What is NAID AAA Certification^®?

The increasing number of laws and regulations requiring information protection emphasizes your responsibility to make careful decisions about how your data is handled and who handles it. If security safeguards are breached, audited or challenged due diligence in the selection of the shredding vendor must be apparent and defensible. Merely saying “but we have a certificate of destruction” is an inadequate defense. Any lawyer, judge or jury would want to know what qualifications the provider possessed for you to choose them. You must be able to defend those qualifications in a court of law.

How can you be certain of the shredding provider’s qualifications? One simple way is to ask them if they are NAID AAA Certified^®. i-SIGMA® NAID certification verifies the shredding provider’s qualifications and confirms the security you expect.

Every aspect of a NAID AAA Certified^® provider’s operation is controlled by strict security standards. In fact, NAID AAA Certified^® standards are so demanding they establish the due diligence required for compliance with HIPAA, Gramm-Leach-Bliley (GLB) and FACTA, and they exceed the standards for reasonableness that is generally accepted by government agencies and courts.

NAID AAA Certification^® demands compliance with standards for employee screening and hiring, operational and facility security, the destruction process, and insurance requirements. In all, compliance with more than twenty standards is verified by and independent Certified Protection Professional^® (CPP)*. And it doesn’t stop after one inspection; to maintain certification, the shredding provider must pass the verification process annually. And to ensure ongoing compliance, the provider may be randomly audited throughout the year.

By choosing Ohio Mobile Shredding; NAID AAA Certified^® since 2003, you demonstrate that you have made your choice about information protection with care, diligence, and respect for the law.

*The CPP is the highest and most recognized security management accreditation achievable. The CPP accreditation is issued to security professionals who meet stringent educational and experience requirements by ASIS International®, the preeminent professional security association.

Downstream Data Coverage helps protect you.

Using outside services for data destruction, records storage, media rotation and many other data-related services has grown so popular because they can do it more securely and more economically than organizations can do it for themselves.

However, as the financial and regulatory compliance liabilities around data protection increase, customers have come to realize that they are inescapably responsible in the unlikely event a data breach or other loss is caused by those vendors – no matter how it happened.  Let’s face it, when 47 states have data breach notification laws and with HIPAA now requiring data breach notification across the country for breaches involving healthcare information, customers have the right to be concerned.  Fines for improper data disposal and expenses for data breach notification over the last few years are in the tens of millions of dollars and continually increasing.

That‘s why it‘s common for customers to insist that data-related service provider’s reasonably indemnify them from any harmful financial consequences they cause.  Unfortunately, many of the professional liability products on the market do not adequately address the risks.

So, how then do customers really know they are protected, when they usually never even see the policy, and if they do see it, they need a lawyer to decipher the language?  The best solution is to require a specific policy developed by organizations worth trusting.

When i-SIGMA first learned that many policies contained loopholes that rendered them useless, it started what turned out to be a 4 year project to put together a product that would provide real protections to it members.

Downstream is not available to just any service provider. i-SIGMA also had another goal when helping to create Downstream; to help lower the cost of dependable coverage to its members. To do that, only service providers subject to the security specifications and audits (both announced and surprise) of the NAID AAA Certification^® process are eligible for Downstream Data Coverage.

So, by insisting that your service provider has Downstream Data Coverage, you are not only assured they have dependable professional liability coverage, backed by i-SIGMA’s reputation and the resources and integrity of Lloyd’s – you are also assured by their NAID AAA Certification^® that you are dealing with an service provider whose operations are intensely audited.

(taken from www.downstreamdata.com)

NAID AAA Certification^® Criteria

Ohio Mobile Shredding has met or exceeded the following NAID AAA Certification^® criteria:

Employee Screening & Hiring

• A criminal record search must be conducted for each place of residence and employment during the previous 7 years and obtained through a third-party background search service.
  OMS Employees have background checks done by the FBI and the Bureau of Criminal Investigation (BCI)

• A social security header search must be conducted prior to the criminal background investigation to ensure all state and counties of residence and employment have been included (and verified) in the investigation.
• One third of Access Employees must be randomly selected and a criminal record search conducted annually by an outside source.
• No person subject to a felony conviction in the last seven years for any crime involving theft (of tangible or intangible property), fraud, burglary or larceny may be employed in a capacity where they come in contact with confidential client information.
• All employees must be drug screened at the time of hiring and randomly screened throughout the year.
• All drivers must meet all state licensing requirements. A valid driver’s license must be produced and a copy kept on file.
• All employees must sign a Confidentiality Agreement and have an I-9 or proper work permit/registration on file.

Operational Security

• Written policies and procedures for employees and drivers must be in place, updated and accessible.
• Drivers and processing employees must wear company uniforms and photo ID badges.
• Drivers must have accessible two-way communication devices.
• All vehicles used for the transfer of client records will have the applicable government inspection for road worthiness on file.
• All vehicles used for transfer and/or destruction of client records must have lockable cabs and lockable fully enclosed boxes. Locks must be used during transport and when unattended.
• All materials must be securely contained during transfer from customer’s custody to transportation vehicle to prevent loss from wind or other atmospheric conditions.

Facility Security

• Unauthorized access to the destruction area and client records is effectively prevented.
  OMS’ entire facility is locked down twenty-four hours a day.

• All non-employees entering the facility must sign a log with their name, time-in, affiliation, and time-out. The record is kept on file for one year. Visitors must be escorted or under the supervision of an Access Employee at all times.

• There is a secure area within the facility devoted to destroying media.
  OMS’ entire facility is devoted to destroying media.

• Materials are always attended by a company employee or physically secured from unauthorized access before destruction.
• There must be a monitored alarm system in place and utilized when the building is unoccupied.
• There must be a closed circuit camera system monitoring all access points and all processing activity with sufficient clarity to identify people and their activities. Recordings must be maintained for 90 days.
• Security systems must be checked and maintained on a monthly basis. A record of each check must be retained for one year.

The Destruction Process

• All paper or printed media is destroyed by equipment that reduces the paper to a size no wider than 5/8″ shred width.
  OMS utilizes equipment that reduces materials to a shred width of 5/16″ or pulverized into irregular sized particles.

• All mobile destruction must be performed at the customer’s site.
• Standard operating practices dictate that plant-based destruction must take within 3 business days.
• Destroyed materials must be disposed of in a responsible manner, which does NOT include any type of reuse (for purposes such as animal bedding or packing materials).
• A written and verifiable process for the physical destruction (not wiping or overwriting) of conventional computer hard drives must be in place. The serial numbers of all hard drives being destroyed must be recorded for each client.

Company Assurances

• The company must be legally registered business in the state of residence.

• The company must be in business for a minimum of five years.
  OMS has been in business for more than thirty-six years.

• General liability insurance of at least $2,000,000 is maintained.
  OMS exceeds certification requirements with a $3,000,000 policy.

• All marketing materials are inspected to check for misleading advertising.

Benefits of Working with a CSDS Professional

What is a Certified Secure Destruction Specialist (CSDS®)?

The CSDS program is a professional accreditation issued by i-SIGMA, the 20-year-old, non-profit watchdog organization for the secure destruction industry. To earn the accreditation, individuals must prove they have a high degree of competency in a range of data protection regulatory and compliance issues as well as a thorough understanding of physical and operational security.

Why work with a CSDS?

The secure destruction of records and data has become a complicated process over the past decade. With constantly evolving data protection laws, service provider qualifications, media, and policy development and training requirements, designing a compliant program requires a level of expertise not available in most organizations. It is now critical that you work with someone who understands your responsibilities and theirs.

For instance, did you know?

• 48 states now have laws mandating specific training of employees regarding reporting of potential data breaches to affected individuals as well as regulators.
• Health care organizations now need new contracts with their data destruction companies.
• Specific information included in a certificate of destruction will maximize their legal benefit.
• Data protection regulations now require written policies and training for employees.
• Many new types of computer hard drives cannot be overwritten or magnetically degaussed.
• Organizations can take preventive action to minimize the consequences of a data breach.

Improper data disposal puts an organization at risk

Prior to 2008, there were few if any regulatory fines for improper data disposal. Since then, in an attempt to curtail the growth of identity theft, millions of dollars in fines have been assessed. Newspapers and broadcast media routinely report incidences of improper disposal. In fact, the U.S. Department of Health and Human Services is now actively training the staff of states’ attorneys general to look for improper disposal of certain types of data.

A CSDS keeps up on data destruction requirements

There is no question that data destruction requirements will continue to evolve. That’s why CSDS professionals are required to continue their education of data protection laws and other changes that will affect their customers. Because they are staying informed, you’re better protected.

Use a CSDS to help you with your secure destruction needs today. Learn more at www.isigmaonline.org.

CSDS competencies

• Data protection legislation
• NAID certification
• Physical and operational security
• Records management principles
• Contracts and insurance
• Data protection principles
• Data destruction systems
• Employee compliance

About i-SIGMA®

The International Secure Information Governance & Management Association (i-SIGMA) is the non-profit watchdog organization for the secure data destruction industry founded in 1994. i-SIGMA’s mission is to promote the proper destruction of discarded information by promoting the standards and ethics of its members.

www.isigmaonline.org

GPS Tracking

All of our trucks are equipped with the latest GPS tracking technology to ensure absolute security in your document destruction. We know where our trucks, and your materials, are at all times.

In addition to providing a higher level of security, our GPS tracking allows us to respond quickly to emergency needs. If a client needs immediate service we can use our GPS system to locate an available truck near the area.

Facility Security

To ensure the security of your records, OMS’ facility is dedicated to destruction operations only. All entrances are locked twenty-four hours a day and access points require key and/or access codes. A closed circuit surveillance system monitors all points and processing activity, and a monitored alarm system is armed when the facility is not occupied.

All non-employees are required to sign a log stating the purpose of their visit and a Confidentiality Agreement. Visitors entering the destruction area must be escorted by an OMS Access Employee at all times.

Our Employees

Before being considered for hire, every OMS candidate must pass an extensive third-party background screening by the FBI and the Bureau of Criminal Investigation (BCI). This includes investigating felony and misdemeanor criminal records, a seven-year employment history, pre-employment drug screens, credit checks and motor vehicle reports for our drivers. Every new employee must also sign a continuing obligation Confidentiality Agreement.

All OMS associates are required to comply with OMS’ written Policies and Procedures as well as the standards required as a NAID AAA Certified® provider. All of our drivers wear easily identifiable uniforms with photo ID’s and are bonded and insured.

And, last but not least, all of our associates are really nice people!

Our Certificate of Destruction is validated by a comprehensive audit trail

At OMS, we don’t just provide you with a “Certificate of Destruction”; we back it up with a detailed audit trail for your record keeping and security. Our unique Certificate of Destruction establishes critical criteria such as transfer of custody and acceptance of fiduciary responsibility for your protection.

• Before your service begins, we provide you with a performance agreement establishing the criteria for your information destruction.
• At the time of service, we provide you with an Accountability Receipt documenting the details of your service and transfer of custody of your information.
• After your information is destroyed we issue you a Certificate of Destruction verifying the date that your information was completely and confidentially destroyed.