As we previously discussed, we are AAA NAID Certified. Under NAID's requirements we must comply with the following process, which supports the needs of organizations around the world.
Note: the information below is quoted directly from NAID to ensure we cover everything correctly:
- FACTA Final Disposal Rule requires the destruction of all consumer information before it is discarded. Covered entities must monitor compliance of any organization contracted to destroy consumer records.
- The FACTA Red Flags Rule requires audits of data-related vendors with access to personal information of customers.
- Under HIPAA, covered entities may be subject to civil penalties for misconduct by their business associates that leads to a security breach. Working with a NAID certified vendor reduces this risk.
- Business associates of covered entities must comply with technical, administrative and physical safeguard requirements under the HIPAA Security Rule. For more information on HIPAA, see "Common misconceptions about HIPAA and data destruction."
- The media destruction specifications of PCI compliance require the following, all of which NAID certification requires and verifies:
  - 9.10.1.a: Verify that hard copy materials are crosscut shredded, incinerated or pulped such that there is reasonable assurance the hard copy materials cannot be reconstructed.
  - 9.10.1.b: Examine storage containers used for information to be destroyed to verify the containers are secured. For example, verify that a to-be-shred container has a lock preventing access to its contents.
  - 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media (e.g., degaussing).