Let’s rewind the clocks to a simpler time. The year was 1995 and a NAID certification was unheard of.
The Rock and Roll Hall of Fame Museum opens in Cleveland, Ohio by renowned architect I. M. Pei. The number one song is Gangster's Paradise from Coolio.
The first solo transpacific helium-filled balloon flight is made by Steve Fossett, covering 5,430 miles from Seoul, South Korea, to Leader, Saskatchewan, Canada.
The Sony Playstation is released in North America and Europe.
In these early days, the big desktop computers, laser printers, and even bigger mainframe computers looked a lot different. They were much bigger and bulkier back then.
Regardless, they served the same purpose: people were using technology for efficiency. There was a lot of data being stored, private information. There were concerns, but the regulation back then was not as strict as it is today for information security and privacy. Nor was it as strict for environmental regulation and dealing with e-waste and all the hazardous components that are found in e-waste.
27 years ago, the average household may have had one cell phone, one desktop computer, and one TV in the house. Now, almost a third of households have more than 2 computers, 4 cell phones, and 4 television sets. The average household has 7.3 screens in their home.
We have technology everywhere. And with that, there is the collection of data.
But why 1995? For starters, Greentec was formed that year and the ‘90s were a pivotal time for NAID and technology in general.
i-SIGMA came about from the merger of the National Association for Information Destruction® (NAID®) and PRISM International™ (Professional Records and Information Services Management®) in 2018. They now operate under the umbrella of i-SIGMA, but their mission remains the same: as a third-party data security vendor, to rigorously enforce information security standards and ethical compliance of records and information management and data destruction providers. They provide scheduled and surprise audits, by trained, accredited security professionals, to help businesses meet their regulatory due diligence requirements.
According to i-SIGMA, “the 1990s will probably be remembered as one of the most phenomenal decades in American economic history, and the growth in the commercial records center industry reflects that boom.”
There became a need for backup for massive amounts of electronic files…and it gave birth to electronic vaulting. Although piloted in the 1980s, electronic vaulting became more prevalent in the 1990s due to the switch from manual records management to electronic filing. Electronic vaulting uses a central computer to ping a client’s LAN periodically and create a 30-day emergency backup. Today we’d call that Dropbox, or something similar.
Nowadays, storage has become so cheap and abundant, backups normally exist either onsite or in the cloud.
This brings us to the problem that data and its backups need to be destroyed at end-of-life.
The Types of NAID Certifications
So what does a NAID certification require that verifies your data’s safety?
It requires training. It requires that specific procedures and processes be followed for the security side of things as well as the environmental, health, and safety protocol side.
Certifications are all about transparency. And it provides a window into the organization.
NAID is really all about physical security, the data wiping, the data destruction, and the soft side of security.
But when it comes to certifications, oftentimes companies will window dress just like everywhere else, but the question you should focus on is what type of certification they have.
For example, “You're NAID certified for example, but what are your NAID certified for?”
A company could be NAID certified for just document shredding documents. Or they could be NAID certified for on-premise type of destruction work. There is a NAID certification for data wiping electronic devices and the company could be certified for plant-based wiping, but not on-premise.
And the same goes for physical destruction. They may be certified to shred devices at their own plant, but not on someone's premises. So knowing that someone has a NAID certification is good, but it’s also knowing what the scope of that certification is, is even better.
The advantage of a NAID certification is that a company cannot certify itself. It will have a third-party verifier come in, they look at the vendor’s processes and the biggest question that they are attempting to answer is simply,
“Are you doing what you say you're doing?”
During their site audit, NAID goes through all of their security protocols to make sure that there are written processes in place and that the employees know what these processes are by heart (or at least know where to easily access them/demonstrate them). Employees are background-checked as part of the NAID certification.
This is especially important if they're an employee that has access to electronic devices and data, for example, your devices. And having that certification means that auditors come in and weigh all of these factors, and either certified the vendor that they are following those standards or they are not (and a means for remediation).
So the overarching NAID certification not only applies to on-premises and what is done there, but it also applies to how the employees train as well as what is done in their own plant where they are receiving these IT assets.
NAID has also other levels of certification, such as on-premise or plant-based destruction, for example. In the case of Greentec, we employ live CCTV cameras in the Greentec facility as well as a metal detector and a security guard at our facility during all business hours. Then we have a cage and a fenced-in area that only allows access to employees and our trucks, and when they go on the road, they have to be locked at all times. Then, the physical locks on the doors of the trucks/vehicles have to follow a specific standard, including GPS tracking.
And then there are other levels like data destruction of information (not physical destruction of the actual device, that’s another cert), then you need to have to be certified for that.
Here’s what Greentec would recommend as the best way to deal with certifications: when an organization tells you they do have this certification, ask for a copy of it and read what they're really certified for. The scope of the certification would say right on their document what they're certified for.
From a transparency perspective, if you were chatting with a prospective vendor and you tell them you want them to take care of these assets, transparency would require that they are not certified to do that. You shouldn't have to hunt to get that certificate.
Who Typically Asks for NAID Certifications or Similar IT-Related Certs?
Larger enterprise accounts are asking for them as well as government clients, institutions, IT professionals and leaders who understand security throughout the whole lifecycle of devices. These types of professionals are also held to a much higher standard when it comes to data, privacy, and security.
When it comes to the end of life cycle, they don't want to take security for granted. They want to make sure that even when it comes to end of life, they're working with a partner that understands the importance of security and has the right protocols, systems, and technology in place to be able to handle the information securely, as well as wipe, remove, and destroy it.
Why Data Destruction with NAID is Imperative
The biggest mistake IT leaders make when disposing of old assets is not being able to track the destruction of old data. Often, they assume that the devices don’t store any important data, so they try to save costs by not going through the proper data sanitization or destruction process.
However, they end up not having important documentation and certificates to protect them from privacy breaches. Unfortunately, there is a temptation just to kind of get rid of unwanted IT assets and not really pay attention to the level of certifications and security that you're getting from a company.
Some even approach it from the standpoint that the information is not that important. In the eyes of regulation and legislation, the information or the data controller, the person that controls the information is always the one that's held liable.
What a lot of companies do not understand (or they may not simply know) is that they are liable for those breaches. So if they have a data breach, for example, they had a hundred customers or a hundred contacts whose private information was exposed, they could get sued by every one of those contacts.
By the way, data breaches are up by 200-300% in the last five years.
At Greentec, we have spent time looking at lots of different providers for IT disposal recycling across the industry, and we have noticed that some have their certifications prominently displayed, and some of them either don't have them or they don't put them on their website.
We’ve been in business long enough to know that’s a big problem.