Skip Navigation

NAIDnotes Archives

Monday June 27, 2016

Data-related Professional Liability Coverage – Still the Wild West

By: Bob Johnson, NAID CEO

When we first spoke with underwriters about creating a professional liability policy to correct the problems with existing coverages, they freely admitted that covering data protection risks was the “wild west” of the insurance industry.
To us (and them too) that meant two things,
  1. There was a rush on to serve a new need in the marketplace, and,
  2. There was a lot of confusion about what was needed and how to word it. Another thing prevalent in any marketplace labeled the “Wild West” (as we well know), customers often have little understanding of the issues. 

Just last week, a highly regarded insurance professional reminded me that as far as they are concerned, data-related professional liability continues to be the Wild West.

Now imagine yourself running a very large insurance underwriting company. You can pick any major insurance brand. You know them all. There’s a new opportunity to underwrite emerging data-related risk, which means there’s money to be made. Who is the customer? That’s easy. They are the credit unions, banks, hospitals and universities and all of the other thousands of categories of data controllers who are affected by this risk directly. They are the big fish and they pay very big premiums for coverage. 

Oh, yeah, and if we sell a small policy here and there to a service provider, it’s all the better.

And, there’s the rub; they did not see service providers as a different animal but we are. They make products for data controllers and covered entities, and when we call to our broker, who knows even less about data protection regulations, up comes the latest greatest policy with a bow on it.

I can’t tell you how many policies I have reviewed where someone in our industry bought cybercoverage because they shred hard drives even though it is completely irrelevant. Or, they bought it because it was the only way to get breach coverage or extortion coverage, even though neither would be applicable to anything resulting from their destruction or storage services.

And, now we're seeing policies where the data-related coverages require the use of some internal team that manages the breach. It is understandable why they would want such control but it is simply not applicable to service providers. The service provider has little or no control since their regulatory obligation is limited to informing the data controller that hired them. You can’t go to the hospital and say, we’re covered but our insurance company requires your hospital to let our breach management team to take over control.

The Wild West was eventually tamed and so we may see insurance companies come around. Already we have seen them remove sublimits on data breach coverage – something Downstream Data Coverage did 5 years ago.

We’re also starting to see policy language clearly stating that the acts of rogue employees are covered – though even that clarity is still quite rare, again something Downstream led the way on.

Downstream Data Coverage will eventually cut premiums significantly when it converts to a captive program. For now, all we have to offer are very competitive rates and coverage that actually does what is supposed to do.



Comments: 0 | Reply

Wednesday April 27, 2016

Do this! Show professionalism, Build loyalty, Add revenue

By: Bob Johnson, NAID CEO

I am easily distracted. I was in the middle of writing a draft of the 3rd chapter of the forthcoming Information Disposition textbook on the problems associated with the creation of duplicate records when it occurred to me that it’s springtime. It also occurred to me that tax season just ended.

Duplicate records are those that are either direct copies or contain the same information as retained records that are subject to an organization’s records retention schedule. Since one of the reasons for having a records retention schedule is to eliminate information no longer needed, duplicate records are a pretty big problem because the information still exists.

Let’s say a company is served with a discovery order (technically it is a subpoena), which happens in just about any legal proceeding; often in audits too. Of course, any records were appropriately destroyed cannot be produced and everybody understands that.

But what if the sales manager squirreled away those same records unbeknownst to the organization. The organization just perjured its discovery response. Those duplicate records undermined one of the most important reasons for having the retention schedule in the first place.

As an information disposition professional, you have a great opportunity to help your client; to show you are more than just the owner of a piece of equipment.

It goes something like this…

Dear valued customer, as your information security professional we feel obligated to remind you that the paper and electronic records - email printouts, old computers, binders, duplicate forms and reports, etc. - that you and your colleagues may have collected over the past year have the very real potential of undermining your company’s records management and information security program. We are happy to explain further if you’d like.

As your secure destruction service provider, we have an easy solution. Think of it as a spring cleaning.  It’s not expensive and we can do it on our regular route.  In fact, not doing it could be much more expensive. Let me know if you want to discuss it. We simply felt it was our professional responsibility to bring this risk to your attention.

If they agree, you then prepare a communication for the customer’s employees, explaining that the organization has a policy against retaining duplicate copies of controlled records, even though they understand it happens naturally through the course of the year.  It also explains that they first week of next month, there will be extra bins for any paper records and separate bins for old electronics they don’t use anymore.

You might get a windfall if they have never done before, you might not. Regardless, however, you did your professional duty by bringing it to their attention. Raising the issue might put you on the radar of a higher level decision maker who appreciates that you have their back.


Comments: 0 | Reply

Thursday February 4, 2016

Trends in Secure Destruction Around the World

By: Bob Johnson, NAID CEO

It’s rarely a good way to start an article, but I would be remiss if I did not begin with a disclaimer.  My knowledge of what is happening in the secure destruction marketplace around the world is shaped on my interactions with NAID members located there as well as the number of service providers there concentrating on secure destruction as a standalone business. In fact, the ability for secure destruction to exist as a standalone business with dedicated operators focused on it, as is the case in Canada and the United States, is one of the main milestones in market development. Certainly, there will always be a significant number of destruction service providers operating from broader operational platforms, typically recycling or records managements, but the number and success of the dedicated secure destruction service requires a broad customer population indicative of a well-recognized need.  It is the extent to which that consumer market exists which determines for me where that market is in terms of development and opportunity.

Up to now in this series, I have lumped the U.S. and Canada together when addressing market opportunities in North America. That said, it would be a mistake to view Canada being at the same stage of market development as the U.S. even though markets like Toronto and Calgary have known and supported good, well-established, dedicated service providers for decades. In fact, the success of the sector there is largely due to its long history. Outsourced secure destruction services options have simply been there enough that it has grown to a high degree of acceptance. It is that visibility rather than regulation that seems to have led to its popularity.  The regulatory environment in Canada is relatively lax.  As a result, we still do not see the denser route service models in Canada that we see in the U.S. Given a stronger law or a round of severe penalties and it would catch up quickly. I personally think such escalation is inevitable and so I would say the Canadian market is 5 years behind the U.S. market in demand creation.

Space doesn’t permit an in depth examination of the market conditions in a large number of countries. Even looking at regions of the world I am relegated to generalities. 


North Europe is also a well-developed market. That being said, a decades of focusing on recycling, lower incidents of ID fraud, and zero regulatory enforcement have led to stunted demand for secure destruction services. In addition, the aforementioned reasons along with the cost of fuel (historically) and tighter streets, have lowered the adoption of mobile shredding. The United Kingdom is the fastest growing market of demand and expansion in mobile shredding. Germany and the Netherlands has a strong base of service providers, however the majority of demand for most destruction comes from purges leaving much room for development of densely routed weekly service should it arise. Secure destruction in Northern Europe is still primarily provided by companies with major recycling operations and information destruction is an ancillary line of service rather than an exclusive, stand-alone business.

The countries of southern Europe do not yet have a solid customer base, even for purge business. What appeared promising 10 years ago evaporated in tough economic downturn facing the region ever since.

If the proposed European Data Protection Regulations becomes a law, and if it is enforced, demand has room to grow sharply. While the established service providers in the north are positioned to benefit well, the opportunity in Spain and Italy will fall the few there now and the inevitable startups that will result.

Australia and New Zealand

Conditions for secure data destruction to grow in Australia and New Zealand are very promising. Though not many, there are secure data destruction services making a go of it in most major metropolitan areas. Again, there is nothing yet like the densely routed milk-runs in the U.S. but the potential is there. Further, because the firms that are well positioned to capitalize on this future growth are strongly backing NAID Certification standards at an early stage, they may as well have a more stable environment as the industry matures and demand increases to its full potential over the next decade. Certification is quickly becoming a market requisite in the region and it appears this will be the case before the market expansion instead of afterward as it was in the U.S.


Japan is like Europe insofar as decades of heavy emphasis on recycling office paper and an even more pronounced lack of ID fraud have prevented a secure destruction industry from developing. What you have now are recycling companies that view security shredding as minor and almost irrelevant ancillary service.  Furthermore, the long history and large network of paper mills in the region have reinforced the recycling alternative as an option. This is only exacerbated by the fact that there is virtually no current demand for routed, routine secure destruction service.  Purges are not viewed as a security issue but rather a recycling issue. The Japanese government recently created a national identification scheme and data protection regulations are improving as well. There are many good business people looking to develop the secure destruction service model that has emerged in the U.S. but it will take many years and they must overcome the challenges facing them. I get the impression the good operators will carve out a decent living on decent margins, and while developing the routed service model will be more difficult, they will not contend with the avalanche of competition that results when selling the service gets too easy.

I don’t have a good handle on what is going on in the major metropolitan centers of continental Asia, Africa or South America, or in countries like Mexico and South Africa. They have massive potential client bases, however, not much in the way of a visible secure destruction industry.

I often tend to look at the industry around the world at markets in terms of how long ago the U.S. was at the same point. Japan is where the U.S. was 20 years ago. Australia is where the U.S. was 10 years ago. That’s unfair though because it suggests the evolution will be the same; that it is only a matter of time.  That fact is that the U.S. did not have a well-developed recycling ethic. The U.S. did have an ID theft epidemic and as a result, stronger information disposal laws. Just because Japan is where the U.S. was 20 years ago, doesn't mean it will ever be the same as the U.S. market just like it doesn’t mean it that it could not catch up in 5. There are just too many variables.

Electronic data destruction

A word about electronic information destruction before I close. In many ways the evolution of secure data destruction of electronic information has mirrored the evolution of hard copy destruction. Many of same factors apply - the strength or emphasis of the recycling ethic, the data protection laws, enforcement regimes, and cowboys capitalizing on customer ignorance. There is a big difference, however, in the speed of the marketplace and media evolution. Just in the last 10 years, service providers have seen the move from PCs to laptops to tablets and adapt their business models to fit the changing conditions. They have also had to contend with state funded recycling programs and OEM buyback programs and they have seen the value of memory storage nose dive and customers increasingly preferring destruction to refurbishing.

That being said, the market potential for data destruction of electronic media outside North America is largely untapped and will remain so until data security is better emphasized and enforced in regulations.

Europe, decidedly more environmentally focused than security focused, may see that model turned upside down in the coming years if the Data Protection Regulation becomes law. Still, if producer responsibility remains the focus of Europe’s environmental disposal schemes, it is difficult to see how the data destruction element will be implemented.  European data protection officials have been pointing to the counterproductive impact of the WEEE Directive on data security for more than a decade. It remains to be seen how that tug of war will be resolved.

The rest of the world appears to be following the European model at this point in time. All I can say is that given the speed and dexterity of that business, that could change at any time depending on the political and regulatory winds.



Comments: 0 | Reply

Thursday February 4, 2016

Common Denominator - Who attends a NAID Conference?

By: Bob Johnson, NAID CEO

As the secure destruction industry gets ready for another successful NAID Conference - its 22nd, it occurred to me that the thousands of people I have met there over the years share many traits that have led to their continued success.  And, since members’ success is the whole reason for NAID to exist, it would be worth sharing those observations. After all, social scientists have proven that the best way to succeed is to do what successful people do.

They have faith in themselves.  Whenever someone invests in themselves, it means they have confidence in their ability. It’s really neat to be surrounded by people who have that kind of faith in themselves; the bravery to achieve by hard work, improved knowledge and a strong network of others around the country with similar beliefs and ethics.

They are learners. The NAID Conference is a place for people who understand that they don’t know everything and that their industry network could always be improved. It is so refreshing to be with kindred colleagues that realize the one new idea could make or save them tens of thousands of dollars.

They are professionals. Some people confuse being a professional as someone with a diploma or a suit and tie. But being a professional just means taking clients’ trust seriously and it means knowing more than your client does about what they need. I sure like rubbing elbows with people who take an ethical and professional approach to their job. Not just because I do, but because I know they are that way about everything they do.

They value relationships. There is no better sight for me than to see hundreds of industry professionals sharing experiences, defending a position and laughing over a joke. I like it because I know it leads to more business for them. I’ll bet almost every conference attendee can say they have gotten some referral, contract, or subcontract from someone they know through a NAID Conference.

They are positive. There is only one way to say it; a NAID conference is full of the most positive people I have ever met. Lord knows, we all have to deal with negative people. It’s just life. But for whatever reason, I don’t run into them at a NAID conference. Now answer this; who’s gonna be more successful, a positive person or a negative person? Science answered that question a long time ago. The positive person is going to be more successful and you’re more likely to be positive if you surround yourself with positivity.

Is it any wonder I look forward to every NAID conference?

Is there any confusion about why people come back year after year after year?

I can’t wait. Who could?


Comments: 0 | Reply

Thursday January 28, 2016

Emerging Trends in the North American Data Destruction Market

By: Bob Johnson, NAID CEO

This is the second of three articles on current aspects of the secure destruction market we face going into this New Year. The first published in this blog on Jan. 6, discussed the prosperity awaiting service providers assume a professional approach to their services and their marketing.

In this article, I want to elaborate a bit on trends I believe we will see gain momentum over the coming year in North America. I limit the discussion to North America, because the markets in other regions of the world face very different trends and opportunities.

Trend #1: The Professionalization of our Industry: Of course, I spend the entirety of Part 1 talking about this issue, and how service provider expertise and qualifications factor into it. So, rather than repeat myself, I’ll just say that if you haven’t read the first blog, you’re missing the BIGGEST piece of the picture. 

But, if you already read Part 1, here are some other trends I see unfolding in North America….

Trend #2: Customers’ increasing reliance on certifications - for NEW reasons: Customers have been relying on service provider certifications for years. Up to now, however, it’s because they got peace of mind from it. But now they need more than peace of mind; they are required to make sure vendors are compliant with things like incident reporting, risk assessments, employee training, whistleblower and breach notification policies. That is the real value of certification and it leads to another trend that will emerge from it; customers will now be doing due diligence on the Certification Program as their primary vendor selection criteria. The number of calls and emails I get from customers asking if NAID Certification verifies compliance in one area of another has increased 5 fold in two years.

Trend #3: Particle size will become more of an issue: No data protection law on books specifies a particle size for paper or hard drive destruction. Instead, they state that particle size must be reasonable. And, while it is common knowledge among industry professionals that the closed-loop and large processing capacity of commercial services makes a larger size a reasonable solution for destruction, many customers don’t understand or accept that logic. Faced with increasing pressure due to data protection liability, they will increasingly be drawn into the particle size discussion. Some service providers will have the wherewithal to make those customers comfortable with the larger particle size, but many will not. Furthermore, there will be some service providers who actually want to encourage a smaller particle size as a market distinguisher. No matter where you are in the continuum, it is safe to assume industry professionals will be dealing with this issue more in the coming months and years.

Trend #4: Acquisitions will speed up: One or more large companies in the secure destruction arena are poised to grow through acquisition; in fact, you could argue they are under pressure to do so. As a result, it is safe to assume there will be renewed interest in acquiring good service providers. It is also reasonable to think that regional alliances could lead to mini-roll ups in an effort to create a more valuable acquisition target for those larger firms. It’s not rocket science; it would be very valuable to a large firm to do one deal of integrated operations than to do 15 separate deals with disparate operations. The only question on the speculation regarding mini-rollups is whether or not anyone has the wherewithal to pull it off.

Trend #5: Those in windshield markets will continue to do well: While the number of competitors in the continent’s metropolitan areas compete intensely, many service providers have built great businesses in rural markets; markets that, up until 10 years ago, could not even support a destruction business. Left unfetter while demand steadily increased, these farsighted prospectors have built solid businesses on good margins and continue to grow. Better yet, due to the nature of those markets, the territories are well defended and not attractive to new entrants. It was the same strategy Walmart used back in the day and it worked.

Trend #6: Customers will become more receptive to destroy-all programs:  Many customers still give employees discretions on what should be destroyed and what can be tossed or recycled. Of course, it is very risky, even fool-hearty, to give every employee the ability to put the organization in jeopardy. The increase in data protection liabilities will result in management replacing employee discretion with a policy that requires all discarded information to be destroyed.

Trend #7: The quality of a service provider’s professional indemnification will become of increasing importance in the buying process: Clients are beginning to understand that transferring unlimited liability to the service provider is not in their best interest. However, as they realize the more sensible approach is to set a reasonable liability limit for which the service provider is indemnified, the quality of that indemnification becomes their new focus. The trend is well underway and will continue in earnest over the coming months and years.

That’s it for now. I’m happy to hear from anyone agreeing or disagreeing with me. I’ll be back soon with Part 3 on industry market trends around the world.


Comments: 1 | Reply

Thursday January 21, 2016

Coaching Sales People into Sales Champions

By: Ray Barry

Two of the main reasons some salespeople fail are:

  • Lack of initial sales training and support
  • Lack of ongoing support and COACHING.

Every great athlete believes in having a coach to help them get better and improve their game every day. Look at top tennis professionals and golf professionals. Sales and business is no different. The best sales people are the ones who have been coached to become great and want to become the best at what they do. They have an “inner drive” to want to get there. If you are a destruction business owner, you can be that coach!

It all starts though with finding the right candidates for your organization or asking yourself, “Does your existing sales staff have what it takes to become great with the right coaching?” 

What are the qualities of sales superstars?

Sales superstars are:

  • Coachable
  • Goal oriented
  • Internally motivated
  • Have a positive attitude
  • Likeable
  • Good listeners and good communicators
  • Professionally persistent
  • Challengers

If you or your sales team members have any of these qualities, then they can become better and produce more with effective coaching. There is a huge difference between managing and coaching.

Also, how you manage their activity and hold them and (yourself) accountable plays a pivotal role on coaching your sales person into a sales champion.

Sales training is what’s needed to become a salesperson; Sales Coaching is what’s needed to become a Sales Champion.

  • If you are interested in learning:
  • How coaching is different than managing?
  • What to listen for with your sales team?
  • What type of Sales professional performs the best in the information destruction industry?
  • What activity should we manage and how?
  • How to hold sales people accountable and responsible for their results
  • How to create top performers
  • And much more……..

Then join me for my session at the NAID Annual Conference on Friday April 8th at 10:00AM and also receive “The top coaching questions to ask your sales professionals today” as a take- away! 


See you there!

Ray Barry


Comments: 0 | Reply

Wednesday January 6, 2016

2016 Holds Great Promise for the Prepared Data Destruction Professional

By Bob Johnson, NAID CEO

In the book “Powerful Times” by Eamonn Kelly (Wharton School Publishing), the author describes our era as one of great paradoxes; great wealth-creation and great poverty, great abundance and great scarcity, and great opportunity and great challenges.  It reminds me of the first line of the Dickens’ classic, A Tale of Two Cities, “It was the best of times; it was the worst of times.”

It also accurately represents the conditions I see in the North American commercial secure destruction market. (It is important to specify the region, since there is such a vast difference in market maturity around the world.)

For established operators who know their way around digital marketing, who understand the regulatory requirements, who have upgraded equipment, and have the right qualifications; things are good and will only get better.  Even those who are not quite there yet but understand that they have to move in that direction have the opportunity to do very well.

It’s even true for someone new to our industry, as long as they are willing to do those things and they have resources to stay in business long enough to get traction. Established businesses that add information destruction to their line of services and that are willing to step up are best suited, however, there is no market in North America where a new service provider could not succeed if they properly commit to doing what it take. 

On the other hand, service providers who are unwilling to embrace digital marketing, regulatory issues and proper qualifications will increasingly find things more difficult. Due to dramatically increasing data protection liabilities for customers, it will no longer be an environment where one can just own a piece of equipment and have a webpage.  Oh, they will still get some customers, but that will happen less and less, and those customers they attract - customers who don’t care about qualifications - will only care about price.

It’s not gonna happen overnight, but it will happen…and by the end of 2016 that will be more apparent than it is now.

So, if you ask me if I am bullish on the North American market for secure destruction services, I have to say, “That depends.”  I am extremely bullish for the independent operator who is committed to operating like a professional – professional pricing, professional marketing, professional qualifications.  They are going to see some of the best success and best margins ever. On the other hand, I am not so very bullish for those who just want to wait for the phone to ring.


Part 2: Emerging trends in North American data destruction

Part 3: Data destruction market in other regions of the world 


Comments: 0 | Reply

Return to Current Blog | Select Another Blog Archive