Shred America | Shredding Industry Knowledge

The Reason Shred America Takes a Global Approach to Compliance

How Shred America’s global approach to compliance helps major corporations live up to their compliance claims.
_______
Question: What do the following US corporations have in common?
Airbnb, Adobe, Amazon, American Express, Apple, AT&T, Boeing, Chevron, Citibank, Cisco, Coca-Cola, Dell Technologies, Dropbox, eBay, ExxonMobil, Ford, General Motors, Goldman Sachs, Alphabet, HP Inc., IBM, Intel, Johnson & Johnson, JP Morgan Chase, LinkedIn, Mastercard, Meta, Microsoft, Netflix, Oracle, PayPal, PepsiCo, Pinterest, Procter & Gamble, Qualcomm, Red Hat, Salesforce, Snap Inc., Spotify, Stripe, Tesla, X, Uber, Verizon, Visa, Walmart, Zoom.

Why & How Shred America is Responding to New State Privacy Regulations

Shred America’s clients are rightfully focused on their core competencies. That’s how it’s supposed to be, and it is how all organizations should operate.

Our focus at Shred America is on providing state-of-the-art, compliant, secure data destruction services, which, from our point of view, includes staying on top of relevant, changing regulatory requirements. Not only is this integral to our ability to provide compliant services, but it also means our clients don’t have to worry about it. When it comes to the secure disposal of sensitive information and regulatory compliance, it is our job to keep our clients informed, not the other way around.

Almost overnight, as regulations go, nineteen states have enacted new data protection and privacy regulations that grant individuals (data subjects) control over their personal information and impose a number of new obligations on the businesses to whom they have entrusted it. This trend has such momentum that we expect every state to follow suit in short order.

Our first response to any new data-related regulation is to evaluate its impact on our own compliance and on how we interact with our clients. More broadly, we also look at how it affects our clients’ overall compliance. This latter consideration extends beyond data destruction and allows us to advise clients more generally, keeping them on the right side of the law. Of course, this is only possible because Shred America closely tracks regulatory changes and has the acumen and credentials to conduct such evaluations and provide such advice meaningfully.

For Shred America, the response to new state regulations required two steps. First, we modified our public-facing privacy policy and our operational (processing) policies to acknowledge and cooperate with clients’ new data subject rights obligations. Second, we executed a Data Processing Agreement (DPA) with all our affected (state-specific) subcontractors. The DPA, which ensures processors’ assistance in fulfilling data subject rights, is a specific new requirement (not unlike HIPAA’s business associate agreement).

For our clients and prospects, depending on the states in which they operate, their size, and the nature of their business, Shred America is actively offering tools such as a sample DPA (now required of all their data processors), answering questions, and helping them determine how to prepare for their new obligations and the fulfillment of new data subject rights.

Is this above and beyond our duty to our clients? Clearly, we don’t think so. We believe our clients and prospects should expect no less.

Contact Shred America today. We’d love to answer your questions and explain how we can help.
________

New State-Level Privacy Regulations

The California Consumer Privacy Act, as amended by the California Privacy Rights Act
Colorado Privacy Act
Connecticut Data Privacy Act
Delaware Personal Data Privacy Act
The Indiana Consumer Data Protection Act
Iowa Consumer Data Protection Act
The Kentucky Consumer Data Protection Act
Maryland Online Data Privacy Act
Minnesota Consumer Data Privacy Act
Montana Consumer Data Privacy Act
Nebraska Data Privacy Act
New Hampshire Senate Bill 255
New Jersey Senate Bill 332
Oregon Consumer Privacy Act
Rhode Island Data Transparency and Privacy Protection Act
Tennessee Information Protection Act
Texas Data Privacy and Security Act
Utah Consumer Privacy Act
Virginia Consumer Data Protection Act

The Four Compliance Profiles of Shredding Services (and which to avoid)

When a client hires a service like Shred America to destroy old documents and hard drives, that client is fulfilling their legal and regulatory obligation to protect sensitive information.

Because of these regulatory implications (and because clients are held responsible for the compliance of their shredding service), this blog categorizes the four typical compliance strategies prevalent in the secure shredding industry and recommends how clients should respond to each.
_________

In reverse order, from riskiest to safest, they are:

Category 4: (Highest risk) No compliance strategy whatsoever.
Category 3: (Risky) Feigns regulatory compliance without verification.
Category 2: (Safe) Aware of their regulatory standing, and clearly demonstrates their compliance.
Category 1: (Safest) Possesses superior regulatory acumen and serves as an authoritative regulatory compliance resource for their clients.

(If you guessed that Shred America is in Category 1, you’re right. Reading this will explain what that means for our clients.)
__________

Category 4 (Highest risk): No compliance strategy whatsoever.

These secure shredding firms are clueless about their regulatory standing and their obligations as Data Processors. In fact, when pointedly asked whether they are data processors, Category 4 service providers either have no idea or argue that they are not. Remember, any service provider that has access to personal information is technically a Data Processor, and it is their clients’ responsibility to make sure they are compliant. Obviously, since such providers are clueless about their regulatory standing, the only possible course of action is to move on.

Recommendation: If you’re using such a service provider, stop ASAP. You’re not getting what you’re paying for, and you’re putting your organization at risk. If you have a contract with them, their lack of compliance is more than enough justification to terminate it.
On the other hand, if you’re still looking, you’ve got more work to do.
 
Category 3 (Risky): Feigns regulatory compliance without offering the necessary proof.

Category 3 secure shredding services have some idea of their regulatory standing, but instead of taking the appropriate steps to address their obligations, their websites and representatives often use misleading or meaningless claims to make it falsely appear as if they are doing everything right. And because their compliance is usually a pretense, Category 3 service providers are unable to obtain a legitimate third-party certification. Since none of the legitimate certifications are prohibitively expensive, there is no justifiable reason for any secure shredding service not to achieve at least one of them. Of course, falsely claiming such certifications is one of the tricks of these pretenders, so it is always important to verify that such claims are valid.

Recommendation: If you’re using a Category 3 service provider, stop ASAP. Their deceptiveness speaks to a lack of integrity, and terminating a contract based on their deceptive practices will not be a problem.
Again, if you’re currently looking for a service provider, you’ve got more work to do.
___

At this point, readers may be wondering how Category 3 and 4 providers stay in business. The answer is that, unfortunately, there are still plenty of clients who are unaware of their regulatory obligations and are simply too trusting. If all clients understood their vendor selection due diligence requirements, Categories 3 and 4 would be out of business tomorrow. Caveat emptor!
____ 

Category 2 (Safe): Aware of their regulatory standing, and clearly demonstrates their compliance.

The only practical strategy for determining whether a secure shredding service meets this threshold is to verify that they hold a legitimate, audited, third-party certification. These include NAID AAA certification for paper shredding and electronic media. ADISA and e-Stewards certifications apply to electronic media, and R2v3 certification is also acceptable for electronic media, provided the holder has the additional data security component. As mentioned before, certification claims should always be verified.

Recommendation: If the option to work with a Category 1 secure shredding firm is not available, the selection of a legitimately certified service provider is a safe (legally defensible) choice.

Category 1 (Safest): Possesses superior regulatory acumen and serves as an authoritative compliance resource for their clients.

These companies, Shred America included, represent the rarest compliance profile of all. They currently consist of only a handful of secure shredding services that have engaged a highly qualified data protection and privacy officer (DPO) to oversee their own and their clients’ regulatory compliance. This is vastly different from the typical shredding service, which may appoint a compliance manager from among its existing employees with no credentials or other evidence of regulatory expertise. Companies like Shred America have found that the extent of the DPO’s experience and qualifications is directly related to their ability to maintain their own compliance and to assist clients in maintaining theirs.

Freedom, Independence, and Data Security

Independence Day is a pretty special occasion here at Shred America, and we hope it is just as special for all those who love and appreciate this amazing country.

The Shredding Advice Mom Would Have Given

Our mothers were our first caregivers, our first teachers, our first defenders, and the first people who loved us unconditionally. We turned to them the first time we skinned our knee and the first time our heart was broken. They will always be our most ardent champions.

The Naughty and Nice of Business Records Retention

Organizations store business records to meet regulatory requirements, to refer to for business purposes, and, in very rare cases, for their historical value.