You need high security. You need Ohio Mobile Shredding.
As the secure destruction environment continues to become increasingly regulated, companies are requiring assurance that their provider is capable of assuming the risk associated with handling data. NAID AAA Certification provides that assurance.
NAID Certification is an internationally recognized program that routinely audits data-related service providers who are responsible for securely destroying sensitive materials for their clients. The program relies on unannounced and announced audits by third-party accredited security professionals to verify compliance with 20 operational aspects of security, including employee screening, access control, training, CCTV image capture, and confirmation that the firm complies with written policies and procedures consistent with data protection regulatory requirements.
For our customers’ legal compliance and complete peace of mind, Ohio Mobile Shredding invests in meeting the certification requirements and has maintained its NAID AAA Certified status since 2003.
Who is NAID®?
NAID is The National Association for Information Destruction, the non-profit trade association of the information destruction industry. Founded in 1994, NAID has only one purpose – to champion the responsible destruction of confidential information and materials by promoting the highest standards and ethics.
Today NAID is recognized internationally by many policy-makers, and is often called upon to provide counsel to organizations developing information security standards and regulations.
Ohio Mobile Shredding has been a member of NAID since 1996. Our founder and CEO, Timothy J. Oberst, has served NAID as President, Director, Treasurer, and on various committees including the Ethics Committee, the Certification Rules Committee, and the Complaint Resolution Council.
For more information about NAID contact:
Robert J. Johnson
National Association for Information Destruction, Inc.
1951 W. Camelback Rd, Ste 350
Phoenix, AZ 85015
What is NAID “AAA” Certification?
The increasing number of laws and regulations requiring information protection emphasizes your responsibility to make careful decisions about how your data is handled and who handles it. If security safeguards are breached, audited or challenged, due diligence in the selection of the shredding vendor must be apparent and defensible. Merely saying “but we have a certificate of destruction” is an inadequate defense. Any lawyer, judge or jury would want to know what qualifications the provider possessed for you to choose them. You must be able to defend those qualifications in a court of law.
How can you be certain of the shredding provider’s qualifications? One simple way is to ask them if they are NAID Certified®. NAID certification verifies the shredding provider’s qualifications and confirms the security you expect.
Every aspect of a NAID Certified® provider’s operation is controlled by strict security standards. In fact, NAID Certified® standards are so demanding that they establish the due diligence required for compliance with HIPAA, Gramm-Leach-Bliley (GLB) and FACTA, and they exceed the standards of reasonableness that are generally accepted by government agencies and courts.
NAID Certification demands compliance with standards for employee screening and hiring, operational and facility security, the destruction process, and insurance requirements. In all, compliance with more than twenty standards is verified by an independent Certified Protection Professional® (CPP)*. And it doesn’t stop after one inspection; to maintain certification, the shredding provider must pass the verification process annually. And to ensure ongoing compliance, the provider may be randomly audited throughout the year.
By choosing Ohio Mobile Shredding, AAA Certified since 2003, you demonstrate that you have made your choice about information protection with care, diligence, and respect for the law.
*The CPP is the highest and most recognized security management accreditation achievable. The CPP accreditation is issued to security professionals who meet stringent educational and experience requirements by ASIS International®, the preeminent professional security association.
What are the differences?
NAID Member or NAID Certified®
Understanding NAID plays an important role in maintaining legal compliance
The question about the difference between Membership and Certification is a very good one. There are significant differences between the two which must be noted when you are evaluating potential vendors for your secure document destruction program.
The National Association for Information Destruction (NAID) is the only recognized source for security and ethics standards in the document destruction industry. Companies involved in the destruction of documents are eligible for membership, and more importantly, for certification.
NAID certification enforces the highest security standards and ensures that all of the vendor’s procedures meet strict criteria before certification is granted.
A vendor’s level of involvement with the association should be an important criterion in your decision-making process. Those organizations that are simply members are subscribing to a professional association. They have access to publications and security guidelines, and they are also included in the supplier directory. Membership alone does not verify their standards or the level of security they provide.
However, those shredding companies that choose to become NAID Certified® are companies that have committed significant resources to ensure the security of the information that they handle on behalf of their customers.
The process of becoming certified is extensive, and involves many operational commitments on the part of the certified vendor. The certification process requires that all employees undergo background investigations, that all employees receive comprehensive security training, and that operational procedures and physical facilities incorporate many security safeguards. This includes both physical security measures and operational and information security procedures. Further, NAID certification requires an initial third-party audit, as well as ongoing audits to ensure compliance with all security guidelines and procedures. Those organizations that are simply members are not subject to any of these requirements.
The difference between membership and certification is significant. The member belongs to an organization that publishes comprehensive industry standards for the security of information; however, the organization that is NAID Certified® has proven that they operate in strict accordance with these standards.
NAID Certification is the only qualified standard for security in the document destruction industry. It establishes due diligence and proper application of “Reasonable Care” required for compliance with HIPAA, Gramm-Leach-Bliley and FACTA. NAID membership, in and of itself, does not. Because the responsibility to protect information cannot be transferred to a vendor, it is good business practice to choose a NAID Certified® shredding company with verified security standards.
Downstream Data Coverage helps protect you.
Using outside services for data destruction, records storage, media rotation and many other data-related services has grown so popular because they can do it more securely and more economically than organizations can do it for themselves.
However, as the financial and regulatory compliance liabilities around data protection increase, customers have come to realize that they are inescapably responsible in the unlikely event a data breach or other loss is caused by those vendors – no matter how it happened. Let’s face it, when 47 states have data breach notification laws and with HIPAA now requiring data breach notification across the country for breaches involving healthcare information, customers have the right to be concerned. Fines for improper data disposal and expenses for data breach notification over the last few years are in the tens of millions of dollars and continually increasing.
That’s why it’s common for customers to insist that data-related service providers reasonably indemnify them from any harmful financial consequences they cause. Unfortunately, many of the professional liability products on the market do not adequately address the risks.
So, how then do customers really know they are protected, when they usually never even see the policy, and if they do see it, they need a lawyer to decipher the language? The best solution is to require a specific policy developed by organizations worth trusting.
When NAID first learned that many policies contained loopholes that rendered them useless, it started what turned out to be a four-year project to put together a product that would provide real protection to its members.
Downstream is not available to just any service provider. NAID also had another goal when helping to create Downstream: to help lower the cost of dependable coverage to its members. To do that, only service providers subject to the security specifications and audits (both announced and surprise) of the NAID AAA Certification process are eligible for Downstream Data Coverage.
So, by insisting that your service provider has Downstream Data Coverage, you are not only assured they have dependable professional liability coverage, backed by NAID’s reputation and the resources and integrity of Lloyd’s – you are also assured by their NAID AAA Certification that you are dealing with a service provider whose operations are intensely audited.
(taken from www.downstreamdata.com)
NAID Certification Criteria
Ohio Mobile Shredding has met or exceeded the following NAID Certification criteria:
Employee Screening & Hiring
- A criminal record search must be conducted for each place of residence and employment during the previous 7 years and obtained through a third-party background search service.
  OMS employees have background checks done by the FBI and the Bureau of Criminal Investigation (BCI).
- A social security header search must be conducted prior to the criminal background investigation to ensure all state and counties of residence and employment have been included (and verified) in the investigation.
- One third of Access Employees must be randomly selected and a criminal record search conducted annually by an outside source.
- No person subject to a felony conviction in the last seven years for any crime involving theft (of tangible or intangible property), fraud, burglary or larceny may be employed in a capacity where they come in contact with confidential client information.
- All employees must be drug screened at the time of hiring and randomly screened throughout the year.
- All drivers must meet all state licensing requirements. A valid driver’s license must be produced and a copy kept on file.
- All employees must sign a Confidentiality Agreement and have an I-9 or proper work permit/registration on file.
- Written policies and procedures for employees and drivers must be in place, updated and accessible.
- Drivers and processing employees must wear company uniforms and photo ID badges.
- Drivers must have accessible two-way communication devices.
- All vehicles used for the transfer of client records will have the applicable government inspection for road worthiness on file.
- All vehicles used for transfer and/or destruction of client records must have lockable cabs and lockable fully enclosed boxes. Locks must be used during transport and when unattended.
- All materials must be securely contained during transfer from customer’s custody to transportation vehicle to prevent loss from wind or other atmospheric conditions.
- Unauthorized access to the destruction area and client records is effectively prevented.
  OMS’ entire facility is locked down twenty-four hours a day.
- All non-employees entering the facility must sign a log with their name, time-in, affiliation, and time-out. The record is kept on file for one year. Visitors must be escorted or under the supervision of an Access Employee at all times.
- There is a secure area within the facility devoted to destroying media.
  OMS’ entire facility is devoted to destroying media.
- Materials are always attended by a company employee or physically secured from unauthorized access before destruction.
- There must be a monitored alarm system in place and utilized when the building is unoccupied.
- There must be a closed circuit camera system monitoring all access points and all processing activity with sufficient clarity to identify people and their activities. Recordings must be maintained for 90 days.
- Security systems must be checked and maintained on a monthly basis. A record of each check must be retained for one year.
The Destruction Process
- All paper or printed media is destroyed by equipment that reduces the paper to a shred width no greater than 5/8″.
  OMS utilizes equipment that reduces materials to a shred width of 5/16″ or pulverizes them into irregularly sized particles.
- All mobile destruction must be performed at the customer’s site.
- Standard operating practices dictate that plant-based destruction must take place within 3 business days.
- Destroyed materials must be disposed of in a responsible manner, which does NOT include any type of reuse (for purposes such as animal bedding or packing materials).
- A written and verifiable process for the physical destruction (not wiping or overwriting) of conventional computer hard drives must be in place. The serial numbers of all hard drives being destroyed must be recorded for each client.
- The company must be a legally registered business in the state of residence.
- The company must be in business for a minimum of five years.
  OMS has been in business for more than twenty-five years.
- General liability insurance of at least $2,000,000 is maintained.
  OMS exceeds certification requirements with a $3,000,000 policy.
- All marketing materials are inspected to check for misleading advertising.
Benefits of Working with a CSDS Professional
What is a Certified Secure Destruction Specialist (CSDS®)?
The CSDS program is a professional accreditation issued by NAID, the 20-year-old, non-profit watchdog organization for the secure destruction industry. To earn the accreditation, individuals must prove they have a high degree of competency in a range of data protection regulatory and compliance issues as well as a thorough understanding of physical and operational security.
Why work with a CSDS?
The secure destruction of records and data has become a complicated process over the past decade. With constantly evolving data protection laws, service provider qualifications, media, and policy development and training requirements, designing a compliant program requires a level of expertise not available in most organizations. It is now critical that you work with someone who understands your responsibilities and theirs.
For instance, did you know?
- 48 states now have laws mandating specific training of employees regarding reporting of potential data breaches to affected individuals as well as regulators.
- Health care organizations now need new contracts with their data destruction companies.
- Specific information included in a certificate of destruction will maximize its legal benefit.
- Data protection regulations now require written policies and training for employees.
- Many new types of computer hard drives cannot be overwritten or magnetically degaussed.
- Organizations can take preventive action to minimize the consequences of a data breach.
Improper data disposal puts an organization at risk
Prior to 2008, there were few if any regulatory fines for improper data disposal. Since then, in an attempt to curtail the growth of identity theft, millions of dollars in fines have been assessed. Newspapers and broadcast media routinely report incidences of improper disposal. In fact, the U.S. Department of Health and Human Services is now actively training the staff of states’ attorneys general to look for improper disposal of certain types of data.
A CSDS keeps up on data destruction requirements
There is no question that data destruction requirements will continue to evolve. That’s why CSDS professionals are required to continue their education of data protection laws and other changes that will affect their customers. Because they are staying informed, you’re better protected.
Use a CSDS to help you with your secure destruction needs today. Learn more at www.naidonline.org.
- Data protection legislation
- NAID certification
- Physical and operational security
- Records management principles
- Contracts and insurance
- Data protection principles
- Data destruction systems
- Employee compliance
The National Association for Information Destruction (NAID) is the non-profit watchdog organization for the secure data destruction industry, founded in 1994. NAID’s mission is to promote the proper destruction of discarded information through the standards and ethics of its members.
All of our trucks are equipped with the latest GPS tracking technology to ensure absolute security in your document destruction. We know where our trucks, and your materials, are at all times.
In addition to providing a higher level of security, our GPS tracking allows us to respond quickly to emergency needs. If a client needs immediate service we can use our GPS system to locate an available truck near the area.
To ensure the security of your records, OMS’ facility is dedicated to destruction operations only. All entrances are locked twenty-four hours a day and access points require key and/or access codes. A closed circuit surveillance system monitors all points and processing activity, and a monitored alarm system is armed when the facility is not occupied.
All non-employees are required to sign a log stating the purpose of their visit and a Confidentiality Agreement. Visitors entering the destruction area must be escorted by an OMS Access Employee at all times.
Before being considered for hire, every OMS candidate must pass an extensive third-party background screening by the FBI and the Bureau of Criminal Investigation (BCI). This includes investigating felony and misdemeanor criminal records, a seven-year employment history, pre-employment drug screens, credit checks and motor vehicle reports for our drivers. Every new employee must also sign a continuing obligation Confidentiality Agreement.
All OMS associates are required to comply with OMS’ written Policies and Procedures as well as the standards required of a NAID Certified® provider. All of our drivers wear easily identifiable uniforms with photo IDs and are bonded and insured.
And, last but not least, all of our associates are really nice people!
Our Certificate of Destruction is validated by a comprehensive audit trail
At OMS, we don’t just provide you with a “Certificate of Destruction”; we back it up with a detailed audit trail for your record keeping and security. Our unique Certificate of Destruction establishes critical criteria such as transfer of custody and acceptance of fiduciary responsibility for your protection.
- Before your service begins, we provide you with a performance agreement establishing the criteria for your information destruction.
- At the time of service, we provide you with an Accountability Receipt documenting the details of your service and transfer of custody of your information.
- After your information is destroyed we issue you a Certificate of Destruction verifying the date that your information was completely and confidentially destroyed.