call us at 1.866.467.4733 or visit our website at
RSS icon Home icon

    Posted on December 22nd, 2009 admin No comments

    We have all heard the saying, “where there’s smoke, there’s fire.” Well there is certainly a lot of smoke related to pending federal data protection legislation. 

    NAID has been anxiously monitoring a host of events that indicate a national data protection law, potentially preempting states laws, is likely next year.

    • In August, Senator Patrick Leahy (VT-D) introduced the Personal Data Privacy and Security Act of 2009 (PDPSA) that has already passed the Senate Judiciary Committee (which Leahy chairs) and is on its way to the full Senate.
    • The House of Representatives just passed the Data Accountability and Trust Act (DATA). Privacy watchers in D.C. say this increases the likelihood that a comprehensive data protection law will result.
    • An editorial two weeks ago in the New York Times made a strong appeal for the movement on the long over due national data protection law.
    • An article in the Washington Post last week drew reference to the fact that the disposal of hard copy records is just as significant a problem as e-destruction and deserves increased legislative attention.
    • NAID contacts within the FTC are openly saying they anticipate a new national data protection law in 2010.

    The good news is that the language in these laws is very direct about destruction requirements as well as penalties and enforcement.  That being said, NAID believes there is a strong likelihood that special interests will seek to water them down and NAID isn’t taking any chances. The association intends to be as vocal as ever in reminding lawmakers that clear direction and enforcement are essential to effective data protection.

    NAID will likely dedicate some resources to convincing legislators that paper-based breaches be subject to data breach notification provisions—a point that is not as clear as it should be in some of the current language.


    Posted on November 25th, 2009 admin No comments

    The Department of Health and Human Services issued guidance related to safe harbors for healthcare providers to avoid mandatory data breach notification.  The guidance states that if computer hard drives are disposed after sanitization meeting National Institute for Standards and Testing (NIST) specification SP 800-88, data breach notification will not be required.  It also states that that destroying paper media in a manner that it “cannot be read or otherwise cannot be reconstructed” provides that same safe harbor. The NIST SP 800-88 specification reference in the HHS Guidance DOES NOT APPLY to paper media within the HHS Safe Harbor Guidance, HIPAA, HITECH or Data Breach Notification.

    Unfortunately, because NIST SP 800-88 also contains specifications for paper destruction, which is very small, some HIPAA/HITECH Covered Entities are misinterpreting the HHS Guidance to mandate that destruction specification extends to paper as well. Again, NIST SP 800-88 does not extend to paper media, only to sanitization.

    Here is the language as it reads in the Federal Register:

    (b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
    (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
    (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

    It is important to note that none of this is actually a requirement of HIPAA or HITECH—it is simply advice regarding safe harbors for avoiding possible data breach notification events.

    Read the Federal Register Reference



    Posted on November 25th, 2009 admin No comments

    On November 1st, after being pushed back twice, the Red Flag Rule (amendment to FACTA) will finally go into effect, requiring every organization “that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft” to develop what it calls “reasonable policies and procedures for detecting, preventing, and mitigating identity theft.”  The FTC says that the law will apply to an estimated 11 million organizations.

    While all current data protection laws require organizations to have written data protection policies and procedures, the Red Flag Rule is specifically created to emphasize the importance regulators put on them.  This is good news for the secure destruction industry, since NAID’s own statistics show that organizations with written data protection procedures are twice as likely to outsource their destruction requirements as those without them. 

    To help NAID Members respond to the estimated 11 million organizations that will need to comply with the law, NAID has produced a draft Red Flag contract clause and language to update member’s policies and procedures. To obtain the documents, members must complete the NAID Red Flag Rule Release. NAID has also stepped up training on the use of the Compliance Toolkit for members looking to capitalize on the opportunity created by the imminent effective dates of the Red Flag Rule and HITECH.



    Posted on July 7th, 2009 admin No comments

    Pharmacy pays fine for jeopardizing patient information

    While it does not involve the sensational million dollar amount of other recent data disposal fines, a fine levied in Indiana sends the message that even small local pharmacies are subject to the continually escalating intensity of enforcement

    Bob Segall of WTHR in Indianapolis, Indiana reported that a small local pharmacy reached a settlement with the state’s Pharmacy Board.  According to the report, which was posted to the TV Station’s website on June 8th, Low Cost Pharmacy will receive a letter of reprimand from the Pharmacy Board and will pay a $250 fine to settle state charges that it improperly disposed of private patient information.

    Full Article


    Posted on July 3rd, 2009 admin No comments

    credit_cardAccording to an article by Kim Zetter, appearing on the website of Wired News on June 2nd, for the first time a financial institution is suing an auditor for verifying that a third party card processor was secure prior to a data breach caused by the same service provider. The third party processor’s data breach released over a quarter of a million credit card numbers and put almost 40 million other credit card numbers at risk.  As a result of the breach by the third party service provider, the financial institution that brought the suit must notify its customers of the incident.

    The article further describes the ramifications of an anticipated trend of suits where third parties fail to provide the security they claim to provide as well as the risk of such suits against organizations that verify their security.

    Full Article


    Posted on July 2nd, 2009 admin No comments

    A new white paper titled Why Information Destruction is the Key to Sustainable Success in e-Scrap has been posted to the NAID website discussing the linkage between data security and continued success in electronics recycling.  The article draws a parallel between the evolution of the office paper recycling industry and the electronic recycling industry against the backdrop of increasing regulatory intensity and enforcement.


    Posted on July 1st, 2009 admin No comments

    NAID_AAA_CertLOGOWith HIPAA Covered Entities and Business Associates now subject to data breach notification requirements of HITECH, NAID Members will see the association more closely following and reporting on related issues.

    Recently, Aetna Casualty was forced to notify 65,000 current and former employees, sending each a letter wherein the company admitted its role and described the nature of the data breach.  The company’s online job application site was breached, which only became apparent earlier this month when affected individuals began receiving suspicious emails soliciting personal details.  The site reportedly contained the Social Security Numbers of the 65,000 people who were notified.

    A class action suit has already been filed against Aetna related to this incident, which is just one of the consequences of what is coming to be known as Breach Notification Fallout.

    The upcoming edition of NAIDnews (June 2009) contains a thorough examination of the impact of breach notification and why it is among the most feared of all the new HIPAA/HITECH provisions.

    Full Article

  • Data Destruction Companies Watch Demand Grow As State Regulations Get Tougher

    Posted on April 14th, 2009 admin No comments

    Boom Time for Shredders

    Identity theft hurts consumers, and it can cost companies that have put private data at risk thousands of dollars in fines.

    But the problem has sprouted a growing industry — information destruction — that continues to move forward even though the economy has turned sour.

    In central Ohio, roughly a dozen companies are certified in the industry, which includes shredding tons of paper and electronic devices, and wiping information from computers and other electronic equipment.

    Established companies in the information destruction industry are growing an average of 10 percent to 25 percent each year, said Tim Oberst, president and chief executive of Ohio Mobile Shredding and president-elect of the National Association of Information Destruction.

    The organization went from 180 members in 2002 to 1,150 this year, but it doesn’t track sales figures.

    “As people become more aware of the need for information destruction, and as the regulations get tougher, they’re paying a lot more attention to it,” said Robert Johnson, executive director of the association. “Demand for information destruction services will continue to grow.”

    Reasons for that demand include more technology turnover and an increase in the enforcement of regulations to properly destroy documents, Johnson said.

    “In the last year and half, there has probably been $3 (million) to $4 million worth of fines,” Johnson said.

    In Ohio, there have been two recent cases where companies have been accused of improperly discarding information.

    Last December, the Department of Commerce filed a complaint against a mortgage company accusing the owner of abandoning hundreds of customer records when he went out of business.

    Another notice was filed in October against a Cuyahoga County mortgage company for a similar incident.

    Department of Commerce spokesman Dennis Ginty said that because of the distress in the housing market, mortgage brokers are going out of business and some simply abandon their records after they close their offices.

    “We are very concerned about possible identity theft and want to make sure that all customer personal information is protected,” Ginty said.

    Oberst, of Ohio Mobile Shredding, said his company was the first of its kind in Columbus in 1987, and he has watched the business boom since then.

    “The industry started to grow to the point where it became an ‘industry,’ ” Oberst said.

    It was tough to sell shredding services when he started out because businesses weren’t particularly concerned, Oberst said.

    “Most businesses would say, ‘What do you have to shred? We don’t have anything confidential,’ ” Oberst said. “Their attitude was out, ‘of sight, out of mind.’ ”

    That’s changed.

    “It’s like an everyday thing that has to be taken care of,” Oberst said.

    CareWorks, a managed-care organization for workers’ compensation, is one of Ohio Mobile Shredding’s customers. It ships 16 to 18 96-gallon barrels of paper to the company every two weeks, said Dave Gran, the facility manager.

    “That personal, confidential documentation has to be destroyed in a certain manner,” he said.

    Mobile Shredding does both paper-shredding and product-destruction — which can include anything from ID badges to hard drives.

    “From my perspective, if a company really wants to be sure the information isn’t left on the hard drive, we recommend physical destruction,” Oberst said. “The little money you get from reselling a hard drive is not worth the risk.”

    Hilliard-based Redemtech, a company that helps large corporations manage technology changes and upgrades, uses a hard-drive overwrite program to destroy the data on its clients’ computers.

    The overwrite program puts a data pattern over top of the original information, thereby obliterating it, said Redemtech president Bob Houghton.

    “If part of your objective is to preserve the financial value of the assets, if you can preserve the hard drive, it really helps,” Houghton said.

    Redemtech handles e-waste — used electronics ranging from computers to cash registers. It erases hundreds of thousands of hard drives a month, Houghton said.

    The company generally tries to refurbish and resell items for clients, so it puts an emphasis on inventory control to make sure no data is preserved.

    “Every single gram of material that moves through the plant is accounted for, particularly data-bearing devices,” Houghton said.

    With states adding regulations on top of existing federal laws, Houghton said many corporations are becoming more concerned about data destruction.

    “It’s good because it means increased consumer protection and less chance of identity theft,” Houghton said. “It’s really tough for a corporation to make sure they’re complying across all the jurisdictions they may be doing business in.”

    Redemtech’s customers include national banks, top insurance companies and health-care organizations, Houghton said.

    Clients now request extra rigor in overwriting data — for example, a company that in the past only wanted one overwrite pass now might ask for three, Houghton said.

    “This is simply to ensure there is even less chance that any data is going to be left in a readable state on the hard drive,” he said.

    Whether it’s through data overwrite programs or simply shredding documents, proper disposal of personal information is becoming more important as concern over identity theft rises.

    “The consumer has become more aware their information is in so many places and they have no idea how the company is protecting it,” Oberst said.


  • WTHR Investigation Leads to Record $2.25M HIPAA Settlement

    Posted on March 6th, 2009 admin No comments

    cvs-settlement13 Investigates’ “Prescription Privacy” investigation has resulted in a $2.25 million settlement agreement between the U.S. Department of Health and Human Services (HHS) and the nation’s largest retail drugstore chain.CVS, which operates more than 6,000 pharmacies, has agreed to pay the record-setting settlement and implement a “robust corrective action plan” after WTHR found the company was tossing its customers’ private healthcare records into unsecured dumpsters in Indianapolis and other cities nationwide.

    “This is a very important settlement,” said Robinsue Frohboese, acting director of HHS’ Office for Civil Rights. “The millions of customers who go to CVS pharmacies will now have the confidence that their very personal healthcare information will, in fact, be protected.”

    During its investigation, HHS found that CVS failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures.

    Frohboese said WTHR’s 2006 investigation “formed the basis of the [federal] investigation,” which was launched after Indianapolis-area CVS customers filed complaints with the Office of Civil Rights.

    Jackie Wright was one of those customers.

    Wright felt betrayed by her drugstore after learning her family’s healthcare records were among dozens of private healthcare documents WTHR found in a dumpster behind a northwest side CVS.

    “They are supposed to be shredding it, getting rid of it and destroying it – not throwing it in the dumpster where people can get your personal information,” she told WTHR in June 2006. Soon after, Wright filed a federal HIPAA complaint, alleging that CVS failed to protect her privacy.

    She heard nothing about her complaint — until today.

    “I thought everybody forgot about it and that nobody really cared,” she said. “But $2.25 million, that’s a lot of money… $2.25 million says they do think about what you say.”

    Unfortunately for Wright, complainants will not get any of the pay-out. HHS says all of the settlement money has been deposited into the US Treasury and will be used to investigate other cases involving companies accused of violating healthcare privacy regulations.

    As part of its 20-page settlement, CVS is required to fully implement an action plan designed to protect patient information from being discarded into unsecured dumpsters. The plan will be monitored for 20 years by the Federal Trade Commission, which assisted the Office For Civil Rights in the investigation, marking the first time the agencies have worked together to enforce violations of the nation’s healthcare privacy law.

    Much of CVS’s corrective action plan was developed in late 2006 after 13 Investigates expanded its investigation to show the company’s privacy violations extended far beyond Indianapolis.

    In summer and fall of 2006, WTHR visited cities across the nation and, despite assurances from CVS that it had taken corrective measures at its pharmacies, 13 Investigates found the company was still failing to protect customer privacy. WTHR found protected patient records in CVS dumpsters in Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, and Phoenix. 13 Investigates also found hundreds of private customer records tossed into CVS dumpsters in Woonsocket, R.I., which is home to CVS world headquarters. The investigation also revealed similar problems at Walgreens and RiteAid pharmacies, the country’s second and third largest drugstore chains.

    On Wednesday, CVS released a statement saying it agreed to the settlement “to avoid the time and expense of further legal proceedings” and the “company denied engaging in any wrongful conduct.”

    But that contradicts earlier statements made by corporate officials.

    Two years ago, when 13 Investigates went to CVS headquarters to show what we found, CVS privacy officer Christine Egan admitted “We are not safeguarding customer privacy as we are required to do… It’s sad and intolerable.”

    Today’s agreement is only the second monetary settlement involving HIPAA violations since the Health Insurance Portability and Accountability Act took effect in 2003, and the $2.25 million figure shatters the previous settlement. In July 2008, HHS entered into its first HIPAA settlement agreement with Seattle-based Providence Health & Services. The company paid $100,000 stemming from lost and stolen computers containing health information.

    Federal regulators say they hope this latest settlement will help them promote the importance of protecting healthcare information, and HHS has posted a tip sheet for other businesses to learn from CVS’ mistakes.

    “The Office For Civil Rights is using this opportunity to get good information out to healthcare providers about appropriate ways to dispose of personal health information,” Frohboese said.

    HHS won’t comment on the possibility of a settlement agreement with Walgreens and other pharmacies involved in WTHR’s Prescription Privacy investigation, which also prompted formal complaints against CVS and Walgreens by the Indiana Attorney General. Those cases are still pending before the Indiana Board of Pharmacy.

    (Source :

  • The Secure Shredding Industry’s Almighty Certificate of Destruction

    Posted on October 9th, 2008 NewSunSEO No comments

    In the professional shredding industry there is a document known as the Certificate of Destruction which is given to customers utilizing shredding companies as “proof” that documents have been destroyed. While these COD’s are used by virtually all shredding companies, the similarities end there. There is no universal form for a COD, which can create confusion for you, the consumer, when shopping for a reputable shredding company. Just what does the COD mean anyway? Probably not what you thought it meant.

    Many shredding clients mistakenly take the COD as proof that they have washed their hands of any liability for the documents that are being destroyed. Unfortunately, this is logistically impossible, for many reasons. Even if a COD is itemized, listing, say, all employee records from 1990-1995, it is obviously impossible for the shredding contractor to know for sure whether each and every employee record for that time period was included in the documents he was given. And shredding companies don’t pretend to know that either.

    A standard clause in contracts for all NAID members (National Association for Information Destruction, which every reputable shredding company should be a member of) clearly states that itemized lists of materials submitted for destruction are not proof that such documents were actually included in the materials submitted. This clause protects the shredding company, but it also protects the consumer, because it is eliminating any false notions that the COD is in itself proof that particular documents were destroyed. The clause goes on to state that if specific proof is needed, special arrangements need to be made in advance, with special terms and fees.

    So what, then makes up a good COD, and what should you look for when selecting your shredding service? Here are some excellent qualities of a Certificate of Destruction :

    • A unique serial or transaction number
    • A clear statement of the terms and conditions
    • Statement of fiduciary responsibility
    • The date and location of the destruction of materials
    • The witness to the destruction (a signature, which could be another employee or representative of the shredding company, or representative of the client if they wish).

    What does all of this mean? Do Certificate of Destructions provide any protection to the consumer? Actually, they are very important documents that protect both the contractor and the consumer, by stating upfront what is and what is not a responsibility of the shredding company. And ultimately, it all leads back to this: choosing a reliable, reputable shredding company provides you not only with excellent service, but peace of mind as well.