It’s Illegal to Hire a Shredding Service based on Price
It’s Illegal to Hire a Shredding Service based on Price
Though Shred America has a reputation for competitive pricing, it’s important for our current and future clients to know that selecting a secure shredding company should never be based on price alone. On the surface, the following scenarios sound like every day, run-of-the-mill buying
decisions.
An office manager wants to hire a company to destroy old computer equipment.
The boss tells his assistant to find a company to shred their daily flow of confidential wastepaper.
The Human Resources department is looking for a company to shred old employee records recently converted to a digital format.
Easy, right? Go online, find a few local service providers, and go with the lowest bid. Unfortunately, while it sounds logical, it’s also illegal.
Really? Illegal?
Yes, today’s data protection regulations, like HIPAA, GLBA, FACTA, and at least 17 state laws, require organizations to carefully scrutinize data destruction service providers to make sure they have a sufficiently high level of security and that they meet regulatory compliance requirements. As a result, hiring a provider because they have the lowest price violates those regulations. In fact, if ever subject to a
regulatory audit or investigation, regulators would automatically inquire about the selection criteria that was used to make the decision.
Keep in mind, because data protection and privacy regulations are enacted by governmental authority and are enforceable by law, violating them literally constitutes an illegal act. The fact is, however, though it is technically illegal to use pricing to make the decision, it is not the only reason for reviewing the compliance and security of any future shredding service.
It just so happens that there is no shortage of shredding services with little or no security or regulatory compliance. Their continued operation is based solely on the fact that their customers neglect their legal obligation to look under the hood. And, while their low prices might seem attractive, those prices are often based on the fact that they are not spending time and resources on employee screening and
training, or proper insurance, or keeping up with constantly changing regulatory requirements. More often than not, they would be hard-pressed to define what appropriate security and compliance even looks like. Compounding the risk, should a shredding service cause a data security breach, the same regulations that require vendor selection due diligence would also hold their clients 100% responsible for breach notification costs. Even worse, when regulators learn that the service provider was hired without proper scrutiny, the client would be
found negligent, liable, and subject to further penalties and sanctions.
What Shredding Service Due Diligence Looks Like
1. Require Certification: Certainly, requiring industry certifications, like NAID AAA Certification, can help with due diligence. But remember, such certifications are a floor not a ceiling. They represent the minimum that should be required not the maximum. So, while requiring NAID AAA Certification should without question be a part of any shredding service due diligence, there are other things clients should be examining.
2. Verify Insurance: The question here is fairly straightforward, do they have professional liability coverage? Most service providers don’t. Ironically, firms that have the capacity to indemnify their client for the service provider’s error and omissions are often the least likely to need it. The point of requiring it is not that there is heightened risk of a problem, but rather that it is a best practice for clients to expect shredding service to have a reasonable, limited capacity to indemnify the client for their mistakes. And, by verify, we mean get proof. Too often a service provider says they have it, while they may not even know what it is. General business insurance policies do not cover a vendor’s errors and omissions.
3. Verify Their Regulatory Expertise: The client has the right to expect their shredding service to be the expert in secure disposition and regulatory compliance, not the other way around!! The simplest way to determine whether a shredding service is capable and
trustworthy is to evaluate qualifications of the person on their team who is responsible for their regulatory compliance. In the past few years alone, 17 states (and counting) have enacted new data protection regulations that have impacted shredding services. In fact, many international regulations now
impact large clients doing business around the world. No service provider could be expected to respond to these changes without internal expertise driving their compliance program. Many shredding services lack the capability or willingness to make such accommodations, preferring to take an “off-the-shelf” and “one-size-fits-all” approach. This inevitably puts the customer at risk. Clearly, we hope clients choose Shred America to meet their shredding needs. But, if that’s not in the cards, we want them to know how to best protect themselves. Please don’t hesitate to contact us any time with questions or concerns. We pride ourselves on our internal compliance expertise and are happy to be of assistance to any organization looking to do the right thing.
© 2024 Shred America – All rights reserved
- Share this post