentations that easily integrates with most social media platforms. By logging into Slideshare, you can upload Microsoft PowerPoint presentations, Adobe PDFs, Microsoft Word documents, audio, and images as well as embed videos, blogs, websites, company intranets, and more. Also, you can decide whether the Slideshare presentation you create is public, private or shareable on social media platforms. Successful social media marketing plans always incorporate solid content marketing and brand awareness strategies. This tool lends itself well to any content marketing strategy. Slideshare allows you to finally share those presentations and documents you have been wanting to on your Facebook, LinkedIn and Twitter pages.

Nimble: Nimble is a social relationship and sales management tool. This dashboard allows businesses and sales people to manage client contacts, communications, tasks, sales history and funnel, and other related activities in one place. By connecting this dashboard to your social media accounts, you can meet new people that could be potential clients, advocates, or influencers and stay in contact with current clients. The key to this tool is being proactive. You need to sync your calendars, import information, set up tasks, schedule activities, become familiar with the sales automation function, integrate your business social media accounts, and regularly log into the Nimble dashboard to be effective and efficient. According to Social Media Examiner, “As you grow your presence on social media, it becomes increasingly difficult to maintain relationships with all of your fans, followers and contacts. It is a very effective tool that will help you nurture those important relationships and ultimately develop leads and sales.”


Comments: 0 | Reply

Tuesday April 16, 2013

What to do when you find illegal items in materials sent for destruction

By Bob Johnson, NAID CEO

Over the years, I have received a number of calls from members asking about what they should do when they find illegal items in materials sent for destruction. Sometimes it is contraband such as marijuana, other times it is evidence that a crime has been committed such as finding child pornography or photos of weapons.

It is very understandable why secure destruction service providers would be concerned because they are hired to protect information from being exposed. Therefore, informing the authorities of such materials seems a bit like betrayal. Further, any investigation that would be launched afterward could be extremely uncomfortable for not only the service provider, but for any account that may be subsequently contacted. What if the word gets out to the public about how the items were discovered? Does it bring attention to the fact that you or your employees are actually looking at the items you destroy? And, what if it is a fluke? What if there is really no crime and you’re making too much out of it?

Despite all of the concerns, there is only one course of action if such items are found: Inform the authorities immediately. You or your employees cannot unknow something. If a crime has been committed and you did nothing, you are an accessory to that crime. More importantly, if there is evidence that some is being harmed, as in the case of child pornography, the ethical imperative alone is far more important than any concerns you may have.


Comments: 0 | Reply

Friday April 12, 2013

Which side of Pareto’s principle is your company on?

By Bob Johnson, NAID CEO

I assume that anyone in business for more than a few years has heard some variation of the 80-20 rule. One common iteration states that 80% of your business will come from 20% of your customers. Another says that 80% of your profits come from 20% of the time you spend. There’s another version that claims 80% of your sales come from 20% of your products and that 80% of your sales are made by 20% of your sales staff.

Believe it or not the concept is actually based on quasi-scientific postulation known as the Pareto principle, which states that roughly 80% of all effects come from 20% of the causes. For example, 80% of the land in Italy is owned by 20% of the population.

With this in mind, I guess I should not be surprised that roughly 20% of NAID members are capitalizing on NAID marketing programs. Nor should I be surprised that the same percentage seems to be thriving while the larger proportion is simply surviving.

However, while I should not be surprised, I can’t help but be curious. If a significant minority of NAID members is having dramatic success with the Customer Employee Training Video, what are the others missing? If it works, it works, right? Why would any business ignore a program that helps them grow? Of course, the same question could be asked of any of the NAID marketing tools, conference attendance, or this blog’s readership for that matter.

While it would be easy to simply attribute the lopsided use of NAID’s programs as an example of the Pareto principle, the association has decided to take a different perspective. I am sure a good portion of members not realizing the full potential of these programs simply lack the training and confidence to use them effectively, which is the core mission of the new Shred School that starts this summer.

The Shred School website will be up soon with full details. In the meantime, I encourage you to read the article in the winter edition of NAIDnews. The Shred School workshops are affordable enough to send your entire staff and provide both a comprehensive overview of secure destruction and specific advice on the successful use of NAID programs.

If Pareto was right, I suspect that 20% of you will be there. The 20% who want to thrive.


Comments: 0 | Reply

Tuesday April 9, 2013

NAID 2013 demonstrated that non-traditional content works

By Bob Johnson, NAID CEO

There were so many sessions at NAID 2013, it would be impossible to say one was more valuable than another. I am sure any session may have been viewed as particularly valuable to attendees, depending on what they were looking for or their particular interest at the time.

There were two sessions in particular that NAID was considering for many years but never quite made the cut in the past, namely Small Business Security Awareness and How to Get Along with Family and Partners in a Business. It was, therefore, particularly gratifying to see that both sessions were so well received at this year’s event.

Angie Singer Keating of Reclamere, Inc., did an amazing job describing the electronic and Internet-related risks that small businesses are exposed to in today’s world. While there is no silver bullet, she gave some great advice on how to mitigate those risks. Keeping in mind, of course, that data security firms, such as NAID members, have an elevated standard for data protection. The audience hung on every word and furious notes were taken throughout the standing-room-only auditorium. It is obvious that Angie deserves every one of the credentials that follow her name. 

Similarly, the panel discussion between Bob Dornich (Reclamere, Inc.), Tim Oberst (Ohio Mobile Shredding), and Chris Ockenfels (Data Destruction and Recycling Services) describing how to get along with family members and business partners was a great success. Most NAID member companies have these issues and the audience was riveted by the discussion.

For many years, conference planning committees passed on these ideas because they were not directly related to data destruction services. Turns out they were wrong. The subject matter absolutely relates to data destruction services, which the attendees demonstrated with a large presence at both sessions. It is great lesson for future NAID conference planners. As it turns out, these two sessions probably yielded information that could prove to be the most valuable insights of all.



Comments: 0 | Reply

Friday April 5, 2013

Follow up is the key to NAID 2013 ROI

By Bob Johnson, NAID CEO

During the NAID 2013 Annual Conference, even with over 30 years in this business, I along with the rest of the attendees heard at least a dozen ideas that were worth the price of admission.

In addition, the show floor and networking events were all bustling. I’ll bet there was not a person there who did not meet several attendees, panelists and exhibitors who would be great new industry friend and resource.

There is only one thing you need to do to get an exponential return on investment (ROI) for NAID 2013 participation. You have to follow up. Please do. Just take one or two good ideas you heard during the presentations and implement them. And, sort out those business cards too. Call someone. Send them an email. Take the next step to get your ROI on NAID 2013.

All you are really doing is fulfilling the commitment you made when you decided to attend.


Comments: 0 | Reply

Tuesday April 2, 2013

Downstream Data Coverage is the next big market differentiator

By Bob Johnson, NAID CEO

Many NAID members originally participated in the NAID AAA Certification Program to set themselves apart from their competitors. Now that the program is nearing 1,000 participants, it serves a more important role by verifying the customer’s vendor selection requirements. However, while its role has become more important, it no longer serves as the market distinguisher to the degree it once did.

NAID launched Downstream Data Coverage for two basic reasons.

  1. The E&O policies currently available in the marketplace did not effectively address service provider liability, leaving both the service provider and their customers inadequately protected.
  2. To create a member-owned insurance product that would reduce costs, put members in charge of loss control, and have the ability to respond quickly to an ever changing insurance environment.

Eventually, Downstream will set an accepted standard for professional liability, just as NAID Certification does now for operations security. But, for the time being, it is proving to be a reliable market distinguisher that offers a unique opportunity, just like NAID Certification did for the first five years of its life.

The most telling evidence of this comes from those who have obtained Downstream. Not only are they reporting great results, they often actually ask that NAID not be so aggressive in marketing Downstream. It turns out they would rather have as long of a run as possible before their competitors have the same marketing tool.

Imagine the effect of having a policy that actually includes training and collaterals to use it as a sales tool. Imagine being able to really speak intelligently with clients about the difference in your coverage and how it backed by the industry trade group. And imagine what happens to the competitor called on to address those same issues without any answers.

Professional liability is in your future. That is a fact. The only way you can make any money on this inevitable trend, is to get ahead of it. There is no money to be made by waiting until the market forces you to act.

Comments: 0 | Reply

Friday March 22, 2013

Sitting at the center of the secure destruction universe

By Bob Johnson, NAID CEO

As I sit in my hotel room preparing for NAID 2013 to begin, it dawns on me how unique and valuable this event really is. For the next three days, it will represent the highest concentration of secure destruction knowhow, innovation, education, equipment, networking and professionalism anywhere on the planet.

The event represents the center of our professional universe. We are in our element; surrounded by our peers, sharing the keys to our successes and lessons from our mistakes.

The rest of the year, we are alone. We compete furiously. Accounts are won and accounts are lost. Fires pop up and are put out. At this event, we realize we are not alone.

For the almost 800 of you joining us at the center of the secure destruction universe, thank you for helping to create a unique space and time where we can concentrate on improving our industry as well as our professional careers.

Comments: 0 | Reply

Thursday March 14, 2013

Depth of NAID structure often overlooked

By Bob Johnson, NAID CEO

Many NAID members are unaware of the depth and complexity of the association’s operating structure. That’s unfortunate because it is a big deal and speaks to the seriousness with which association staff takes their roles.

Take NAID Certification, for instance. There are two chartered bodies in NAID that are responsible for overseeing the program’s integrity. There’s the Certification Rules Committee, which is responsible for developing the program’s security and operating specifications. There is also a separate body, the Certification Review Board, that is responsible for enforcement of the program. Both are comprised of representatives from member companies as well as paid, outside advisers. Both meet once or twice a month. Those serving on these committees are subject to board approval and term limits, and are required to sign confidentiality agreements.

If an issue arises that requires due process related to the enforcement of the association’s code of ethics or the protection of NAID trademarks, it is goes to the Complaint Resolution Council. Again, all members of this body must be approved by the board and are subject to term limits. They are also bound to the association’s confidentiality agreement. These industry professionals meet once or twice a month, depending on the workload, and have to process anywhere from two to five ethics complaints in each meeting. While every association has a code of ethics, few actively pursue enforcement with the diligence of NAID.

NAID’s accreditation program for Certified Secure Destruction Specialists (CSDS) is overseen by the CSDS Board of Regents. And, yes, these members are also approved by the NAID Board of Directors, subject to term limits, and bound to a confidentiality agreement. And, while it is a relatively new body within the NAID structure, they maintain an aggressive meeting schedule as they continue to develop the program’s foundation.

The point is that there is a lot of substance and structure in the programs NAID develops. Without exception, industry peers are in control. Even though all recommendations must be approved by the NAID board, the expertise and focus of these councils and committees is both remarkable and necessary.

To fully appreciate the extent of the NAID management structure, I encourage all readers to take a look at the Leadership Page on the association’s website. Knowing the depth and seriousness with which these issues are handled should be a source of great pride and considerable comfort to all members.

Comments: 0 | Reply

Tuesday March 12, 2013

Social media is online networking for your business

By Paul Garfunkel, Intek Leasing

I have been asked several times why social media is beneficial to my business. The answer is simple, social media is the online equivalent of a networking event. These days it’s harder and harder to meet with prospective clients face to face. In my case, I service clients all over the United States so social media is the best way to get my message out to a large audience.

When you say “social media,” most people think of Facebook, LinkedIn, Twitter and the like. But social media does not end there! For instance, I serve multiple markets. To reach professionals and customers in these markets, I use eBay, Craigslist, Dealer Car Search, Truck Paper, Shred Truck Outpost and Constant Contact to get my messages out there. The truth is all of these sites are credibility builders. Currently, I have 329 friends on Facebook, 253 contacts on LinkedIn, 153 followers on Twitter and 2,337 people on my newsletter lists. That might not sound too impressive but I have no filler because my contacts are industry specific people. I try to make sure I don’t communicate with those who cannot benefit from my message.

I think the biggest issue with social media is the belief that it works overnight. Now, you may be lucky and get results quickly. But it’s like a seed you plant. It will sprout but, without light and water, it will die. So when you find something that works, continually feed it. If Facebook yields more results than Myspace, then put your attention toward your Facebook page. But, remember, everything you do on the Internet yields results. And, whether you like it or not, people can see what others have to say about you through a simple Google search.

Your motto should be keep your friends close and keep you customers as friends. Now I am serious as a heart attack that you have to be a friend, not just play one. You need to be an adviser and be there 95% of the time when it has nothing to do with business. Take calls on the weekends and evenings and give your clients access to you. My saying is that I am available 24/7 but, if it’s not urgent, no calls after 10 p.m. Your biggest deal may be decided on a Sunday afternoon while you are with family and friends because your clients know you will answer even on a Sunday afternoon.

I am not suggesting that sales is the only reward. The relationships you form can help you professionally, and your social media outlets are ways to keep in touch with your customers and friends. Social media gives you a place to put you and your business out in the world and build networks of friends. The more friends you have, the richer your life is. Wouldn’t you agree? On Friday, March 22, be sure to check out Learn it or Lose it: An Interactive Social Media Intensive at the NAID conference where I will be hosting the panel discussion.

Comments: 0 | Reply

Friday March 8, 2013

This year’s conference has some killer sessions

By Bob Johnson, NAID CEO

Anyone who has worked on a NAID conference committee knows that the event often starts with as many as 80 potential sessions. In fact, selecting the short, final list of sessions, about 25, is one of the committee’s biggest challenges.

The point is a lot of thought and debate goes into creating the sessions that end up in the conference schedule. So for me to pick out a handful of favorites is a little like asking a father to pick his favorite kid. In reality, I think all the sessions are really good and deserve consideration. None of them ended up on the schedule by accident or to fill time.

The reality is though, there are some sessions that have been in the works for years and I am really excited about the following:

  • Using Route Driver to Drive Sales: I previously blogged about why this session is so special. My interest in developing this content goes back more than 30 years to my early days in the industry.
  • Developing the Residential Market: Again, I have already written about the ongoing exploration of this vast, yet elusive, potential market for secure destruction services. The session is the outgrowth of a two-part discussion group held at last year’s conference. Those who attended last year’s discussions reported it was one of the most interesting and valuable sessions.
  • Interactive Social Media Workshop: Some readers may remember when secure destruction industry professionals would debate about whether a website had any value. Now, you’re not taken seriously without one. Becoming savvy in social media has proven to be an effective customer loyalty, local branding and growth tool. This session represents the most intense and interactive session on the subject and features industry professionals who have proven expertise in the area.

Anyone of these sessions could potentially be worth more than the entire investment to attend NAID 2013 Annual Conference in Nashville and yet I could just as easily list three more for which I could make the same claim.

I personally have little sympathy or understanding for those who do not attend the conference. The only reasons that could make sense to me is that their businesses are already so well run, so well networked and so successful that they have nothing else to learn. When you think about the value of one great idea, or of new customer that comes from using that idea, the ROI of attending not only makes sense, it is downright compelling. Those who do not attend NAID 2013 are leaving money on the table.


Comments: 0 | Reply

Tuesday March 5, 2013

What is the role of subject matter expertise in relationship selling?

By Bob Johnson, NAID CEO

Anybody in sales is all too familiar with sayings like “people do business with people,” “all sales are based on relationships,” and “people buy emotionally and explain it intellectually.”

The reason we are so familiar with these sayings is that they are largely true. Sometimes the relationship is between two people but just as often it is between a person and a company. When someone buys a computer or smartphone, especially an Apple product, how they feel about Steve Jobs is part of their buying decisions even if they did not know him personally. Nonetheless, there is still a relationship.

By now, most NAIDnotes readers know I believe subject matter expertise plays a big role in success. Knowing that HIPAA was not primarily a data protection regulation or that only two of the 19 provisions of FACTA impact the secure destruction industry can improve sales for secure destruction businesses.

So the question occurs to me (and others), if selling is about relationships, why do I need industry expertise? After all, being a know-it-all can actually be a big turn off. In reality, there is absolutely no conflict between the dynamics of relationships in the sales process and the role of expertise. In fact, they are in complete harmony.

The relationship your customer or prospect has with you or, more importantly, their relationship with your company is definitely the key ingredient in sales. That relationship is what separates you from being a commodity. The trick is to use subject matter expertise to strengthen that relationship. People are attracted to companies and professionals who know what they are talking about and know what they are doing. The confidence exhibited by those professionals elicits the emotional connection needed to get the sale. Apple, BMW, Bose and companies like them, are not just commodities, they are experts in their fields.

So, yes, it is critical that you or your company (I stress the latter) build relationships but relationships should be based on more than a good personality or creative corporate image. Subject matter expertise should be one of the primary ingredients in that relationship – maybe the most important one.


Comments: 0 | Reply

Thursday February 28, 2013

Light your hair on fire!

By Bob Johnson, NAID CEO

As the NAID 2013 Annual Conference nears, I find myself reflecting on last year’s event. More specifically, I was thinking about two points made by our keynote speakers last year.

Tom Adams, who has spoken at many NAID events, spoke on day two of last year’s event. One of the reasons Tom is asked back so often is that just about every sentence he utters contains profound and useful observations. And, it certainly doesn’t hurt that he delivers those gems so eloquently.

The particular gem that came to mind this morning was Tom’s observation that there is no excuse for you to not run an amazing company. That’s not verbatim so my apologies to Tom if I misrepresented it. The point is if a company is boring, lackluster, mediocre, or stogy, it is not because of the type of business, lack of money, or anything else other than the mentality, vitality, and perspective of the people in charge.

Along the same lines, Jeffrey Gitomer reminded us of the importance of being interesting, both as individuals and as companies. At the conference last year, you could actually see people thinking about his questions “Are you interesting?” and “Is your company interesting?” Nobody wants to talk to or do business with someone who is boring.

I already know most industry professionals are extremely interesting people. Anyone who strikes out on their own to start a business and lives to tell about it has got to be interesting.

The photo in this blog is similar to one that Tom uses in his presentations. Who doesn’t get a smile on their face the first time they see this photo? Before even talking to this guy you know he has a good sense of humor and is probably not boring.

No, you don’t have to light your hair on fire (in which case I’d be screwed) and you don’t have to pose for a photo of you sitting on toilet. But, I bet you can come up with a dozen appropriate, affordable, sensible and fun (or even serious) ways to communicate how interesting you and your company are.

Who knows, in addition to your bottom line improving, you just might have a little fun too.

Comments: 0 | Reply

Tuesday February 26, 2013

Common small business security risks threaten your business

By Angie Singer Keating, Reclamere CEO

As professionals in the secure destruction business, we must project an image that conveys trust and expertise at all times. While we focus on the best equipment, people and processes for managing our client's data and/or paper, how often do we think about the public relations nightmare that a data breach of our organizations would cause? Many of my fellow destruction pros think they have no cyber-risk since their clients' data for destruction isn't on their network. This is true. Many destruction pros think they don't have data that's of any value to hackers. This is patently false.

If you are in business today and have a computer, your company is a target. If you are a business that uses online banking, you are a high value target. If you are a business that sends or receives money through ACH transfers, you are the highest value target.

Every year, small businesses are attacked by cybercriminals trying to steal data or money. Many of these criminals are successful in getting in to the networks. This is because the large companies have become so well protected and monitored that, for all but the most talented of hackers, it is too challenging to successfully breach a large company and get data out before being detected and stopped.

The media may give the impression that cybercrime and hacking today are only being perpetrated on very large companies and government agencies, by super-smart hackers, using very complex methods from faraway countries. The reality is that countless organizations are victims everyday, large and small, by a hacker who downloads a free exploit from the Internet and uses it on weak security and untrained employees.

Many of these attacks start through a legitimate looking email with a malicious link embedded within it. By tricking the reader into clicking the link or downloading an attachment, a piece of software code is downloaded and executed. This malware runs wild on the host computer and may spread through local networks until every open computer is infected. These kinds of attacks are simple to defend against but do the most damage because there are so many of them. They can wipe out bank accounts through stolen credentials to online accounts. They can copy customer data such as payroll, HR and accounting information. They can prevent normal day-to-day operations of business through encrypting mission critical systems and holding them hostage until ransom is paid for the keys to decrypt the data.

There are also Denial of Service (DoS) attacks or Distributed Denial of Service (DDoS) attacks. These involve sending information from one or more computers to a target and overwhelm its ability to respond. These kinds of attacks can take down your website or even your local network, preventing customers or employees from pursuing business with your company.

Reclamere’s data breach incident response and incident response training repeatedly demonstrates that small and mid-sizes businesses have the following serious risk factors:

  1. Unpatched operating systems, software and firmware
  2. Web facing servers and devices running services that are not ever used by the business but are easy to exploit for remote access
  3. Running obsolete versions of software that are no longer supported with security patches by the manufacturer
  4. Staff using accounts with administrator privileges
  5. Internally hosted websites that were developed without sufficient security controls
  6. Untrained or poorly trained staff who fall victim to email phishing or social media exploits

The bad news is that I'm certain that every person reading this article has at least one or more of these risk factors active at this very minute. The good news is that there are free and low cost ways to solve them. But the very best news of all is this: At the NAID 2013 Annual Conference in Nashville this year, I will be teaching a seminar called "Watch Your Six: Small Business Security Awareness" so that attendees leave with the solutions to these risks and others. I have to admit that, not having a military background, I was a bit confused by the title when it was first suggested. Turns out, it's an old military expression, especially among fighter pilots. If an adversary gets "on your six" it means he's behind you and you're toast in a couple of seconds. For position, 12:00 is dead ahead, and 6:00 is directly behind you. The title is very appropriate because I've got your six. I've got solutions for your cyber-risks so you don't get toasted by a cybercriminal. See you in Nashville!


Comments: 0 | Reply

Thursday February 21, 2013

You made it; now get ready to grow

By Bob Johnson, NAID CEO

Optimism is returning, and rightfully so! We are surrounded by signs that the economies of the world have turned the corner. Construction is consistently increasing. Credit is available to worthy borrowers. Stock markets around the world have rebounded. Job creation is trending up globally. Scrap value and demand is healthy.

In short, all indications are, you made it. To make a finer point, you made it when many didn’t. Around the world, we are slowly emerging from the most dramatic economic downturn of the last 70 years. It is the proverbial “light at the end of the tunnel.” 

Now, that does not necessarily mean things are booming. They aren’t and they probably won’t for awhile. Personally, I think that’s a good. Rapid recovery and unbridled growth are rarely stable or healthy.

The point is, you have reached the other side of the downturn and it is now time to expect growth. Take a minute to think about that. It is over, or close to over, and you’re still standing. I’d tell you the road ahead won’t be easy but you already know that. You’re here and you wouldn’t be here if you didn’t already know that. See you in Nashville!


Comments: 0 | Reply

Tuesday February 19, 2013

Improve your sales productivity by 5% in 2013

By John Boyens, Owner of The Boyens Group

If a salesperson or business owner wants to get off to a quick start in 2013, they can’t confuse sales activity with sales productivity. As a matter of fact, the most successful salespeople and business owners I know establish processes that are repeatable and scalable. That way they know what they did when things are going well and they know what to address when things didn’t go well. One process I suggest they consider is to take my 5% Challenge:

  • Improve customer retention by 5%
    • Track customer retention numbers on a monthly, quarterly and annual basis.
    • Thank your customers for their business they’ve given you in the past. Tell them you want to continue to earn their business today and ask what you can do to delight them in the future.
  • Upsell or cross-sell 5% of your customers
    • Offer additional products/services to your customers.
    • Establish upsell or cross-sell goals on a daily, weekly and monthly basis.
  • Get referrals from 5% of your customers
    • Make a list of five customers from which you’d like to ask referrals.
    • Create a script (or email template) for them to use when introducing you.
  • Win back 5% of your former customers
    • Make a list of five customers that haven’t purchased from you in the past 12 months.
    • Create a list of what’s new (i.e., new products and/or services, new locations, new people) since the last time they bought from you.
    • Reach out to them (e.g., phone, email, letter) and let them know you’d love to earn their business again.
  • Improve your close rate on new business by 5%
    • Profile your best customers and sell to more potential customers that look like them.
    • Leverage referral selling since referrals close at a significantly higher rate than cold calls.
    • Improve your negotiating and objection handling skills.

So what can a 5% increase in these areas mean to you? It’s not a linear projection, meaning it’s not just a 25% increase.

  • A 5% increase in customer retention could mean a 20%, 30% or 40% lift in performance.
  • Winning back5% of former customers (and getting them to buy at previous levels) could double your business.
  • Improving your close rate by 5% could mean thousands of additional commission dollars in your pocket.

I’m positive you will successfully complete my 5% Challenge. 2013 could become your bestselling year ever! Also, be sure to join me in Nashville for the NAID conference March 22-24!


Comments: 1 | Reply

Thursday February 14, 2013

Your attendance at NAID 2013 is newsworthy

By Bob Johnson, NAID CEO

For this year’s NAID conference, attendance numbers are looking very strong. Most of the advance promotion for the event stresses the topical subject matter, high quality presenters, the networking opportunities and the amazing trade show. Obviously, many industry professionals are attracted to the event as a result.

Something we don’t talk about much is what attending the NAID 2013 Annual Conference says about you and your company to the marketplace. Industry professionals attend the NAID conferences because they are serious about their businesses. Sure they are looking for better ways to succeed but that usually translates into better serving their customers and their market.

Customers and prospects need to know that about you. It’s good (and reassuring) for them to know their service provider takes their responsibilities seriously enough to attend the industry’s annual educational events. NAID members need to capitalize on anything that shows your customers that you are striving to serve them better. Those opportunities don’t grow on trees.

If you are attending NAID 2013, that’s newsworthy to your customers and prospects. Put it in your newsletter. Send out a press release. Write an article about a session you liked for your local ARMA or ASIS or IFMA chapter. Get pictures of you with your colleagues or one of the speakers to use after the conference.

Who knows? The simple fact that you are participating in the secure destruction industry’s only major educational and networking event may lead to a new customer or strengthen loyalty in others. That only needs to happen once to make the return on the investment for the conference more than worth it.


Comments: 0 | Reply

Tuesday February 12, 2013

Today’s changes are no more or less dramatic than yesterday’s

By Bob Johnson, NAID CEO

Over the past couple of years, there has been a lot written about how the secure destruction industry has been changing, including how the market has matured, how customers’ behaviors are evolving, and how regulatory challenges and opportunities are increasing.

Often comments like these imply that before these changes happened, things were pretty static, almost as if the current market is now moving away from a status quo. However, nothing could be further from the truth. The secure destruction industry has been in a state of constant and dramatic change for a long as I can remember. Status quo has never existed. And, I seriously doubt a status quo has ever existed for any business.  

As another NAID conference approaches, I remembered how every year someone on the conference committee suggests “change” as the theme for the event. Why? Because the reality is things are always changing. For those who are attentive and nimble, this is actually great news. Nowhere is the phrase “you snooze, you lose” more applicable. 

So, the next time I find myself about to profoundly say “the industry is really changing,” hopefully I catch myself. Yes, it is changing, but it’s been changing all along at every point. It’s like making an observation that the sun rose this morning. Our job is to understand and get ahead of those inevitable changes.

Comments: 0 | Reply

Thursday February 7, 2013

Why you should use NAID tools designed for the industry

By Bob Johnson, NAID CEO

In the not-too-distant past, some members would say they were not getting NAID Certified because many customers were not aware of it. Similarly, I recently talked with an industry professional who was considering becoming a Certified Secure Destruction Specialist (CSDS). The thing holding him back was that it was not recognized like the more well known CPA or MBA credentials.

But what would you think if a mechanic walked into the hardware store and said, “I need to return this screw driver.” When the clerk asked why, he said, “Because it doesn’t work unless I pick it up, insert it into the screw and turn it.”

Sounds ridiculous, right?

NAID AAA Certification and CSDS are tools for secure destruction professionals. They are meant to be used.

NAID Certification verifies appropriate regulatory language in service providers’ policies and security through its built-in, routine audits. In doing so, it fulfills the clients’ legal responsibility. This gives service providers an amazingly powerful tool: it provides client compliance.

As I have written before, the CSDS accreditation acknowledges an understanding of a broad range of industry issues. At this point in time, the initials are not where the real value is; the value comes from the ability to apply the knowledge. The confidence that comes from knowing what you are talking about is invaluable to the sales process. Further, whether seeking out speaking or writing opportunities (which is part of your job, like it or not), your credentials add to your credibility.

The same goes for the Doctors’ Office Marketing Program, the Customer Employee Training Program, the Compliance Toolkit and other NAID programs. As I said, they are tools. They are meant to be used, not just to hang from a peg board behind the workbench.


Comments: 0 | Reply

Wednesday February 6, 2013

NAID 2013 session to discuss route drivers in sales

By Bob Johnson, NAID CEO

There is a great discussion unfolding on the unofficial NAID LinkedIn group page where industry professionals are sharing ideas about involving route drivers in the sales process.

As many of you know, I have always felt that route drivers have been underused in the sales process. To be fair, there are some service providers who incentivize drivers to turn in new leads. Some even provide drivers with business cards and brochures. 

Also, many NAID members started out as both the driver and the salesperson. Many are still are. That is exactly how I got started. Back in the day, (and, no I did not have to walk two miles in the snow every day), when I was on the route, I was always on the prowl for new opportunities. I had to be. It was very common for me to do a pickup at a multitenant building, and then spend 20 minutes dropping of my cards and brochures. I even remember my line. 

“Hi, I am not a salesman, my company just signed up one of your neighbors for our shredding service. We’ll be around twice a month in case you ever need a service. Can you give this to the office manager?”

And, it worked like magic.

Of course, things changed. Once I got out of the truck, I wanted drivers to be as productive as possible. I kept the sale role, and later hired salespeople. I often wonder if it would have been better to hire a better caliber of drivers, give them intense training and incentives, and maybe even get them to invest in their routes like the milkman was (am I really that old?).

Stemming from this burning question I have carried with me all these years, NAID decided to include a session at the NAID conference in Nashville about route drivers. Len Rashkin has built a career advising businesses that rely on route driver sales to create and improve programs. I am personally working with Len to understand how our industry works. In the process, I am coming to learn we have more in common with those other office service industries than at first glance. Who knows, maybe the question on route driver sales that I have carried for all these years will be answered. All I know for sure is that anyone attending the session will leave with a much better understanding of the dynamics and a handful of actionable ideas.

If you want to see Len’s presentation, make sure you’re registered for the conference. There's still time to take advantage of the conference registration discount so sign up at


Comments: 0 | Reply

Thursday January 31, 2013

2013 board candidates represents average members

By Bob Johnson, NAID CEO

Yesterday, the NAID Board of Directors approved the slate of candidates competing in the upcoming general election. This election is to fill board positions that will be vacated in March. The candidates competing in the general election are listed below. I am happy to report that everyone nominated who wanted to compete appears on the approved slate.

When an organization like NAID gets to a certain size, there’s a tendency to think of it as somehow separate from the industry, like it’s an institution governed by forces not concerned with the average member. The one thing that jumps out from the list below is that it is made up of typical destruction service providers. For the most part, the list shows representatives from single market, privately owned destruction companies that face the same challenges as other members. And, you see the same thing when you look at the current or past board members.

Every decision, action or strategy made by NAID directly emanates from these volunteer leaders who have the same concerns and issues as every other member. Will everyone agree? No, and rarely do all board members completely agree on everything. That’s how it works. However, it doesn’t change the fact that NAID is run by industry professionals who are doing their best to improve the industry.

To think of NAID as something separate from the members makes no sense. It is owned and run by the members who were elected by their peers. No board member ever voted to do something that would harm the industry. Again, you might not always agree with them (and they often don’t agree with each other), but their individual decisions are based on what they feel is ultimately best.

So, congratulations to those listed below and good luck. Information on the candidates can be found in the Members’ Only section of the NAID website starting tomorrow. Next week, NAID will be posting questions on NAID’s LinkedIn group page for candidates to respond to and engage in discussions with members. Also, ballots will be distributed to eligible voters via email on March 1. This year voting will be conducted electronically.

For President-Elect

Chris Isabell, i-Secure

Ken Williams, The Shred Authority

Lloyd Williams, Shredall Ltd.


For Treasurer

R. Stephen Richards, CSDS; Richards & Richards


For Director

Dag Adamson, Lifespan Technology Recycling

John Anderson, Shred 360

Patrick DeVries, DeVries Information Management

Jeffrey Green, AccuShred, LLC

Eric Haas, A.R.M.S., Inc.

Scot McFarland, CSDS; Ray's Trash Service, Inc.

Chris O'Handley, MS, PHR; Eggleston Document Shredding (EDS)


Comments: 0 | Reply

Tuesday January 29, 2013

Don’t be left behind: Adding scanning services increases shredding revenue

By Andy Sokol, Owner of CopyScan and Dean of Scanning School

More businesses than ever are changing the way they think about their paper records. From environmental pressures to cheaper alternatives, document scanning and imaging can revolutionize the shredding industry.

Shredding companies that don’t diversify and offer scanning to their existing and future customers will suffer, especially as managing data in the cloud becomes the standard for business document management. What’s more, they’ll miss out on a once-in-a-business-lifetime opportunity to explode their business!

In order to get more shredding customers, you need to also be in the document imaging business. Ray Barry, formerly of Shred School, used to ask, “Are you really in the shredding business?” If you only offer shredding to your storage customers and you don’t know how to sell it on its own, you are not in the shredding business. Andy Sokol, the Dean of Scanning School, was Barry’s third graduate of Shred School and can attest to that. In the same way, if you don’t know how to sell document scanning as its own service and your imaging revenue is based only on archive imaging, you are missing the most profitable imaging business out there, and here's why.

In 1995, I built CopyScan as a document copying and scanning company without any other services. It was profitable all by itself, and in 2003, I added shredding as an additional service. Although I added other services over the years, document imaging is still the most profitable service I offer.

In order to sell imaging on its own, shredding company leaders need to learn a lot of new vocabulary. If you don’t understand what your customer will do with the images, how they will access them, and what system and software they are using, it will be impossible for you to do the consultative selling required to sell imaging. Archive scanning competes with box storage, which is much less expensive and is usually the most cost-efficient alternative to scanning. The misconception that most shredders have is that document scanning is not profitable. That’s because they don’t realize that document imaging is not about storage, it’s about the customer having instant access to their files. Archiving is only about storage and is the lowest margin work you will do.

In order to do the lucrative imaging of litigation documents for example, you need to be able to speak the litigation language. Selling imaging requires selling trust. Your prospect doesn’t trust someone that doesn’t know their lingo. You will need to learn the language and process of litigation so that you can have a conversation with a law firm like a pro. Since people will be suing other people for many years to come, don’t you want to create this revenue annuity?

In order to sell to corporations, you need to understand the vocabulary of business systems and the workflow that they use within their company. There is an entire language for business processes. You need to know it to confidently have the business process conversation like a pro.

And, yes, there are medical records. Perhaps you are wondering why this subject is last. Medical record scanning is hot right now and will be for some time to come. But document imaging was profitable long before the health care bill provided electronic medical record benefits to doctors, and it will be for many years. Remember, knowing the lingo means gaining trust.

And here’s the best part: All of these industries, and many others, will provide built-in shredding revenue because once the documents are scanned, they need to be shredded. There is nothing to lose by learning the document imaging business. You have everything to lose if you don’t learn.

CopyScan’s scanning customers never bid their shredding work and the local shredding competition doesn’t even know about the job; it’s already taken care of before the documents are ready for shredding. For more information about how to add document scanning as an additional service to your shredding company, come to our workshop at the upcoming NAID conference in Nashville, or check us out on the web at


Comments: 0 | Reply

Thursday January 24, 2013

Why is our approach to sales and marketing often illogical?

By Bob Johnson, NAID CEO

Would you trust a contractor to build you a house without a plan? Would you set out on a long road trip without a good understanding of how to get to your destination? Why then, do so many of us think we can build a company without a plan or a map? It is completely illogical.

The problem is, even though we realize the importance of a plan, it is amazing how willing we are to fly by the seat of our pants when it comes to marketing. And, the symptoms of this malady are so obvious. 

  1. Not knowing where your next customer will come from
  2. Showing up for work without knowing what your next sales or marketing step is
  3. Not being able to describe the type of customer you are trying to attract or what you doing to attract them
  4. Constantly being in a reactive sales and marketing mode versus initiating the activity

Peter Drucker famously said, “The purpose of every business is to create a customer.” Sales and marketing is how we do that and, yet, it is just about the only thing we think we can build without a plan. The reason it works at all is because so many others are operating the same way.  

Woe to you if your competitor has a plan. And, woe to your competitor if you have one.

I have gotten better at understanding (and having) a sales and marketing plan in recent years, so I guess you could say I am in recovery. My concern about this is one of the reasons NAID has focused more on marketing programs for members than just brochures. The Customer Employee Training Program, the Compliance Toolkit and the Doctor’s Office Marketing Program may not be “marketing plans” per se, but they are certainly important elements of marketing plans. I wish more NAID members were using them.

As they say, admitting you have a problem is the first step to recovery. We’re going to be spending a lot of time on NAID marketing programs at the NAID 2013 Annual Conference in Nashville, Tenn., and at future Shred Schools. Please think about attending these events, and, in any case, let’s all agree not to build our businesses and futures without a plan.


Comments: 0 | Reply

Tuesday January 22, 2013

NAID can help members address questions in the sale process

By Bob Johnson, NAID CEO

Sometimes, though not enough as far as I am concerned, I am asked to use NAID’s pulpit and expertise to help members in sales situations. This usually happens when a member needs to coax a client into recognizing their responsibilities or provide some type of proof statement correcting a misconception.

Having a letter from NAID correcting a client’s misconception can work wonders in tough situations. Whether it is a prospect questioning why they need to shred, what particle size to specify, or how NAID Certification factors into PCI compliance, a response from NAID can be very helpful. In fact, I am happy to provide such responses on any records information management issue where correct information is all that’s needed.

I do have one note of caution for members requesting such help. If the customer is arguing a point simply to justify not doing business with you, no letter is going to help. Such a letter can make them more defiant. You may have proved your point, but you will not end up with the business. 

The letter below resulted when a member asked me to clarify a health care client’s need for a contract. My understanding was that a competitor was telling the client they did not need one, thereby putting customers at risk. When the member came to me for clarification, I provided the following response:

Your question about contracts is a good one and one that is often fraught with misconceptions. It is also especially timely, since the U.S. Department of Health and Human Services (HHS) just released their final ruling on how the Health Information Technology for Economic and Clinical Health (HITECH) Act will amend the Health Insurance Portability and Accountability Act (HIPAA).

First, while some data protection regulations such as the FACTA Final Disposal rule are vague on the requirement for a contract, HIPAA is not. From the beginning, HIPAA has required covered entities (CE) – which are the health care organizations – to have a written contract with any third party vendor that will have potential access to protected health information (PHI). Within HIPAA, these third parties are known as business associates (BA) and the required contract is referred to as a Business Associate Agreement (BAA).

The required BAA serves a number of purposes, as described within HIPAA. First, it contains language linking the BA to the Security Rule and Privacy Rule, which are two of the five rules that form the backbone of HIPAA. In addition, the BAA should clearly delineate the policies and procedures of the BA, so that any deviation from such can be monitored and/or documented.

Also, the recent release of the HITECH Final Rule amends HIPAA in many ways, some of which apply to the BAA. Most significantly, HITECH includes a breach notification requirement. Since this is new, HITECH also requires that a BAA includes language where the BA verifies they understand their responsibility to notify the CE of any potential data breach. Realizing that this would require a new BA to be executed, HITECH now specifically requires a new contract be written with such verification included. The deadline for the implementation of this language has already passed.

HITECH also includes a far more serious provision that needs to factor into this discussion. HITECH Final Rule directs HHS to impose mandatory investigations and fines where a HIPAA violation rises to the level of “willful neglect.” There is no doubt in my mind that a health care organization’s failure to have a properly executed contract, as clearly required by the law, would rise to that level. Should HHS or the state attorney general learn of a health care organization not having a BAA in place, the law would require an investigation and the CE could get fined between $10,000 and $50,000 per incident (in this case, an incident would be for every BA that did not have a BAA).

Let me know if you need further information.



Bob Johnson, CEO

National Association for Information Destruction, Inc.

Comments: 0 | Reply

Thursday January 17, 2013

HITECH will ignite great opportunities in the secure destruction industry

By Bob Johnson, NAID CEO

One of the country’s most prominent and respected privacy experts, attorney Kirk Narha, reported the HITECH Final Rule may be released soon, possibly by the end of this month. As many of you know, it was originally supposed to be released last summer and has been postponed several times since then.

So, even though it is reasonable to have some healthy skepticism about the speculated release, U.S. Department of Health and Human Services (HHS) can’t put it off forever and it is long overdue. Other professionals have speculated that HHS was waiting for the election results to release the rule because the winner could influence the tenor of future enforcement. Nonetheless, Narha would not have made his suspicions public, if there was not a strong feeling the release was imminent.

Why is the release of the HITECH Final Rule so important? It is important for a lot of reasons but mostly because it will mark a new era of data protection enforcement; an era where regulators are legally required to impose strong fines where both covered entities and business associates violate the law.

I have long maintained the HITECH Final Rule will mark a significant turning point for the secure destruction industry for the following reasons:

  1. The mandatory requirements to investigate reported violations, combined with whistle-blower incentives, will dramatically increase fear in covered entities and business associates as well as investigations.
  2. The reality of mandatory fines (along with mandatory investigations) will serve as a proverbial slap across the face to all health care providers, dramatically turning their attention to risk mitigation, including service provider qualifications, training, policies, and indemnification.
  3. Coverage of the new rules will be furious and universal in the health care media for years; just like we saw when HIPAA hit. Even the general media (e.g., USA Today, Wall Street Journal, New York Times, Newsweek) will be covering it initially, but reports of fines and articles about compliance strategies will be everywhere in health care media publications for years to come.
  4. The NAID Doctors’ Office Marketing Program was designed to capitalize on the furor resulting from the HITECH Final Rule. By postponing the release, HHS did not hold up there part of the bargain. Now that it is likely to hit soon, the market will be primed and members need to embrace this program for all its worth. The good news is that there will be plenty of opportunities to capitalize on the program once the rule hits. Also, you might want to visit, which is a NAID-sponsored resource for covered entities.
  5. The HITECH Final Rule will create an opportunity to put all health care customers into play whether there is a contact in place. This is bad news for those who just want to sit back and keep what they have but good news for those willing to increase their qualifications and capitalize on the new regulatory environment.
  6. My personal opinion is that HITECH is a trial balloon for what will be a national data protection law covering all personal and health data. It may take years to come but those who learn how to navigate in this new regulatory environment will be positioned nicely when the same rules apply to all businesses.




Comments: 0 | Reply

Tuesday January 15, 2013

Real improvement is based on small victories

By Bob Johnson, NAID CEO

Maybe I am wrong, but I think few people would argue they are running their businesses (or doing their jobs) as well as they possibly could. Stated another way, few would argue there is no room for improvement. For one thing, we’re all human and, to some degree, we are defined as much by our frailties as our strengths. In short, we’re not, nor can we ever be, perfect. Great observation, right?

Still, even with imperfection, we want to do better. The new year is naturally a good time to evaluate and take action.

As with any project, including a project to improve how you run your business, you’re better off concentrating on one thing. I have read that credit counselors usually have debt-ridden clients focus on paying off the small debts first. This seems counterintuitive because eliminating those obligations seems like it would not make a big difference. However, I learned later, that is not the point. The point is to build momentum by experiencing small victories. Each retired obligation gives those clients the strength to fight for the next milestone, which is just a little tougher.

Now, let’s get back to me and you.

All my readers know that I preach about the benefits of using industry expertise as a market differentiator and relationship builder. That said, getting there can be – strike that – HAS to be broken down into a series of smaller victories. But only you can pick the small victories that will lead you to where you want to be. It could be setting aside time to read industry-related articles. It could be earning you CSDS accreditation. It could be deciding to give two educational presentations to business groups. The important thing is to start somewhere.

This year, NAID will be offering more opportunities than ever for secure destruction professionals to build their expertise, including a record number of opportunities for service providers to add significant value to the services they offer. I truly hope that whatever small victories you plan for yourself in 2013, that you take advantage of the NAID commitment to help you achieve your goals.



Comments: 0 | Reply

Thursday January 10, 2013

Simplicity and focus: Force multipliers

By Joe Calloway, Author of “A Category of One”

Like just about every other business in the world, the secure records destruction industry has and is experiencing unprecedented change and challenges. It’s easy to fall into the trap of “I’m doing everything I can think of to improve business, but it’s not working.” Remember, top performers aren’t the people who do the most things. Top performers are the people who do the most important things. 

You don’t have all the time in the world, nor do you have unlimited money or people. Whether your focus is a hyper-competitive commercial market, or relatively new markets like residential, to win with finite resources requires that you leverage every single resource at your disposal. What you need is a force multiplier. 

“Force multiplier” is a military term that is the effect produced by a capability that, when added to and employed by a combat force, significantly increases the combat potential of that force and, thus, enhances the probability of successful mission accomplishment.

Steve Jobs once said “My mantra is simplicity. You have to work hard to get your thinking clean enough to make things simple, but that it’s worth the effort, because if you can make things simple, you can move mountains.”

Simplicity and focus are your force multipliers, but they aren’t easy to achieve. It’s so much easier to come up with 20 priorities than it is to come up with three priorities. The obvious problem with 20 priorities is that it’s a bogus concept. You can’t focus on everything. Twenty priorities means no priorities. 

If you blast a steel wall with the relatively large flame of a flame thrower, you’ll create a lot of heat, but you won’t get through the wall. If, however, you use the blue tip flame from an acetylene torch, you can cut through the steel like butter.

Here are some questions to consider as NAID members begin this new year of opportunity:

  • Where have we made our business too complicated?
  • What is something we can do immediately, right now, to simplify things and get focused?
  • What do we need tostop doing?
  • Where do I need to apply a blue tip flame?

Comments: 1 | Reply

Tuesday January 8, 2013

Data destruction: The challenge of loaded terminology

By Bob Johnson, NAID CEO

I have often related the story of having traveled all the way to Warsaw, Poland to address a business group, only to be challenged, before I even spoke, with the question, “Was there really no one between Arizona and Poland who could talk to us about shredding?”

The question put me on my heels for a second but then it dawned on me that this is exactly our problem.  For the most part, even people who should know better, think of information destruction as the act of shredding or, more precisely, the act of putting a piece of paper into a machine that creates particles. Concepts such as policies, training, access control, audit trails, employee screening, transfer of custody, acceptance of fiduciary responsibility, contracts and vendor qualifications are nowhere to be seen.

And, unfortunately, we see the same thing on the electronic destruction side. In that world, specifications for proper drive “sanitization” start where the device is plugged into the machine administering the process.

The most telling example of these over simplistic perspectives of destruction can be found in commonly referenced specifications. I have often pointed out that someone could meet the GSA specification for paper destruction, or the NIST 800-88 specification for sanitization using unscreened homeless people in the vacant lot on the corner of Camelback and 19th Avenue here in Phoenix, Ariz. 

Data destruction is widely viewed as an event, instead of a process. There is a perfectly logical reason for how and why it is this way but that’s another talk show. The point is we have to redefine “destruction.”  When we use the word “shredding” or “destruction,” very few people would conjure up the litany of critically important factors listed above. In reality, as it stands today, the use of those words screams “COMMODITY.”

Our task, starting this year, and for many years to come, is to redefine what decision makers consider proper information disposition. I’m in. How about you? Stay tuned.

Comments: 0 | Reply

Thursday January 3, 2013

Delayed HIPAA/HITECH Final Rules promise big changes

By Tom Dumez, President of Prime Compliance

The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010. The Office of Management and Budget (OMB) received the much delayed U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules that had been bundled together in what was called “Omnibus Final Rulemaking.” One of the biggest problems in rulemaking is the delay in the issuance of rules due to legal requirements, bureaucracy, and political influences. For covered entities (CEs, which are your clients), business associates (BAs, which is you), and their agents and subcontractors (the people you outsource a covered service to), things are changing.

The original NPRM read:“The HHS OCR will issue final rules to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH, Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the rules to be finalized in early 2012. Right.

We knew the NPRM would contain changes to four of the HIPAA/HITECH related rules. The rules to be included were the following: Genetic Information Non-Discrimination Act (GINA) NPRM, Breach Notifications Interim Final Rule (IFR), Enforcement and Compliance IFR, and HITECH Privacy/Security/Enforcement NPRM. The HITECH changes address areas such as BAs, enforcement, electronic access (accounting of disclosures), marketing, fundraising, no sale of personal health information (PHI) and the right to request restrictions.

Among the biggest changes will be those related to BAs, subcontractors and other parties as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of PHI. These sections also make them directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it specifically relates to those in the document destruction business (as a BA), the NPRM originally proposed the following:

  1. Requiring that BAs comply with the technical, administrative and physical safeguard requirements under the Security Rule
  2. Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule
  3. Clarifying BAs are liable regardless of whether they have an agreement in place with the CE
  4. Defining subcontractors as Bas, clarifying that BA liability flows to all subcontractors
  5. Higher fines for failing to secure PHI

My opinion is that these amendments will stay true to these suggestions. The lines continue to blur as we look at the differences between BAs and CEs. There are rules that BAs will be expected to follow that have historically only applied to CEs. The four items above will impact BAs. However, these are also simply good business practices. More regulations, more liability, more responsibility, and more risk. A real world, relevant training program for your employees is paramount.



Comments: 2 | Reply

Return to Current Blog | Select Another Blog Archive