Shred America | Shredding Industry Knowledge

Improper document disposal can have serious consequences for businesses of all sizes. From customer records to employee files, sensitive information that ends up in the wrong hands can lead to costly lawsuits, regulatory fines, and long-term damage to a company’s reputation.

Educational institutions are responsible for protecting sensitive student information under theFamily Educational Rights and Privacy Act(FERPA). This federal law safeguards student education records and requires schools to take appropriate steps to prevent unauthorized access—including when records are no longer needed.

In today’s data-driven world, simply deleting files from a hard drive doesn’t guarantee that sensitive information is gone for good. For businesses handling confidential data, understanding proper destruction methods isn’t just best practice—it’s a compliance necessity.

When it comes to protecting sensitive information, businesses face critical decisions about how to handle document disposal. Two common approaches arescheduled shreddingandone-time purges. While both methods aim to securely destroy confidential data, they differ significantly in compliance risk and audit defensibility.

The Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule is designed to reduce the risk of identity theft by requiring businesses to properly dispose of sensitive consumer information. But what exactly falls under this requirement—and who needs to comply?

When choosing a document destruction provider, you’ve probably seen the termNAID AAA Certified— but what does that really mean beyond a logo on a website?

Tax season increases the volume of highly sensitive documents moving through your business, and unfortunately, it also increases the risk of identity theft.

W-2s, 1099s, payroll reports, and draft tax returns contain confidential financial and personal data. If these documents are improperly discarded, they can quickly become tools for fraud.

Secure destruction is not optional — it’s a critical part of compliance and risk management.

Everyone knows that April 15 is the final day to file taxes. Sure, some years it falls on a weekend or holiday, but ask any working adult, and April 15 means one thing. It is D-day, or rather T-day, and everybody knows it.

Shred America: Your Compliance Partner
At present, there are six federal data protection regulations, all of which have very specific requirements for vendor selection, breach notification, and information disposal. Adding to the complexity, virtually every state has one or more data protection regulations, many with unique requirements related to people's rights. These new state laws don’t just apply to organizations located in the state, but to any organization doing business there no matter where they are located. 

January & February: Start the Year with an Easy Win!

At a time when protecting information is more important than ever, ensuring its security
is a gift organizations give themselves, their customers, their stakeholders, and their
employees. Here at Shred America, we are both humbled and proud to help our clients
consistently deliver on those commitments.

Every year, we set aside November 11 as the day we formally celebrate and honor the vital contribution of our military veterans. Here at Shred America, we not only want to join in that celebration, but explain how our dedication to veterans and the values they represent benefit both our company and our clients.

How Shred America Helps Clients Fulfill ESG Commitments

How Shred America’s global approach to compliance helps major corporations live up to their compliance claims.
_______
Question: What do the following US corporations have in common?
Airbnb, Adobe, Amazon, American Express, Apple, AT&T, Boeing, Chevron, Citibank,
Cisco, Coca-Cola, Dell Technologies, Dropbox, eBay, ExxonMobil, Ford, General
Motors, Goldman Sachs, Alphabet, HP Inc., IBM, Intel, Johnson & Johnson, JP Morgan
Chase, LinkedIn, Mastercard, Meta , Microsoft, Netflix, Oracle, PayPal, PepsiCo,
Pinterest, Procter & Gamble, Qualcomm, Red Hat, Salesforce, Snap Inc., Spotify,
Stripe, Tesla, X, Uber, Verizon, Visa, Walmart, Zoom.

Why and How Shred America is Responding to New State Privacy Regulations

Shred America’s clients are rightfully focused on their core competencies. That’s how it's supposed to be. All organizations should be.

Our focus at Shred America is on providing state-of-the-art, compliant, secure data destruction services, which, from our point of view, includes staying on top of relevant, changing regulatory requirements. Not only is this integral to our ability to provide compliant services, but it also means our clients don’t have to worry about it. When it comes to the secure disposal of sensitive information and regulatory compliance, it is our job to keep our clients informed, not the other way around.

Almost overnight, as regulations go, nineteen states have enacted new data protection and privacy regulations that grant individuals (data subjects) control over their personal information and impose a number of new obligations on the businesses to whom they have entrusted it. This trend has such momentum that we expect every state to follow suit in short order.

Our first response to any new data-related regulation is to evaluate its impact on our compliance and how we interact with our clients.  More broadly, we also look to how it impacts our clients’ overall compliance. This latter consideration extends beyond data destruction and allows us to advise clients more generally to keep them on the right side of things. Of course, this is only possible because Shred America closely tracks regulatory changes and has the acumen and credentials to meaningfully conduct such evaluations and provide such advice.

For Shred America, the response to new state regulations required that we modify our public-facing privacy policy and our operational (processing) policies to acknowledge and cooperate with clients’ new data subject rights obligations. Secondly, it required that we execute the Data Processing Agreement (DPA) with all our affected (state-specific) subcontractors. The DPA, which ensures processors assistance in providing data subject rights, is a specific new requirement (not unlike HIPAA’s business association agreement).

For our clients and prospects, depending on the states in which they operate, their size, and the nature of their business, Shred America’s is actively offering tools, such as a sample DPA, which is now required of all their data processors, and is offering to answer any questions and help them determine how to prepare for all their new obligations and the fulfillment of new data subject rights.

Is this above and beyond our duty to our clients? Clearly, we don’t think so. We believe our clients and prospects should expect no less.

Contact Shred America today. We’d love to answer your questions and explain how we can help.
________

New State-Level Privacy Regulations

The California Consumer Privacy Act, as amended by the California Privacy Rights Act
Colorado Privacy Act
Connecticut Data Privacy Act
Delaware Personal Data Privacy Act
The Indiana Consumer Data Protection Act
Iowa Consumer Data Protection Act
The Kentucky Consumer Data Protection Act
Maryland Online Data Privacy Act
Minnesota Consumer Data Privacy Act
Montana Consumer Data Privacy Act
Nebraska Data Privacy Act
New Hampshire Senate Bill 255
New Jersey Senate Bill 332
Oregon Consumer Privacy Act
Rhode Island Data Transparency and Privacy Protection Act
Tennessee Information Protection Act
Texas Data Privacy and Security Act
Utah Consumer Privacy Act
Virginia Consumer Data Protection Act

When a client hires a service like Shred America to destroy old documents and hard drives, that client is fulfilling their legal and regulatory obligation to protect sensitive information. 

Because of these regulatory implications, (and because clients are held responsible for the compliance of their shredding service), this blog categorizes the 4 typical compliance strategies prevalent in the secure shredding industry and recommends how clients should respond.
_________

In backwards order, from riskiest to the safest, they are:

Category 4: (Highest risk) No compliance strategy whatsoever.
Category 3: (Risky) Fain regulatory compliance without verification.
Category 2: (Safe) Aware of their regulatory standing, and clearly demonstrate their compliance.
Category 1: (Safest) Possess a superior regulatory acumen and serves as an authoritative regulatory compliance resource for their clients.

(If you guessed that Shred America is in Category 1, you’re right. Reading this will explain what that means for our clients.)
__________

Category 4 (Highest risk): No compliance strategy whatsoever.

These secure shredding firms are clueless about their regulatory standing and obligations as Data Processors. In fact, when pointedly asked if they are data processors, Category 4 service providers either have no idea or argue that they are not. Remember, any service provider that has access to personal information is technically a Data Processor and it is their clients’ responsibility to make sure they are compliant. Obviously, since they are clueless about their regulatory standing, the only possible course of action is to move on. 

Recommendation: If you’re using such a service provider, stop ASAP. You’re not getting what you’re paying for and you’re putting your organization at risk. In the event you have a contract with them, their lack of compliance is more than enough justification to terminate it.
On the other hand, if you’re still looking, you’ve got more work to do. 
 
Category 3 (Risky): Fain regulatory compliance without offering the necessary proof.

Category 3 secure shredding services have some idea of their regulatory standing, but instead of taking the appropriate steps to address their obligations, their websites and representatives often use misleading or meaningless claims to make it falsely appear as if they are doing everything right. And, because their compliance is usually a pretense, Category 3 service providers are unable to obtain a legitimate third-party certification. Since none of the legitimate certifications are prohibitively expensive, there is no justifiable reason for any secure shredding service not to achieve at least one of them. Of course, falsely claiming such certifications is one of the tricks of these pretenders, so it is always important to verify that such claims are valid.

Recommendation: If you’re using a Category 3 service provider, stop ASAP. Their deceptiveness speaks to a lack of integrity. Terminating a contract based on their deceptive practices will not be a problem. 
Again, if you’re currently looking for a service provider, you’ve got more work to do. 
___

At this point, readers may be wondering how Categories 3 and 4 stay in business. The answer is that, unfortunately, there are still plenty of clients who are unaware of the regulatory obligations and are simply too trusting. If all clients understood their vendor selection due diligence requirements, Categories 3 and 4 would be out of business tomorrow. Caveat Emptor!
____ 

Category 2 (Safe): Aware of their regulatory standing, and clearly demonstrate their compliance. 

The only practical strategy for determining if a secure shredding service meets this threshold is to verify that they hold a legitimate, audited, third-party certification. These include NAID AAA certification for paper shredding and electronic media. ADISA and e-Steward certifications apply to electronic media and R2v3 certification is also acceptable for electronic media, provided the holder has the additional data security component. As mentioned before, certification claims should always be verified. 

Recommendation: If the option to work with a Category 1 secured shredding firm is not available, the selection of a legitimately certified service provider is a safe (legally defensible) choice. 

Category 1 (Safest): Possess a superior regulatory acumen and serves as an authoritative compliance resource for their clients.

These companies, Shred America included, represent the rarest compliance profile of all. They currently consist of only a handful of secure shredding services who have engaged a highly qualified data protection and privacy officer (DPO) to oversee their own and their clients’ regulatory compliance. This is vastly different from the typical shredding service that may appoint a compliance manager from among their existing employees with no credentials or other evidence of any regulatory expertise. Companies like Shred America have found that the extent of the DPO’s experience and qualifications is directly related to their ability to maintain their own compliance and to be able to assist the client in maintaining theirs.