Making the case for certification

Companies looking for the highest level of data destruction security often require National Association for Information Destruction AAA Certification.



Secure data destruction is critical for companies to protect sensitive information. Organizations across industries such as telecommunications, health care, banking, government and education must consider the guidelines and regulations regarding sensitive data stored on their information technology (IT) assets when choosing a company to handle disposal, recycling or repair. Data destruction service providers can hold several certifications and accreditations regarding their disposal, recycling and data destruction processes, and companies looking for the highest level of data destruction security often require National Association for Information Destruction (NAID) AAA Certification.

NAID AAA Certification verifies that a data destruction service provider complies with data protection regulations and security standards related to the physical destruction of hard drives and solid-state devices. It is offered by the International Secure Information Governance & Management Association, or i-SIGMA, a Phoenix-based industry trade association that works to provide consistency in data destruction and records management.

To maintain NAID certification, companies must pass a comprehensive initial audit, then scheduled and random audits thereafter.

Earning NAID certification

Data destruction service providers earn NAID certification to demonstrate their preparedness to support the highly regulated industries their customers occupy. When a company pursues NAID certification at a facility, it needs to add to and adapt some of its security features to meet and exceed NAID requirements.

The process can take more than three months from deciding to certify a facility to submitting the application and receiving the certification. While the certification process itself takes up to two months and includes initial audits and background checks, a facility must have a 90-day history of closed-circuit television (CCTV) recordings to submit the application. Facilities without existing video recordings need to factor this 90-day window into the process.

In addition to installing CCTV surveillance cameras, company employees must have background checks and drug screenings. Per NAID requirements, employees at certified locations must agree to annual random drug screening and background checks, or the company can choose to participate in supervisor trainings to opt out of the drug testing requirements. Only these screened employees have access to secured areas of the facility, so only they have access to the most sensitive data.

After extensive preparation, a company can submit its application. Then an assigned auditor conducts a full audit, checking for internal process compliance in areas such as transportation to data destruction. The auditor also verifies that the facility has the required security features, including security cameras, badge access and alarm systems. Finally, the auditor shares the results with the NAID certification review board, which evaluates the application and ensures information on the company’s application matches the audit findings.

Clean Earth’s facility in Allentown, Pennsylvania, was first certified more than 10 years ago and continuously has upheld its high standard for data security. With this experience and successful track record with the certification process, the company earned NAID certification at its Modesto, California, facility in 2021.

NAID certification includes Clean Earth’s Allentown and Modesto facilities’ physical destruction capabilities. The facilities house industrial crosscut shredders to physically destroy hard drives as well as their data.

In addition, the Modesto facility is NAID-certified in electronic media overwriting. When customers want data sanitization without destroying a product they can refurbish or reuse, or want overwriting as an extra security measure, the e-scrap is directed securely to the Modesto facility for data overwriting.

As demand for regulated and secure data and e-scrap destruction increases, Clean Earth is looking to expand its number of NAID-certified facilities.


Standing out to customers

Meeting customers’ needs and standards for secure destruction is the primary reason data destruction service providers earn and maintain NAID certification. It gives customers peace of mind knowing sensitive information, from pickup through the end of the data-destruction process, is handled with the utmost security by specialists who have been vetted and screened. NAID certification also can be mandatory for clients in higher-security industries.

The extensive auditing processes and requirements are standard for all NAID-certified companies, so providers that are looking to earn the certification and companies that are looking to hire NAID-certified e-scrap handlers can access compliance information and understand the certification requirements.

Customers in industries that must securely maintain data rely on this transparency to ensure they are meeting the legal and regulatory requirements for disposing of e-scrap. They can monitor their data destruction service providers’ compliance through email notifications that alert them when providers’ certifications are up for renewal, when providers are audited and if their certifications lapse. In the case of discrepancies within an audit or issues with a provider’s data-destruction methods, customers can ensure policies address incident response preparedness, employee training and regulatory compliance. Customers also have access to full audit reports and monitoring services.

These factors offer customers transparency into their providers’ operations and encourage e-scrap companies to maintain high certification standards.

Keeping up with regulations

NAID certification requires that companies adhere to the many laws and regulations that require protecting confidential consumer information.

Some laws and regulations that NAID requires member companies follow include the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA) and the Payment Card Industry (PCI) Data Security Standard.

The FACTA Red Flags Rule requires audits of vendors handling data that include customers’ personal information, a requirement that NAID audits cover. The procedures NAID-certified companies must follow reduce the risk of security breaches and comply with technical, administrative and physical safeguards under HIPAA.

Finally, through NAID requirements for the destruction of hard copy materials, storage container examination and unrecoverable electronic cardholder data, all member companies must follow the PCI Data Security Standard.

Additionally, many U.S. government agencies require their e-scrap management companies to be NAID-certified. Companies with the certification meet the European Union’s General Data Protection Regulation, or GDPR. Some U.S. states even require the certification for on-site hard drive destruction.

Whether customers choose a NAID-certified company because it is required or to add a layer of security, they can rest assured they are meeting their legal responsibilities to comply with laws and regulations, regardless of the states in which they operate or the country-specific regulations that exist.

Data destruction service providers looking to improve upon their current security measures and to compete for new customers in regulated industries should consider NAID AAA Certification as a top-tier option. Likewise, industries with high-security data must understand the benefits of working with an e-scrap company dedicated to ensuring its customers remain in compliance with legal regulations by providing the highest level of secure data destruction.

Chendy Chea is the facility manager for three Clean Earth facilities handling hazardous waste disposal, universal waste recycling and electronics recycling in California. He is an expert in electronic scrap processing and information technology asset disposal and can be contacted at cchea@harsco.com.

April 2023