Maintaining momentum

Eric Haas of Wisconsin-based Automated Records Management Systems shares his plans for NAID during his presidency.

Eric Haas, president and CEO of Automated Records Management Systems (ARMS), De Pere, Wisconsin, was installed as the president of Phoenix-based National Association for Information Destruction (NAID) during its annual convention in late March in Las Vegas.

Haas has been a member of NAID’s board of directors since 2014 and served as president-elect in 2016.

He formerly worked in various roles with The Newark Group, an integrated producer of 100 percent recycled paperboard and paperboard products, before buying ARMS from his uncle in 2008. In the time since, he has expanded the suite of information management services the company provides to include information management consultations, off-site media and records storage, e-backup, email archiving, network storage, data protection, media rotation, media and data vaulting, document imaging, on-site shredding, scan-on-demand imaging and disaster recovery planning.

In his role as NAID president, Haas says he took office with the intention of continuing the association’s momentum. “Service providers, customers and policymakers across the country already largely consider NAID as the voice of integrity, standards and expertise in the area of data disposal. While improvements can always be made, it is a great foundation from which to increase the association’s relevance and improve the market for reputable service providers.”

Haas says he also plans to embrace the efforts of Don Adriaansen of Titan Mobile Shredding, Doylestown, Pennsylvania, who served as the association’s president from March of 2016 until Haas took the mantle this year. He says Adriaansen sought to prepare NAID for the next decade by ensuring its long-term health and relevance.

“On a more granular level, one specific area of my focus is to further establish NAID AAA certification as an international security standard for the industry,” he says. “It is already far and away the most recognized operations and regulatory practices certification in the data disposition arena, making it our industry’s best hope for a uniform, reasonable global standard. I am excited by the increasing uptake of NAID certification in areas like Australia and Japan and its increasing recognition as a data security standard in the IT (information technology) asset disposal space.”

In the following Q&A, Haas shares his plans for NAID during the rest of his term and provides updates on various association initiatives.

Recycling Today (RT): What NAID initiatives are you most excited about?

Eric Haas (EH): As many of your readers already know, the General Data Protection Regulation (GDPR) goes into effect in Europe next year. When that happens, it will become the most aggressive data security regulation in the world. Not only are the requirements significantly more demanding and prescriptive, fines will be dramatically increased and breach notifications go into effect. We are excited by the fact that, unlike any other data protection regime, it includes a requirement for customers to be able to demonstrate compliance, and it has the expressed intention of acknowledging legitimate vendor certifications.

This is all music to the ears of reputable service providers and a great opportunity for NAID to help them. The association has already committed serious resources to a range of initiatives, including sample contracts and education to prepare members there, and has further committed to exploring all opportunities to help members and their customers with compliance.

The association has also recently published the first-ever textbook on the secure disposition of records, media and IT assets, Information Disposition: A Practical Guide to the Secure, Compliant Disposal of Records, Media and IT Assets. (Read more about this book in the March 2017 article available at www.RecyclingToday.com/article/data-disposition-by-the-book.) Though the book will serve a number of roles, including as the training manual for future Certified Secure Destruction Specialists (CSDS), we are most excited by the long-term proposition that it will become part of the curriculum in higher education. Currently, those graduating with degrees in management information systems (MIS), cybersecurity and data security never learn about this critical topic. We have interest from several universities and will work with one in particular as a trial before expanding to others.

RT: Does NAID have any plans related to its certification or accreditation programs in the year ahead?

EH: As mentioned previously, aligning NAID AAA certification with the new GDPR and being an officially recognized EU Data Protection Authority is one of our immediate goals. Additionally, [in June] NAID introduced product destruction endorsement to the program. NAID is also integrating solid state device (SSD) erasure into the certification program for electronic overwriting operations in the first quarter of 2018, which is an important direction electronic information storage is evolving in.

RT: How has the Information Disposition textbook been received?

EH: The Information Disposition textbook has already sold several hundred copies of the first printing in just the short time since it was released earlier this spring. NAID members have been eager to acquire a copy as they are vested in having a deep knowledge bank regarding this industry and want to ensure their customers have a clear understanding of compliance regulations as well. We have also sold a number of copies through the ARMA International (the Overland Park, Kansas-based professional association for records and information management professionals) information bookstore. We will eventually release the book on Amazon, but for now those interested should contact NAID directly to ensure they receive a copy.

RT: How has Shred School evolved since NAID purchased rights to the name from Total Training Services in 2012?

EH: The biggest change to Shred School under NAID ownership came in the first year. Under Total Training Services, Shred School was held in the hometown of Ray Barry, Spartanburg, South Carolina, and focused primarily on getting people ready to enter the business.

We are proud to say that Ray continues to be a big part of Shred School, which means sales and marketing are still a huge part of it. However, when NAID acquired it, we took this education on the road and dramatically lowered the price to make it more accessible to our members’ employees. We also expanded the curriculum to include topics like regulatory issues and digital marketing. Adding NAID CEO Bob Johnson deepened the bench. In the four years since, hundreds of industry professionals have attended Shred School, most of whom would not have been given the opportunity for other industry-specific training.

RT: What do you feel will be the biggest challenge for the information destruction industry in the year ahead?

EH: Industry challenges vary throughout the globe. In North America, consolidation and increased scrutiny of vendor qualifications are both major trends that represent both a challenge as well as an opportunity.

In Europe, the industry is focused on the new GDPR; so, that is NAID’s focus too—particularly the alignment and recognition for NAID AAA certification.

In Australia and New Zealand, though they have smaller markets, they face challenges that look very much like North America did 10 years ago.

Throughout parts of Asia and South America data security is really just now showing up on the radar. Education is still the primary challenge there.

RT: How can NAID help its members address these challenges?

EH: NAID helps members address challenges in several ways.

As the consequences for failing to protect information continue to increase, both customers and service providers need legitimate mechanisms to demonstrate they are doing things correctly. The fact is customers generally do not know how to do that, and there is unfortunately still no shortage of marginal service providers willing to mislead these new customers. All of this means that NAID has a role to play. Everything NAID does is focused on creating the tools, such as certification, Downstream Data Coverage and the education that reputable service providers and their clients need.

Moreover, NAID helps its members by creating awareness and by advocating with policymakers and standards setters. Currently, NAID has ongoing dialog regarding the GDPR in Europe, the PIPEDA (Personal Information Protection and Electronic Documents Act) review in Canada, with specific U.S. states looking at data security, with buying group organizations, such as ARMA International and ASIS International (the Alexandria, Virginia-based professional organization for security professionals), and the Payment Card Institute. We also not long ago commented on proposed regulations in Australia and New Zealand.

Lastly on this point, we talked about the textbook earlier in the interview. It is hard to imagine a better example of a trade association fulfilling its mission than providing critical and missing education to tomorrow’s information protection leaders.

RT: How do you envision the regulatory landscape related to information protection changing over the next five to 10 years?

EH: In North America, I don’t envision any dramatic changes in the laws themselves as they apply to information protection; however, we do believe we’ll continue to see higher fines as a result of continued breaches.

On the other hand, we also see trends that indicate consumers and shareholders will be less tolerant of lax data security. Ironically, that could have a bigger impact than regulations or fines, since it affects both stock value and consumer confidence.

As for the rest of the world, which in many cases is just catching up with the U.S., we see considerable regulatory changes coming over the next decade.

RT: What do you find to be the most challenging aspect of being involved with the NAID board? The most rewarding?

EH: The fact that there are 15 people serving on the NAID board of directors means that it represents a good cross-section of the membership. It also means that a lot of perspectives have to be taken into account when building a consensus, and that can be a challenge. Most board members run their business as they see fit. We are used to being in charge, calling the shots. When it comes to an association though, it is not that way. Luckily, reasonable people generally get around to reasonable conclusions even if it is not a straight line. We have some great dialogues. It can be a challenge to come to a resolution at times, but when we do, I always walk away with a confidence that we have come to the right conclusion.

When it comes to the most rewarding aspect of serving on the NAID board of directors, I would have to say it is meeting and hearing from members who are growing their businesses by using the tools and programs the association offers—things like NAID certification, Downstream Data Coverage, the annual conference, the Compliance Toolkit and Shred School. The networking is rewarding too. Even if we disagree once in a while, I can still honestly say lasting friendships have come out of service on the board.

National Association for Information Destruction President Eric Haas can be contacted via email at ehaas@arms4rim.com.

October 2017 Secure Destruction Supplement