Security Shredding and Storage - a shredding industry publication
Industry Professionals Voice Concern Over NAID Certification

by Mollie Day

Secure shredding professionals are voicing concerns over alleged abuse of security claims made by the National Association for Information Destruction (NAID), the self-titled “international trade association for companies providing information destruction services.”

Concerned vendors say that neither a NAID membership nor a NAID certification assure document handling practices secure enough to live up to NAID’s “bloated” claims. “NAID’s ‘AAA’ Certified logo in many cases is an illusion being sold to facility managers and non-security professionals overwhelmed by federal regulation and plain fear of identity theft,” says Brian Baker, of Baker Security Group. Secure shredding professionals are calling for an examination of NAID’s practices and their allegedly misrepresented power in the marketplace.

Low security standards and lack of enforcement will jeopardize sensitive information and put the company responsible for the materials at risk of breaking the law and losing business. This point needles the minds of NAID’s critics, who feel that a powerful member organization that promotes certification and represents the shredding industry should promote best security practices. Critics argue that something is not better than nothing when it gives a false sense of security, and that corporations have a non-delegable duty to protect their customer information.

“Consumers are taught to seek credibility and this is what the [NAID] certification mistakenly sells,” says Baker. A certified protection professional (CPP) and the owner of a security management and consulting company, Baker – and many others – argue that NAID’s certification standards do not meet security standards and best practices that exist, despite the organization’s status and claims.

“There are a lot of really, really good NAID-certified companies out there. But they belong to NAID because they’re up against the wall,” says Baker, who argues that highly qualified vendors could lose business to a vendor with the well-known NAID logo if a customer does not know the ins and outs of best security practices.

“NAID is pretending to set the security standards, not along the lines of best practices or even best security,” Baker adds.

Baker cites several common criticisms of NAID’s standards, chief among them that NAID does not require a particle size that will render sensitive information unreadable. He is careful to add that standards can go too far in the opposite direction. While pulverizing and incinerating documents may be appropriate for the Department of Defense, these standards should not be necessary for all shredding companies, Baker says.

As a company prepares to become NAID certified, a NAID-approved auditor, a CPP accredited by the American Society for Industrial Security, conducts an audit of the vendor. During that audit, CPPs observe and differentiate between three categories of output: a contiguous shred with a maximum width of 5/8” and no limit on the length; a cross-cut or Pierce and Tear shred with maximum dimensions of _” wide by 2.5” long (about the size of an envelope window); and a pulverizing screen with holes of at most 2” in diameter.

Tom Simpson, Secretary of NAID’s Board of Directors, says the particle sizes that CPPs are directed to look for in a NAID certification audit are about the machine, not the particle size. “NAID is not in the particle-size business,” Simpson says.

Simpson explains that the particle sizes NAID selects are based on “the most commonly available machines that are most commonly purchased by businesses.” Furthermore, Simpson offers, vendors can put materials through a larger-sized shred screen more than once in order to obtain smaller and smaller particles, which is more time consuming and more costly, or they can run it through once and save the expense.

For better or for worse, what NAID offers appears to be on par with the requirements set out, in very broad strokes, by the Federal Trade Commission (FTC).

Under the Gramm-Leach-Bliley (GLB) Act (“Safeguards Rule”) and the Fair Credit Reporting Act (Disposal Rule), certain secure document standards are the law for “financial institutions” covered under the FTC’s jurisdiction. Though state and industry policy may differ, federal law does not specify exact requirements for companies such as credit reporting agencies, MasterCard and Visa, pertaining to: particle size, employee hiring practices, document safeguarding practices, and insurance.

“It’s not a one size fits all kind of thing,” says Katherine Armstrong, attorney and spokeswoman for the FTC, Division of Finance, in regard to government standards for secure document handling practices. “It’s flexible by design so that entities can make decisions that make sense according to their business,” she explains. The FTC has no stated opinion of NAID.

According to federal law, “reasonable measures” must be taken to protect personal information, including in its disposal. “It’s up to an entity to put reasonable procedures in place. And they [vendors] have a responsibility to do what they contract out their service to do,” explains Armstrong. “If your business is using a really big shred size that someone could tape together then that’s not reasonable,” she adds.

By Armstrong’s description, a complaint against any “financial institution,” or contracted vendor, NAID-certified or not, that shreds sensitive documents into chunks the size of an envelope window could be reported to the FTC. However, Armstrong can cite only two instances of enforcement of the Safeguards and Disposal Rules. These two settlements occurred, she says, because people bothered to call the FTC and report two “financial institutions” that were dumping whole sensitive documents into the trash, a clear violation of the law, according to Armstrong.

When it comes to shredding, the Europeans set a high bar. The British Standards Institution (BSI) specifies six different shred sizes for the shredding industry in Britain, depending on the level of security the business needs. By comparison, the shred size that auditors look for in the checklist prepared by NAID is almost the largest that BSI would allow.

“The NAID standard makes us look like fools,” says retired Army Lt. Col. and homeland security expert, John Miller. Miller is president of WesTex Document Inc, a NQA-1 (Nuclear Quality Assurance) certified document-handling company in Lubbock, Texas.

From the nuclear industry’s NQA-1 standards and procedures to the brother-in-law shredding business, the spectrum from genuine quality assurance to merely “secure” document handling and destruction is vast, according to those like Miller who have run the industry “marathon,” so to speak, and won.

NAID offers a starting point for document handling companies, says Miller, who began his work in the business as a NAID member and then board member. “A company would certainly want to look at the NAID website for the minimum certification practices that are out there, and strive to achieve those practices. If they were at least doing those things [listed on NAID’s website], that would at least put them above mid-point on the scale of 1-10,” says Miller.

Miller adds that there are a lot of shredding companies out there that are in the business of shredding and couldn’t care less about helping the consumer meet federal compliance.

In August of 2006 WesTex executives made a strategic decision to part ways with NAID altogether, due to the organization’s lack of information security standards. WesTex closed out 2006 with a 17% increase in sales ($1.4 million) over the previous year. “We have lost no business as a result of our decisions to leave NAID,” Miller reports.

Miller reports that NAID is doing things, and always has, to improve security for the customer, but that their efforts fall short.

While Miller was an active member, NAID’s board determined that it was not important for vendors to carry Errors and Omissions Insurance, which Miller says will protect the customer if a vendor’s employee steals the information or uses it to his benefit.

“They [NAID] require general liability insurance that will protect you if my driver backs my truck into you. It will not provide any protection to my customer if my employee willfully uses that information that we have been entrusted to protect and destroy,” says Miller.

“Standard Errors and Omissions we found lacking,” says Tom Simpson on behalf of NAID. “Standard Errors and Omissions mean that someone makes a mistake and most policies don’t cover that. If you really need something like that, you want to write a policy that pertains to specifics of the company,” Simpson explains.

This point is something that everyone can agree upon: The best companies have to write their own policy, in order for it to be better than all the rest.

According to Jim McGuire, president of Shotgun Capital Advisors, an investment-banking firm that specializes in the security service sector, some of the most world-renowned security firms don’t seek certification in an industry. “They strive to be world class and top of their industry by developing their own standards that are unique and proprietary in their business,” says McGuire.

“They [NAID] are there to support the ‘mom and pops’ businesses, to get them close to an even playing field with the larger companies,” McGuire says.

In creating Brinks Document Destruction standards, McGuire says that the company replicated standards from the armored car side of the business, particularly in regard to hiring. “We felt that handling valuable information was as important as handling cash valuables – why go backwards?” McGuire asks.

In order to weed out unsavory applicants Brinks requires all job applicants to undergo a 10-year background check with no gaps via an investigative agency. Potential employees must then pass a criminal background check, “criminal and felony and state-level misdemeanor,” says McGuire.

In contrast, NAID certified companies have only a 7-year, county and state-level criminal background check. The process has holes for violent criminals.

“In reviewing the NAID certification guidelines, the only criminal convictions I could find that would prevent someone from owning or working for a certified company is a felony conviction of burglary or theft,” writes Doug Knisley of Knisley Shredding in an article titled “‘AAA’ Certification, Where Does the Credibility Come From?”

“We went to what is commonly expected,” says Simpson, speaking for NAID.

The “most secure” practice would be fingerprinting, says Miller.

Critics argue that it’s not just the size, the insurance or the employee history that count. NAID-member businesses pay annual dues but are not required to undergo an annual auditing process. In their brochure, “How outsourcing your shredding is more secure and less expensive than shredding it yourself,” NAID states that its members are the “most secure” alternative to in-house shredding. Businesses make the NAID member list with an approved application, plus initiation and minimum annual fees starting at $1045.00.

Thus the needle goes deep for critics, who dispute the way NAID promotes its members as the “most secure” alternative when it cannot ensure that they meet the most secure standards.

Through NAID’s certification program, NAID members may seek annual certification audits for both mobile and plant-based operations in paper or printed media, micro media or computer hard drive destruction, according to NAID’s website. Audits are conducted by CPPs with a NAID checklist because, Simpson says, “It takes out any bias. It’s black or white.” NAID’s board will certify a vendor who completes its application, pays the annual fee, and passes the audit.

Simpson says that NAID is a self-policing organization with two enforcement vehicles: independent auditors and the deterrent of unannounced audits. Both apply to NAID-certified companies, but not to NAID members who are merely certified-less members.

Multiple critics of NAID’s supposed enforcement strategy argue that it isn’t working and vehemently cite numerous instances of lax security committed by a company bearing the NAID logo.

“Security standards for the shredding industry will become the next frontier in negligent security litigation,” Baker says in one of several articles he has written about non-secure practices and NAID.

“We are truly moments away from seeing the next round of federal or state investigations and penalties to be directed at document shredding and recycling operators who fail to protect consumer data. When this happens, the certifications will stand silent and those responsible will be seeking remedy.”
