
NAIDnotes Archives

Thursday December 17, 2015

Building a National Accounts Network: Following the Bread Crumbs

By Bob Johnson, NAID CEO

Unless you’ve been under a rock for the last year, you know there’s been a major shift in the market for national service providers. Any way you slice it, there are fewer options for customers looking for a one-stop shopping approach to their destruction needs.

But here’s the rub: building a network of independent service providers that can successfully attract regional and national contracts is really, really hard to do.

...But it has been done before, which means it can be done again. All we need to do is follow the bread crumbs left behind by others.

NAID 2016 will hold a session to do exactly that: a session where people on the inside of successful national marketing efforts by independent service providers will share the keys to that success.

Panelists include representatives from the leadership at The Information Protection Services Association (IPSA), who built a network of NAID Certified service providers. In addition, there is a member of the National Record Centers (NRC), which has provided independent box storage companies the ability to compete for national and regional business for decades. Beyond that, there are several members who have built their own network of subcontractors to serve the national needs of a local customer.

Anyone in the secure destruction industry who wants to learn what it takes to either build or be part of a national network of service providers that can effectively compete for large accounts will leave this session knowing what it takes to succeed and, just as important, how to avoid the mistakes that prevent success.

“Building a Successful National Sales Network: Lessons from Industry Experience on Models that Work” will be held Thursday, April 7 at 3 p.m. I will be joining Ken Williams of Shred Authority, who was instrumental in the formation of the IPSA, and Eric Haas, of A.R.M.S. Inc. and a current member of NRC, to explore this important emerging opportunity.

Click here to learn more or to register for the event. The first, most valuable discount expires Dec. 31.



Wednesday December 2, 2015

What's Happening with the Office Papers End Use Market?

By Bill Moore, President, Moore & Associates

Editor’s Note: The author will be speaking at NAID 2016 on the near-term and long-term outlook on recovered office paper, which is such an integral factor in hard copy destruction.

Here Bill shares his take on the immediate factors affecting that value. Those attending NAID 2016 will learn a lot more…


Sorted Office Papers (SOP) has been one of the weakest grades of recovered paper over the last six months. While the whole recovered paper market has been soft, SOP stands out with its falling prices. The bulk, low grades (OCC, Mixed Paper, etc.) had a strong upward price surge in the second quarter of 2015, but SOP was stable at best during the period. And while OCC and others have given up most of those price gains, SOP prices have fallen even further.

So what’s going on? Most keen watchers of the market have not reached a consensus on why the SOP market has been so soft, but there is a series of factors many agree on. Exports of SOP have been down, based on weaker global demand for the grade, Mexico generating more recovered office papers in their own country, and the strong US dollar versus the other major world currencies, making US material more expensive.

Another factor that is a reality is the use of more virgin-based fiber in the tissue sector and a printing/writing papers sector that is declining steadily in the US. The market for recycled fiber content printing/writing papers has never matured much and the need for recycled pulp from SOP has been fairly flat for years.

Several tropical regions of the world (e.g., Indonesia) are rapidly increasing capacity to produce bleached market pulp from fast-growing tropical hardwood trees. These capacity increases, coupled with reduced demand globally for printing/writing papers, have moderated virgin pulp prices, making it an attractive alternative to recycled fiber for the tissue sector (an important market for SOP).

So a combination of things has led us to where we are right now. The big question is where does the market go from here? With China’s overall demand for recovered paper staying weak, the market outlook is not a good one for sellers. However, given the low prices for SOP, it is likely that the bottom of the current pricing cycle is at hand.


Click here to register for NAID 2016. Substantial discounts are available to those who act before Dec. 31.


Thursday July 30, 2015

Thank you, NAID!

By Ray Barry, NAID Deputy Director

As my time as a NAID staff member is drawing to a close, I wanted to take this opportunity to reflect on how NAID has helped those of us who have utilized NAID’s tools and resources.

I have a bit of a unique perspective since I have been employed by active and associate members of NAID, elected to the NAID Board of Directors as a member and president, and employed by NAID for the past two years. At the end of this month, I will be working for a supportive associate member of NAID, Vecoplan, so I am not really going away, unfortunately for you!

As I move on to my next role, I will continue to champion the mission of NAID because I have always believed that the companies that utilize their memberships to the fullest are the fastest growing companies in the industry. Bob Johnson and the rest of the staff at NAID work tirelessly to continue to add value to the members and the industry. If you are curious about what you can do to fully utilize your membership, here are some ideas:

  • Volunteer on one of NAID’s committees, like the Public Relations or Conference Committees, as examples.
  • Listen in on a monthly NAID Board of Directors conference call. These are open to all members. Hear what is being discussed to stay up to date on the industry.
  • Attend one of the two face-to-face NAID board meetings. If you are already at the annual conference, it is easy to attend the meeting at the end of the conference. It is open to all NAID members.
  • Attend the NAID conference every year. It is the “Super Bowl” of shredding. You owe it to yourself and, most of all, your business.
  • Make sure all key team members get shreducated! The regional Shred School workshops are perfect for you and your team members to get better at what you do. They are accessible and affordable for everyone.
  • Earn your CSDS accreditation. Knowledge is power and knowing how you can help your clients become compliant is an essential part of your trusted adviser status.
  • Use the Compliance Toolkit and the NAID Employee Training DVD to help your clients fulfill their compliance obligations. I am surprised at how many NAID members have never used these tools.
  • Get NAID certified. Now NAID has a subsidy program to help you get certified.
  • Network, network, network with other members!

Thanks to NAID for the past two years and thanks to all the NAID members for utilizing your memberships. It has been a great ride and I will see you soon!



Thursday July 9, 2015

Not designating an accountable decision maker can be fatal

By Bob Johnson, NAID CEO

From the dawn of sales, sales professionals have struggled with the task of getting to the decision maker. It’s frustrating to discuss the benefits of a solution if the person is incapable of (or resistant to) understanding the need or, too often, incapable of making the decision. But as frustrating as that is from the service provider’s perspective, it is actually a serious risk management problem for the customer when dealing with an organization’s data security and regulatory compliance.

Every data protection law in the world requires organizations to establish clear internal accountability for compliance. In virtually every case, they do that by requiring the designation of a compliance officer. The reason this requirement is universal to every such law is that regulators know that unless there is someone directly accountable for compliance, it will not happen.

So, when there is a violation of the law or a data breach, the very first question the organization will have to answer is: Who is the person assigned with the responsibility for the organization’s compliance? If the answer to that question is “we don’t have anyone assigned with that responsibility,” the fate of that organization is pretty much decided. Sure, there will be plenty of other questions, but the fact that no one was assigned the responsibility of overall compliance means the outcome will almost certainly include the added burden of negligence. In enforcement and public relations, the determination that “negligence” is at the root of the problem is fatal. Regulators and the public are able to forgive mistakes. However, to label a mistake—especially one that puts others’ personal information at risk—as negligence makes it unforgivable. The fines go through the roof and customers head for the hills.

So, to customers: when your service provider suggests you involve your compliance officer in the discussions related to data protection, they are not trying to be difficult; they are trying to save your skin.



Thursday July 2, 2015

NAID 2016 wants your session ideas, mostly

By Bob Johnson, NAID CEO

Earlier this week, the 2016 NAID Conference Committee sent out a call for presentations for the NAID 2016 Annual Conference. Though the event is still nine months away, the planning starts years in advance. Typically, session content is something we like to get pinned down by September.

First of all, we are primarily looking for sessions you want to attend. Even if you have no idea who might give the presentation, just tell us what your biggest problems are, related to the secure destruction industry, that is.

Maybe you would like to see NAID do some research so that we could present the results at the conference. Maybe there is a topic on business management that applies to all businesses but you cannot seem to find much information on it. Maybe you would like to hear from an actual customer about how they perceive secure destruction services.

Let’s face it, there is no one better than you to design the conference content that will help you operate your business better. In fact, only you can do that. How often do you get the chance to get answers to your most troubling issues? That being said, if there is a session that you would like to present or a panel you would like to serve on, feel free to suggest that as well.

Click here to access the NAID 2016 Call for Presentations.



Thursday June 4, 2015

The market favors stronger qualifications: Success in RIM space comes from more scrutiny, not less

By Bob Johnson, NAID CEO

In the span of 30 minutes of watching TV, there was a commercial promoting Angie’s List as a source of qualified service providers from dentists to plumbers, another promoting the Trust Certified service providers for a wide range of consumer services, and finally one from the Better Business Bureau promoting the use of BBB Accredited services.

The point is that consumers are increasingly relying on certifications as their due diligence. In the records and information management (RIM) and IT asset management spaces there are a growing number of such certifications being promoted. They range from those where you simply send in a check and some paperwork, to others, like NAID’s, that are more extensive and require scheduled and unannounced onsite audits.

While inexpensive certifications with less scrutiny can be tempting to service providers, they are not likely to cause any material disruption in the industry or provide a long-term benefit to their adopters. I don’t say this because NAID’s program happens to sit on the higher end of this continuum. I say it because the reality is that the highest standard will always be favored by informed customers. 

Look at it from the customer’s perspective. If I am a customer looking at two providers, and all else is equal, but one undergoes a higher degree of scrutiny, why would I choose the lesser? In fact, if I felt someone was using an inferior certification, I might actually think they were trying to trick me in some way. The only way the lesser certification works is when the customer does not learn of the difference. That’s a pretty shaky strategy.

And, I know this firsthand. I have had that very conversation with more than a dozen customers and it takes me less than five minutes to explain it. I look forward to those conversations.

True success and change in our industry will not come from lower standards. They will come from higher standards. To learn about the depth and integrity of the NAID AAA Certification Program, click here.


Thursday May 28, 2015

Are you connecting?

By Ray Barry, NAID Deputy Executive Director

The key to accumulating a long list of loyal clients in the document destruction industry is “relationship-based” solution selling. It is no longer a transactional sale but more of a complex sale with moving parts. Anyone can quote a price for a specific service. If clients just wanted a price quote for your service, then companies would not need sales teams.

As a sales professional or business owner, your job is to educate the clients on the difference between the actual value of using your services versus the competitors’. Many times your price may be higher than your competitors’ prices. However, when you are successful at selling the value of your services, prospects perceive a difference in price and your value compared to that of your competitors. Are you able to show them the absence of value if they do not utilize your company?

In fact, more accounts are won when clients like or have a connection with their sales representatives instead of having the lowest price. Prospects will not become clients until they know, like, and trust you and you remove the risk associated with becoming a client. Your clients need to perceive a difference in you and your company that distinguishes you from your competitors so they can reap more benefits from the relationship. Most buying decisions are made emotionally then justified logically.

The most successful way for shredding business owners or information destruction sales professionals to develop long-lasting relationships with their prospects is to commit to a defined networking strategy. My suggestions are below:

  • Go where the fish are. Identify areas where your prospects are going to be and where you will be able to make a connection (e.g., industry associations).
  • Join industry associations and speak up.
  • Be friendly. Clients want to do business with people they like and trust.
  • Provide value first. The best way to breed likeability and trust is to give something of value to the person(s) you are trying to build a relationship with, such as a lunch ‘n’ learn or breakfast briefing.
  • Identify related services (e.g., records storage, document imaging, medical waste) in your market and match your prospect’s growth strategies to yours.
  • Engage the other person, whether a prospect or a potential partner, about their business, not about yours.
  • Find something that you have in common with your prospect or potential partner. 
  • Lead them to your solution, not with your solution.

If you want more information about this strategy, consider attending the next Shred School workshop. Click here to learn more.


Friday May 15, 2015

Clients are not data destruction experts

By Bob Johnson, NAID CEO

Unfortunately, some clients have a troublesome and risky perspective on their data destruction requirements. Namely, they think they already know all they need to know. Here are symptoms of that risky perspective:

  • The client is only interested in the price.
  • The client views any discussion about qualifications as an attempt to mislead them.
  • The client feels comfortable deciding that employee training is not necessary.
  • The client decides that developing written data destruction policies and procedures is a waste of time.
  • The client takes a certification program at face value without making sure it is solid.
  • All that matters to the client is that they get a certificate of destruction.
  • The client is confident that all employees have the willingness, ability, and commitment to determine what information needs destruction and what information can simply be recycled.
  • The client feels that all professional liability coverages are the same.

The fact is that most clients are not information destruction experts. Most clients do not have the knowledge they need to make these decisions on their own. The reason for this boils down to one thing: they do not recognize or believe that the service provider has more knowledge than they do. And, unfortunately, in most cases, they are right. When you go to the doctor, you do not tell him/her your diagnosis of your condition. You explain the symptoms, answer his/her questions and accept the advice because you know he/she is better equipped than you to do so.

Service providers who want customers to take them seriously have to take themselves seriously. Look at the list above and ask yourself if you could look a prospect dead in the eye and confidently explain how and why they are misguided in a manner that shows both your knowledge and that you have their best interest at heart.

Clients owe it to themselves and their employer to make sure they are dealing with a service provider who is a subject matter expert. To not do so is both risky and negligent.



Thursday May 7, 2015

Excuses and blame prevent success

By Bob Johnson, NAID CEO

Whose fault is it if a competitor is screwing up the marketplace with low pricing? Who’s to blame if a customer doesn’t care about service provider qualifications?

I know a very successful guy in our industry who will tell you it doesn’t matter. First, he says, whining about things you can’t control is useless. But, more importantly, he says, if the success of your business is not in your control, you should not be in business. 

When you blame and make excuses for lack of growth, you are essentially saying it is not your fault. It’s like saying “there is nothing I can do about it.” But, if that’s the case; if there really is nothing you can do about it, then all hope of success is lost. You can never be successful if that success is someone else’s responsibility.

There are plenty of NAID members who are still growing rapidly. They are in markets with many low-cost competitors and they run into plenty of customers that are only interested in price. They don’t spend time or energy complaining about stuff they can’t control, when that same time and energy could go into finding the next customer. They don’t spend their time obsessing on their shoddy competitors. They simply keep looking for customers who want their services. They find a way to be of more value to the customer. They find a way to make the customer understand the benefits of working with a professional.

Don’t worry about what the other guy is doing. If you do, you will likely watch them pull ahead as they look at you in the rearview mirror.


Thursday April 9, 2015

Address improper data disposal’s weakest link

By Bob Johnson, NAID CEO

Last year I saw a headline reading, “Study shows employees and contractors are biggest cause of breaches.” My first reaction was “that’s interesting.” My second reaction was, “Who else could it be?” Even high profile hacking cases involve employees inappropriately clicking on links and allowing the bad guys in.

When it comes to proper information disposal, or should I say, avoiding a breach due to improper disposal of protected information, the same obvious reality is at the heart of it. Knowingly or unknowingly, it is at the hands of an employee. Despite any amount of training, however, there is one lesson too many data controllers have learned the hard way. In order to maximize compliance, proper disposal of information has to be easy for the employee. 

Requiring employees to use the shredder in the copy room is not easy. So much so that it is not even reasonable to think they will consistently do it. Whether because of carelessness, workload issues, pressures outside work, or laziness, compliance failure is inevitable. Nor is it reasonable to give employees the discretion on what is destroyed or options on where information-bearing media should go. Whenever a recycling bin is next to a shred bin, it is easy to find confidential information in the recycling bin. 

The same goes for IT asset disposal. Since employees are less likely to toss out computers, it can be less of an issue. However, leaving the decision to the IT department instead of dictating the procedure through security and compliance can cause a problem. IT departments are less likely to understand the devastating consequences of missing or untracked electronic assets that could later come back to haunt the organization.

The point is that easy, failsafe, decision-free solutions developed and implemented by the appropriate and accountable department leaders are the only way to assure consistent, proper, compliant, secure information destruction.



Tuesday March 10, 2015

Feel the burn to build your business

By Amy Larrimore, Chief Executive Officer of The Gamechanger

If you wanted to get into shape and you followed the path that most people pursued, you'd join a gym. The reason people join gyms is because a gym has some version of everything needed to supercharge the human physique in multiple variations to spark motivation. Gyms realize that people are looking for the total health solution in one place so they also include things like juice bars, nutrition counselors, chiropractors and spa services. Time is the most precious commodity so the convenience of this type of packaged service greatly increases the chances you'll meet your goals.

The beauty of the gym solution is that it is self-tailoring, no matter who you are, your skill set, or your experience level. You might be the seasoned weightlifter who can rattle off everything there is to know about macrobiotics, enzymes and Tabata intervals. You might be the executive training for your first 5K. You might be a new collegiate who wants to subvert the "freshman fifteen." No matter who you are, you can find what you need to put in a good program for success at the gym.

So why doesn't this exist for building businesses? Why don't we have business gyms where we can go to tone up, shape up and supercharge our professional goals? 

I think that most executives, business owners and champion salespeople suffer the cultural idea that if a business gym existed, it would only be for people who have no idea what they need to do. I think some people might believe this is the purpose of an MBA. I think, mainly, when your job is to grow a business, to grow this economy, the last thing you have time to do is go to the gym, business or otherwise. You already know what to do; it's just a matter of doing it.

You can pat yourself on the back now because this concept is completely true. Most businesses are led by people who have a good idea of what to do and are faced with the daunting task of collecting both the time and materials into one place in order to execute the doing of it. This challenge was made famous in the South Park episode featuring entrepreneurial underpants gnomes who knew they had a great business model and that there was a path to profit; they just needed a bit of help determining and implementing the right strategy to get there.

Rest easy, the answer to what fits in Phase 2 for you and your professional goals exists and is easily implementable. Mark Twain tells us: 

“There is no such thing as a new idea. It is impossible. We simply take a lot of old ideas and put them into a sort of mental kaleidoscope. We give them a turn and they make new and curious combinations. We keep on turning and making new combinations indefinitely; but they are the same old pieces of colored glass that have been in use through all the ages.”

We've assembled our combined hundreds of years of experience working with businesses large and small to put together a program to help you find these solutions and implement them quickly and effectively. Whip your business or professional goals into shape at or at the “How to Supercharge Your Smart Business” session at the NAID 2015 Annual Conference and leave with a personalized plan and the tools you need to get back in the game.



Thursday February 26, 2015

How to prepare your customers for disaster

By Heather Shimala, Document Recovery Account Manager

“Prepare for the unknown by studying how others in the past have coped with the unforeseeable and the unpredictable.” - Gen. George S. Patton

If only we truly learned from our mistakes. What a novel idea, right? I’ve spent the last 15 years in the information management evolution, from the introduction of HIPAA to the recent security breach you read about on your LinkedIn feed. You’d think that we would have learned the importance of securely disposing of a record. Sadly, that isn’t always the case.

It isn’t uncommon for me to get a call from someone saying, “you haven’t seen anything like this before.” Sometimes I am caught off guard, like when I got a call about a raccoon massacre taking place in a storage container behind a client’s building. There was blood and other unmentionables on all of the records that were under a legal hold. I get those types of calls. Or, the time a psychiatric hospital called me about a patient (frustrated by the day’s activities) who poured bottles of bleach all over onsite records. I get those calls too, and usually I can help them.

The calls that I look forward to getting are the calls that we can all help with. These are the day-to-day losses that occur that we hear about on the news or read about in the paper, including a local office that caught fire or a pipe that broke on the 10th floor of a building damaging all of the company records. These are the calls that your customers need to be making to you. Unfortunately, often we find out after the fact, when it’s too late to help them, that records were improperly disposed. Often, it’s an anxious facilities manager or a janitor that does not know better and sends the records to the local landfill.

Your customers know that secure records need to be properly destroyed using NAID’s guidelines. They comply with the compliance laws for shredding. However, something changes when a loss occurs; things become emotional and chaotic. Your customer might tell you that the wet or charred records do not have identifying information on them. Or, they might tell you that the records were damaged in an “event” and can be disposed of. Would they dispose of secure records normally? In almost every case, the answer is no.

As information management professionals it is our job to educate our customers. We need to help our customers think about the unthinkable and how they should prepare for these events. Who is notified when documents are affected? Who do you call? What do they need to do? We can help them plan and prepare so they aren’t dealing with something much worse after the loss occurs.

The situations I mentioned above came from real clients who weren’t sure what to do. Should they destroy everything? Destroy half and recover the rest? You can help them. You just need to start the dialogue between your customers and your team to provide solid solutions. 

To hear more about this topic, attend Heather Shimala’s session, “Disaster Strikes, Now What?,” at the NAID 2015 Annual Conference on Friday, March 20 at 4 p.m.



Thursday February 19, 2015

Stuck on the hamster wheel?

By Tom Adams, Chief Marketing Officer for Flourish Press

Do you feel like you live on a hamster wheel every day in your shredding and destruction business? Do you run and run and run just to keep up with the endless barrage of things you need to deal with such as operations, staff, ongoing certification and compliance, marketing, sales, and financial management?

And then, there are the unexpected occurrences like equipment breakdowns, staff departures or ugly financial surprises. If you are like many other entrepreneurs, you’ve undoubtedly got the never-ending, always-growing to-do list in your head augmented by all of the other things you want to do and accomplish in your life.

To stay on top of it all, you keep running; there seems to be no other way. And a lot of the time it feels like the constant running, long hours and stress associated with it all is too high a price to pay in exchange for the results you are getting. Somehow you know there’s a better way. But the hamster wheel is habitual. And it’s scarier to get off than to stay on it. It’s certainly not the life you hoped for when you started your business.

The difficult realization is that you are on the hamster wheel because of the way you’ve been thinking until now. Your thinking affects the actions you take every day. The act of getting on the hamster wheel and running around in circles is a result of a belief you have about what you should be doing in your business - a belief that is not serving you very well right now.

To get off the hamster wheel requires a different type of thinking about your role in the business. To get the results you want, you have to make a change.    

On Saturday afternoon at the NAID 2015 Annual Conference, I’ll share my own struggle with the hamster wheel and provide some of the important lessons I’ve learned along the way. If you are frustrated with what’s happening to you, please join me for my presentation, “Results Expected,” and some candid conversation about practical ways to change the outcomes you’ll get in your life and business. My goal is for you to leave this session invigorated and inspired with a clear agenda for moving forward. In fact, it just might change your life.

Tom Adams is an executive coach and adviser. He is also the author of the Amazon bestseller, “You are the Logo.” He owns a web marketing company, WebVitality, and is the founder and Chief Marketing Officer of Flourish Press.



Monday February 16, 2015

Keeping it simple: Plan, execute, evaluate

By Joe Harford, founder of Reclamere

All machines need some sort of oil to run. This is no different when it comes to the machine that produces revenue for your company or organization – sales and marketing. The oil of your sales and marketing is your plan. Each sales call and marketing task needs to be calibrated so it can work with maximum efficiency. By identifying certain challenges ahead of time, you can plan accordingly. Planning, executing and evaluating your resources allow you to move forward as a properly calibrated sales and marketing machine.  


A relationship forges between marketing efforts and sales growth when you start with a plan. A well thought-out, written plan will reveal areas of opportunity and predict potential gaps (or areas for concern) in growth. That way you can allocate money and resources accordingly.  


Once the strategy is agreed to, you have to begin executing the plan. The plan or strategy certainly acts as a guide, but sticking to it is something else completely. Get excited about your plan and picture the outcome. Schedule tasks as benchmarks to make sure you hit your goals. Share with your entire team (not just sales and marketing) to create accountability.


And lastly, be sure to step back and evaluate your plan in action so you can recognize successes and make necessary changes. Look in the mirror to get a true assessment of how things stand. By taking an honest look at where you are, you will be able to identify where you are not, and how to proceed. 

There are many challenges in sales and marketing, with no quick fixes. Knowing how to plan, and then how to work your plan, is your best bet for growth. Planning will take out the guesswork and keep you on track running your business. Have the guts to follow through and you will succeed.

“A goal properly set is halfway reached.” – Zig Ziglar

Join me at the NAID 2015 Annual Conference in my session, “Building the Marketing and Sales Machine,” at 11:30 a.m. on March 21.



Thursday January 29, 2015

Data breaches: Are they good for business?

By Tom Dumez, President of Prime Compliance

We have all read the stories: a large retail store has a data breach, a large home improvement store has a breach, a large U.S. post office has a breach, a large motion picture company has been hacked, and the list goes on and on. Nowadays, data breach news stories are almost passed over by consumers because they happen so frequently. Nobody really pays attention to them unless they are directly impacted. And even then, most people have an “Oh well, it’s not really a surprise” attitude about them. But are these breaches good for your business? They should be.

If the staff of your organization is educated in the importance of really protecting data, then it is likely you have seen an uptick in your revenue as a direct result. Regardless of whether you are in the records management business (protection of information) or the document destruction business (proper disposition of information), or your company happens to do both, if compliance is used as an integral part of your sales process, then you likely have seen some good (and related) growth. If you haven’t seen growth in your business, then it doesn’t necessarily mean that your sales staff is undereducated. It merely means that, positioned properly, you can in fact grow your business as a direct result of some well publicized data breaches.

Here are some questions to ask yourself with regard to your sales staff. Does my sales staff:

  • Know the damage that the bad publicity as a result of a breach can cause? If not, then they would likely have a hard time convincing a prospect of this.
  • Know the costs of the associated legal fees? If not, then they would likely have a hard time convincing a prospect of this.
  • Know that each state’s attorney general (SAG) is now financially incentivized to investigate all HIPAA complaints? Know that the lion’s share of the fines and penalties (the SAG’s incentive) recovered largely stays within that state? This is why they will go after companies that cause breaches. If not, then they would likely have a hard time convincing a prospect to trust you and use your services. Why? Because they may be unable to convince other people that your company truly knows the laws, that your company knows how to protect themselves from data breaches as much as possible, that the company’s employees have been properly trained, and they know and understand the responsibilities and potential liabilities for failing to do so.
  • Know your state’s requirements (or federal requirements, whichever applies) for record retention? If not, then they will likely have a hard time convincing prospects to choose you.
  • Know that shredding has repeatedly been stated as a proper form of disposition of information? If not, then it is unlikely that they will be able to convince a prospect that shredding is important.
  • Know how to intelligently speak of an incident response plan that should be in place at every company? If not, then it is unlikely that they will be able to convince a prospect of this.

The reason that I bring up the incident response plan is this: I have been asked to do a session about it at the NAID 2015 Annual Conference coming up in March. It will be held in Grapevine, Texas. Look me up in Texas in my session, “How to Create an Incident Reporting Process” on Friday, March 20 at 3 p.m.



Thursday January 22, 2015

It’s illegal to hire data destruction services on price alone

By Bob Johnson, NAID CEO

Let’s just say ABC Corporation hires a data destruction service because they are the lowest price. It does not take a lot to imagine that scenario, right? It happens all the time – maybe most of the time.

It also would not surprise anyone that the lowest bidder might also cut corners on security. As fate would have it, our low bidder causes a data-related problem for ABC Corporation and now the state attorney general and other state and federal regulators are investigating. 

In every one of the inevitable interviews and depositions that follow, one of the first questions will be: “On what basis did you select the company that caused the problem?” If the answer is that the service provider was selected because they were the lowest price, “it’s all over but the crying,” as they say. The proverbial “book” is about to be thrown. Why? ABC Corporation violated one of the most important requirements of all data protection regulations, namely, the legal requirement to demonstrate due diligence when selecting vendors to handle personally identifiable information.

On the other hand, had ABC Corporation done their vendor selection due diligence, although they might not be held harmless, there is little doubt that things would go a lot better for them. As it stands, however, ABC Corporation violated the law by hiring a service provider on just price and will likely experience the full measure of the regulatory consequences.


Thursday January 15, 2015

Mission critical: Examination of new data protection laws

By Dr. Ross Federgreen, CSR CEO, CIPM, CIPP, European Privacy Association

More than half of U.S. states today have enacted data protection laws and regulations, growing from just 15 states a year ago. Federal and international authorities also impose obligations on organizations to provide security for the legally protected personal information or personally identifiable information (PII) of their residents.

Warning for your business customers

Failure to plan can destroy reputations and severely hurt productivity and future sales. Penalties for noncompliance can include fines, civil and criminal prosecution, even leading to jail time and business closure.

Business opportunity for NAID members

As providers of information governance solutions, including destruction, NAID members are in a unique position to provide their customers with new offerings that create recurring monthly revenue streams as part of a package of security services to help their customers meet ongoing, mandated legal requirements. Risk assessment, remediation, and incident response planning are just a few turnkey services that can be incorporated to meet the needs for comprehensive plans to safeguard data.

Customers must develop information security programs now

Your business clients all have employees, customers or vendors. The majority of states have data protection laws and your business client should quickly review these and continue to watch for evolving legislation to determine their best response strategy.

Forty-seven states, three U.S. territories and the District of Columbia all have laws that address issues of data loss, including penalties, customer notification, and reporting requirements. Realizing that breach laws didn’t make a significant impact, most states have also passed data protection legislation.

Federal laws including HIPAA/HITECH, Gramm-Leach-Bliley, and COPPA have a broad impact on data protection. State data protection laws apply to all industries interacting with residents in their states.

These state laws vary in detail and definition of PII across dozens of types of PII data, from social security and driver’s license numbers, birthdates, credit/debit card and bank information to ZIP codes and email addresses, for instance.

Common requirements of state laws

Other state laws share these requirements of the Massachusetts data protection law:

  • Designation of a responsible individual or group
  • Risk assessment
  • Policies and procedures
  • Employee training
  • Restricted access
  • Regular monitoring

Penalties for noncompliance

Here are just a few examples that might give us an indication of future enforcement of data protection laws:

  • A former UCLA Medical Center employee was sentenced to jail time for accessing and looking at private medical files.
  • Massachusetts General Hospital reached a settlement for $1,000,000 after an unencrypted laptop was lost, which contained only 192 patient records.
  • A loss of 100 records from one location of Lifetime Fitness could mean $120,000 in fines between the Texas State Attorney General’s enforcement of the Identity Theft Enforcement and Protection Act and the Deceptive Trade Practices Act.
  • Recent court rulings in Massachusetts mean retailers collecting ZIP codes in card transactions can be open to class action lawsuits.
  • A hospital in Rhode Island paid a $150,000 fine for failing to protect the information of Massachusetts’ residents.

See CSR’s “Best Practices for Managing Personally Identifiable Information” for a free step-by-step guide with guidance on processing PII. Dr. Federgreen is CSR’s CEO and founder. He is honored to present “The State of Data Breach Reporting,” Saturday, March 21, at 8 a.m. during the NAID 2015 Annual Conference and Expo.


Thursday January 8, 2015

Why a 'destroy all' data disposal strategy is the only reasonable option

A "destroy all" data disposal strategy is the only safe and reasonable option. For instance, at our organization, I have no control over our firewall. Emails are scanned to remove harmful links. It would be very difficult for any employee to circumvent these data protection measures. I think most people would agree that the more automatic or foolproof we can make data protection, and the more we take out the human element, the better.

I am always surprised by the number of organizations that leave it up to the frontline employees to decide what discarded media should or should not be destroyed securely when it is discarded. Information disposal is an area of data protection where every employee has the capability of inadvertently putting an organization at tremendous risk. It’s borderline negligence to have a policy that allows every employee to determine what needs to get shredded or what computers need to be destroyed. And yet, as secure destruction professionals, we see this all the time. Employees are told where the shredder is located and advised to use it when necessary. Or employees are given a waste basket, a recycle bin, or confidential shredding console and instructed to make sure the right stuff goes in the appropriate bin.

Under this scenario, the organization is literally putting its regulatory compliance, client privacy, and intellectual property rights in the hands of employees, who are usually not held accountable for their decisions, who have no stake in their choices, who have little understanding of the risks, and who are pressured to be as productive as possible. 

In this day and age, that is not even borderline negligence; it is pure negligence. Imagine being audited or deposed after an incident and having to admit that every employee has the discretion to make such an important decision with no way to hold them accountable. This response would be devastating to the organization. 

Given the risks, given the regulatory consequences, given the loss of reputation and intellectual property rights, the only reasonable course of action is to destroy all discarded media. The cost is so low, especially when compared to the consequences, that any other choice would be deemed reckless at minimum and almost certainly legally negligent.


Comments: 2

Phil Markert, January 20, 2015 4:47 pm

I would be interested in hearing your results in obtaining agreement to sanitize (vs destroy) from federal government customers.
