Shred America | Shredding Industry Knowledge

Shred America: Your Compliance Partner

At present, there are six federal data protection regulations, all of which have very specific requirements for vendor selection, breach notification, and information disposal. Adding to the complexity, virtually every state has one or more data protection regulations, many with unique requirements related to people's rights. These new state laws don’t just apply to organizations located in the state, but to any organization doing business there no matter where they are located. 

Helping Clients Give the Gift of Data Security

At a time when protecting information is more important than ever, ensuring its security
is a gift organizations give themselves, their customers, their stakeholders, and their
employees. Here at Shred America, we are both humbled and proud to help our clients
consistently deliver on those commitments.

The Four Compliance Profiles of Shredding Services (and which to avoid)

When a client hires a service like Shred America to destroy old documents and hard drives, that client is fulfilling their legal and regulatory obligation to protect sensitive information. 

Because of these regulatory implications (and because clients are held responsible for the compliance of their shredding service), this blog categorizes the 4 typical compliance strategies prevalent in the secure shredding industry and recommends how clients should respond.
_________

In reverse order, from the riskiest to the safest, they are:

Category 4: (Highest risk) No compliance strategy whatsoever.
Category 3: (Risky) Feign regulatory compliance without verification.
Category 2: (Safe) Aware of their regulatory standing, and clearly demonstrate their compliance.
Category 1: (Safest) Possess superior regulatory acumen and serve as an authoritative regulatory compliance resource for their clients.

(If you guessed that Shred America is in Category 1, you’re right. Reading this will explain what that means for our clients.)
__________

Category 4 (Highest risk): No compliance strategy whatsoever.

These secure shredding firms are clueless about their regulatory standing and obligations as Data Processors. In fact, when pointedly asked if they are data processors, Category 4 service providers either have no idea or argue that they are not. Remember, any service provider that has access to personal information is technically a Data Processor and it is their clients’ responsibility to make sure they are compliant. Obviously, since they are clueless about their regulatory standing, the only possible course of action is to move on. 

Recommendation: If you’re using such a service provider, stop ASAP. You’re not getting what you’re paying for and you’re putting your organization at risk. In the event you have a contract with them, their lack of compliance is more than enough justification to terminate it.
On the other hand, if you’re still looking, you’ve got more work to do. 
 
Category 3 (Risky): Feign regulatory compliance without offering the necessary proof.

Category 3 secure shredding services have some idea of their regulatory standing, but instead of taking the appropriate steps to address their obligations, their websites and representatives often use misleading or meaningless claims to make it falsely appear as if they are doing everything right. And, because their compliance is usually a pretense, Category 3 service providers are unable to obtain a legitimate third-party certification. Since none of the legitimate certifications are prohibitively expensive, there is no justifiable reason for any secure shredding service not to achieve at least one of them. Of course, falsely claiming such certifications is one of the tricks of these pretenders, so it is always important to verify that such claims are valid.

Recommendation: If you’re using a Category 3 service provider, stop ASAP. Their deceptiveness speaks to a lack of integrity. Terminating a contract based on their deceptive practices will not be a problem. 
Again, if you’re currently looking for a service provider, you’ve got more work to do. 
___

At this point, readers may be wondering how Categories 3 and 4 stay in business. The answer is that, unfortunately, there are still plenty of clients who are unaware of the regulatory obligations and are simply too trusting. If all clients understood their vendor selection due diligence requirements, Categories 3 and 4 would be out of business tomorrow. Caveat Emptor!
____ 

Category 2 (Safe): Aware of their regulatory standing, and clearly demonstrate their compliance. 

The only practical strategy for determining if a secure shredding service meets this threshold is to verify that they hold a legitimate, audited, third-party certification. These include NAID AAA certification for paper shredding and electronic media. ADISA and e-Stewards certifications apply to electronic media, and R2v3 certification is also acceptable for electronic media, provided the holder has the additional data security component. As mentioned before, certification claims should always be verified.

Recommendation: If the option to work with a Category 1 secure shredding firm is not available, the selection of a legitimately certified service provider is a safe (legally defensible) choice.

Category 1 (Safest): Possess superior regulatory acumen and serve as an authoritative compliance resource for their clients.

These companies, Shred America included, represent the rarest compliance profile of all. They currently consist of only a handful of secure shredding services who have engaged a highly qualified data protection and privacy officer (DPO) to oversee their own and their clients’ regulatory compliance. This is vastly different from the typical shredding service that may appoint a compliance manager from among their existing employees with no credentials or other evidence of any regulatory expertise. Companies like Shred America have found that the extent of the DPO’s experience and qualifications is directly related to their ability to maintain their own compliance and to be able to assist the client in maintaining theirs.

Office and Personal Shredders: Why They Aren’t a Good Option
Many cautious and cost-conscious business people and homeowners believe that using a shredder is the safest and most economical way to discard sensitive information. Ironically, whether for workplace or home use, using a small shredder is actually one of the most expensive and least secure solutions.