Full disclosure – I’ve never hired a shredding company. The truth is I own a shredding company, and these are some of the comments we’ve most frequently heard about from customers who hired us to solve a data protection problem for them. Unfortunately, without doing some research ahead of time, you could learn the hard way there is more to finding a trustworthy company than price. Here are the top five concerns in no particular order:
1. They were NOT NAID certified
What is NAID certification, and why should it be important to you? NAID is the standards-setting body for the information destruction industry. NAID AAA Certification verifies the qualifications of certified information destruction providers through a comprehensive process including both scheduled and unannounced audits of our data destruction procedures for on and off-site services.
NAID certification auditors verify that protocols are in place to ensure the security of confidential material throughout all stages of the destruction process such as handling, transporting, storing materials prior to destruction, and destroying and disposing of materials responsibly. This also includes any transfer of custody scenarios.
This rigorous process supports the needs of organizations by helping them meet numerous laws and regulations requiring the protection of confidential customer information. If you’ve hired a non-NAID certified shredding vendor, it does NOT necessarily mean they aren’t handling your material safely. It DOES mean, however, that there is no one looking over their shoulder making sure of it.
2. They Didn’t Have the Proper Professional Liability Insurance
Why should this matter to you? Using outside vendors for data destruction and other data-related services has grown so popular because they can do it more securely and more economically than organizations can do it for themselves.
But, with stringent regulations and severe financial consequences, customers have come to realize that they are ultimately responsible in the unlikely event of a data breach or other loss caused by those vendors – no matter how it happened. THAT is why it is critical to insist that your data-related service provider carries insurance that compensates you for any financial consequences they cause.
When organizations first started asking their data-related service providers to have insurance to cover financial damages in the unlikely event of a data breach, service providers turned to off-the-shelf professional liability coverage. They had no choice.
While that may have satisfied the customer’s requirement, it often did not provide them with the protection they thought they were getting. In fact, the types of claims routinely EXCLUDED in those policies encompass intentional acts by employees or claims resulting in the violation of federal regulations which are the two areas MOST likely to cause you to file a claim in the first place. Of course, that meant the customer was unknowingly at risk because their service provider could not effectively cover their liability.
There is now a great option available, Downstream Data Coverage, but it is only written for NAID certified shredding companies. This is absolutely a policy that you should be asking for.
3. My Bill is Full of Add-On Surcharges That I was Unaware Of
No one likes surprises, especially on their invoices. Unfortunately, there are plenty of shredding companies out there that like to quote a very low service charge, only to tack on a variety of unwelcome and unexpected surcharges. The result is that you often see a significantly greater bill than you were quoted.
Examples of some common add-on surcharges that we’ve seen are fuel surcharges, general trip surcharges, city surcharges (for the extra time spent driving around busy big city streets) and most recently, paper recycling recovery surcharges, which essentially means you as the customer are being changed for the shredding company’s loss of revenue when the recycled paper markets drop.
You’re going to want to find a data protection company that does not add these surcharges on to their quoted prices. It is easier to budget when you know what your final costs will be.
4. I Didn’t Know I Would be Responsible for So Much Due Diligence
It is important to understand that you have a regulatory obligation to conduct specific due diligence when hiring a data protection service provider and this continues throughout your service partnership. You may be unaware of the legal requirement or have not established vendor selection criteria. Either way, non-compliance puts your company at risk of regulatory fines, data breaches, embarrassing headlines, and lost business. It also creates an environment where an unqualified service provider is free to put you and your company at risk.
HIPAA, GLB, and FACTA all make references to service provider selection due diligence, with each clearly indicating the expectation of the customer for demonstrating care in its selection of vendors. If you experience a data breach, and your chosen service provider is found to be inadequate, you better be able to defend your decision to hire them with documented vendor qualifications and selection criteria. If “But they gave me the lowest price” is your only selection criteria, you better get ready to write a very large check to the regulators.
What many don’t realize is that hiring a NAID certified vendor can take the place of doing your own due diligence, as NAID certified vendors are audited annually and randomly on all the important industry specific selection criteria.
5. Cheap Doesn’t Mean Better…
It may have seemed like a good idea to hire a provider with the cheapest quote, but there is most likely a reason why a company is charging half what others are asking. It may be that they are simply unaware of how to price their services. If this is true, then lucky you. More often, though, the reason is they have not put the resources (aka MONEY) into proper employee training, state-of-the-art shredding equipment, a secure facility including an alarm system with 24/7 video monitoring, and the proper professional liability insurance for their customers. Collectively, these items all cost money and contribute to a responsible and reputable data protection company – a company that takes safeguarding its customers’ information very seriously.
Clearly, cost is very important in today’s economy. Everyone understands that. Data protection services, however, are just not an area that should be penny-pinched, especially with the dramatic increase of data breaches. You can’t turn on the television or open a newspaper without seeing another story about the most recent data breach. And the stories are not just about large, multinational companies. They involve smaller, local companies that may have been hacked from the outside or breached from the inside.
The bottom line is this: All data protection companies are not created equal. Be an informed decision maker and know the important differentiators. Any shredding company worth their weight in gold should be happy to answer any questions you may have. It’s important, though, to know what questions to ask. Your job and your company’s data security depend on it. As a NAID certified local data protection service provider, AccuShred is experienced and equipped to handle all of your company’s data protection and destruction needs. Contact us today to learn more about our capabilities.