With data breaches and identity theft on the rise, businesses and their customers are faced with near constant reminders about the consequences of poor data management.
To counter this growing epidemic, many businesses invest heavily in security and infrastructure for their stored documents to ensure their data is protected throughout its lifecycle.
However, the protocols for destroying data that is no longer needed are often overlooked. And this can leave a gaping hole in your data security plan.
For this reason, many businesses choose to hire a third-party information destruction company to handle the task. Hiring a professional moves the responsibility off the shoulders of the business and onto the provider, and is an excellent option for businesses that need secure information destruction on demand but don't possess the staff, equipment, or know-how to do the job themselves.
But how do you know if you can trust your service provider with your sensitive documents? After all, handing over your records to a complete stranger can be a harrowing experience as it is.
NAID® AAA Certification is the answer to this problem. Our article will explain everything you need to know about NAID, their AAA Certification program, and why you should choose an AAA Certified information destruction service.
Who is NAID?
NAID (the National Association for Information Destruction) is a non-profit trade association responsible for setting standards and best practices for the information destruction industry.
Established in 1992, NAID’s stated mission was to educate the public about the importance of properly destroying sensitive data, and to convey the benefits of outsourcing the process to a reputable and qualified service provider.
In 2000, NAID’s role in the industry evolved with the introduction of their AAA Certification program. While NAID membership is and always has been open to all shredding companies, AAA certification is a voluntary program for NAID members who wish to demonstrate their ongoing commitment to ethical standards and secure information destruction processes.
As of 2018, NAID is a division of the International Secure Information Governance and Management Association (i-SIGMA).
What is NAID AAA Certification®?
NAID AAA Certification® is a certification awarded to information destruction companies who continuously validate their services’ compliance with data protection laws through a series of third-party audits.
These random, unannounced audits are completed by trained and accredited independent Certified Protection Professionals® (CPP), and are designed to ensure continuous adherence to data security best practices.
Company facilities, equipment, vehicles, and processes are all subject to evaluation during these audits to ensure top to bottom compliance with the standards set by NAID.
In exchange, NAID AAA Certified providers gain access to numerous educational and support materials, the ability to advertise as an AAA Certified provider, and become eligible to provide information destruction services for businesses and government agencies who require this credential.
More than 1,000 information destruction companies have received their NAID® AAA Certification, including mobile, paper, and computer destruction services across five continents.
What is required for NAID AAA certification?
NAID® AAA Certification is the most trusted and widely accepted certification for data destruction companies in the world. Companies who wish to become AAA certified must meet incredibly stringent requirements, including rigorous security audits, documented company incident response policies, facility security requirements, equipment inspections, and more.
Rigorous Security Audits
Service providers must submit to both regularly scheduled security audits and unscheduled, surprise audits by trained and accredited security professionals. Providers will not know when these audits occur, which can be a great motivator for ongoing compliance. All providers must maintain a passing grade to maintain their certification status.
A customer may request an audit to monitor a particular service provider to ensure they meet the regulatory risk assessment requirements, and may monitor compliance by subscribing to email notifications of the service provider’s certification renewal, audit, or lapse.
Service providers must maintain detailed and up-to-date employment related records including:
- Background screening and training programs
- Employment history verification
- Drug/Substance Screening Results
- Signed confidentiality agreements
- Driver's license verification
Documented Company Policies
Service providers must maintain written company policies and procedures manuals to ensure incident response preparedness and regulatory compliance.
Service providers must maintain a well-secured facility, meeting specific standards set by NAID. This includes monitoring all main access points with a closed circuit camera system, a fully operational facility-wide alarm system, and a secured area within the facility devoted solely to information destruction processes.
Companies must also document their protocols for customer visits and employee access policies to secured areas.
Service providers must use commercial grade destruction equipment. The resulting byproduct must meet specific particle size requirements to ensure destroyed information is impossible to reproduce.
Documentation of Services
Service providers must provide customers with a certificate of destruction with every service. This important document can be used to prove that records were destroyed in compliance with data privacy regulations.
All vehicles used to transport confidential data must be fully insured and inspected. Vehicle cabs and boxes must be locked at all times, and drivers are required to have two-way communication devices. Drivers must document all transfers to maintain a secure chain of custody.
In order to maintain NAID® AAA Certification, companies must be legally registered and in good standing with the state of incorporation. Businesses must also have general liability insurance at all times.
Companies with multiple locations must maintain separate certifications for each of their locations. That’s because different locations have different employees and managers. When a NAID certified company references their certification, they must specify the location to which it applies.
View the i-SIGMA Certification Specifications Reference Manual for additional details and requirements.
What are the benefits of NAID AAA certification?
AAA Certified document shredding companies are thoroughly vetted and verified by NAID to ensure that the services provided comply with all relevant data privacy protection laws and regulations, as well as information destruction best practices.
Other benefits include:
Businesses that possess personally identifiable information (PII), personal health information (PHI) and other sensitive materials are required by law to take every reasonable step to protect the sensitive data in their possession.
That means that before any data is handed off to a third party, a business must do everything in its power to ensure service providers are fully compliant with data privacy protection laws like HIPAA, HITECH, and FACTA.
Fulfilling this important regulatory requirement can put an unnecessary burden on the business, as it must thoroughly research its service provider before it can hand off any records.
When an information destruction company is NAID AAA Certified, due diligence is completed by NAID itself, in far more detail than any business could ever dream of. NAID handles all of the effort of continuously monitoring each certified business to ensure that best practices and protocols are followed consistently.
For this reason, choosing a NAID AAA Certified provider is a widely accepted method of meeting your business’ due diligence requirements. Requiring in your policy that your information destruction vendor must be NAID AAA Certified, and choosing one that is, satisfies that legal requirement and protects you and your business.
Privacy and Security
Businesses are required to store a lot of sensitive documents. Whether it’s employee records, client information, or proprietary data, most of these records need to be kept on file for an extended period of time.
But what happens to this data when it is no longer needed? You could hang on to everything forever, but this exposes your data to unnecessary risk, and could lead to identity theft, or worse. And very few businesses can survive a data breach, especially one caused by sheer negligence.
Choosing a NAID AAA Certified data destruction company is the most secure way to rid your organization of the sensitive information in your possession, while ensuring the privacy of your data is not compromised in the process.
Not only are AAA Certified shredding companies required to train employees how to handle sensitive documents, but every part of their destruction process, down to shredding particle size, is reviewed to ensure that confidential information processed cannot be reconstructed.
What is i-SIGMA?
i-SIGMA (International Secure Information Governance & Management Association) is a non-profit watchdog organization formed by the merger of two well-established trade associations, the National Association for Information Destruction® (NAID®) and PRISM International™ (Professional Records and Information Services Management®).
Formed in 2018, i-SIGMA enforces standards and ethical compliance for more than 2,000 information destruction providers internationally, and currently maintains the most rigorous and widely accepted third-party security compliance certifications in the world.
What Comes Next?
If you’re looking for a NAID® AAA Certified information destruction company, look no further. SecureScan has been providing ultra-secure mobile document shredding services throughout the Northeast since 2003. Our team is ready to help you rid your organization of sensitive documents while protecting the confidentiality of your data. Visit our quote page to request more information from one of our information destruction technicians.
To view our certification status, visit directory.isigmaonline.org. Type “SecureScan” into the company name field and review the result.