With identity theft on the rise and costly data breaches in the headlines, most companies understand the importance of properly storing sensitive documents.
The importance of destroying those documents, however, is often overlooked. Just as sensitive records must be securely stored while in use, they must be securely disposed of at the end of their life cycle. When discarded improperly, both paper files and digital records are at risk of falling into the wrong hands.
Partnering with certified information management companies can help ensure that documents are disposed of safely and in compliance with state and federal privacy regulations. But, how do you know which vendors are qualified to handle your employees’ and customers’ most vital personal information?
That’s where NAID comes in.
What is NAID Certification?
The National Association of Information Destruction—or NAID, for short—is an association responsible for setting standards for the data and information destruction industry. Recognized internationally by both the private sector and government organizations, NAID provides guidance for the disposal of paper and digital records.
NAID members are invited to apply to the NAID AAA Certification Program, a rigorous process that ensures destruction companies are in compliance with the complex web of government regulations surrounding information security.
“By using a NAID AAA Certified company to destroy your information, you are performing your due diligence in selecting a vendor, which is required by all data protection regulations,” says Katie Mahoney, the Director of Certification for i-SIGMA, NAID’s parent organization.
How Companies Get NAID Certification
Certification isn’t simply a matter of paying a membership fee and attending a seminar. To become NAID AAA Certified, data destruction companies must undergo the following:
- Scheduled inspections by NAID auditors to assess the security of confidential material throughout all stages of the destruction process, from handling to storage to disposal
- Unannounced audits to ensure ongoing compliance
- Extensive, three-level background screenings to verify that no employee has a criminal record related to information theft
If a company is discovered to be noncompliant, the Certification Review Board institutes remedial training. However, repeat violations and serious infractions result in dismissal.
“NAID AAA Certification gives the customer peace of mind,” says Mahoney. “The customer knows that their material is being handled by a company that has been audited by the foremost standard setting body for the information destruction industry.”
Why NAID Certification Matters
So, why does NAID certification matter? Simply put, failing to properly secure data is expensive.
When you hire an under-qualified vendor, or take on the responsibility yourself, you do more than put your employees and customers at risk—you jeopardize the financial wellbeing and future of your business.
As we’ve seen in recent years, data breaches involving employee and customer information can result in costly lawsuits. In 2018, Yahoo infamously agreed to a $50 million settlement—after spending $35 million in lawyer fees—for a breach that compromised the identities of more than 200 million people.
While the Yahoo case made headlines for its extreme numbers, even smaller-scale breaches can be debilitating for businesses. According to a recent study by IBM and the Ponemon Institute, the average cost of a data breach is $3.86 million.
Anthem’s 2015 breach resulted in paying a $16 million settlement, breach hit 79 million people. In 2017 they settled the class-action suit for $115MM. This was due to hacking as well as a physical theft due to improper disposal.
Rite-Aid suffered a similar setback in 2010 and had to pay a $1MM settlement when they failed to meet HIPAA requirements for improperly disposing of documents and PHI. Simply because ‘dumpster divers’ were able to access that information.
Even in the absence of a breach, lax data destruction policies can be expensive. From HIPAA to the Fair Credit Reporting Act, a number of state and federal laws mandate that companies properly dispose of data, and missteps can result in steep fines and penalties. To maintain compliance, it’s essential that your data destruction partner is up-to-date on all government regulations.
The Future of Data Destruction
In the digital age, we’re creating more data than ever. With every form completed, order placed and application submitted, companies gather unprecedented amounts of information about their customers and employees.
The data influx isn’t slowing down. In 2018, Google conducted 3,877,140 searches every minute of every day, according to a study by DOMO. By 2020, it’s estimated that for every person on Earth, 1.7MB of data will be created every second.
While this information can yield valuable insights for companies, it’s more important than ever to properly manage data over the entire course of its life cycle. By working with a NAID AAA Certified data destruction vendor, companies can take an important step in maintaining compliance and protecting their employees and customers.
Stay tuned for our upcoming blog around maintaining data privacy standards through the PRISM Privacy+ certification program. The PRISM program is vital for companies why rely on partners to help manage their physical storage, hard-copy records, and offline removable computer media.
About the author
Jordan Peace serves as the Vice President of Corporate Development for Access. As Vice President of Corporate Development, Mr. Peace leads all mergers and acquisition activity, assisting with the on-boarding of new acquisition partners and clients.
Mr. Peace has also been an active board member for PRISM International, now I-Sigma, promoting Privacy+ and NAID standards to members, companies and colleagues in the RIM space since 2017.
Mr. Peace has worked in the records and information management industry for 8 years, where prior to joining Access, he worked as an advisor in the investment banking industry to shredding and records management companies.