NAID AAA Certification Accolades
NAID AAA Certification is the most recognized and acknowledged verification of data destruction qualifications in the world. The program's standing includes the following:
- More than 950 NAID AAA Certified locations now operate on 5 continents
- Dozens of government agencies require NAID AAA Certification to destroy their discarded sensitive media
- The amended IRS Publication 1075 (2016) acknowledges the value of NAID AAA Certification
- New Jersey requires NAID AAA Certification for on-site destruction of hard drives
- NAID AAA Certification with PSPF Endorsements qualifies a provider for the external destruction of Australian Government official information
It is also the most meaningful and robust secure data destruction validation program, as it:
- Verifies service provider compliance with all data protection regulations, fulfilling the client’s legal responsibility to do so
- Qualifies as the service provider Risk Assessment as required under the HIPAA Security Rule
- Qualifies as the required vendor selection due diligence required by all data protection regulations
- Meets forthcoming requirements of the EU General Data Protection Regulation (May 2018)
- Is required in order to obtain Downstream Data Coverage®, a professional liability policy honed specifically for data-related service providers
NAID AAA Certification Compliance Guidelines
NAID is the standards-setting body for the information destruction industry. NAID AAA Certification verifies the qualifications of certified information destruction providers through a comprehensive scheduled and unannounced audit program. This rigorous process supports the needs of organizations around the world by helping them meet numerous laws and regulations requiring the protection of confidential customer information:
- The FACTA Final Disposal Rule requires the destruction of all consumer information before it is discarded. Covered entities must monitor compliance of any organization contracted to destroy consumer records.
- The FACTA Red Flags Rule requires audits of data-related vendors with access to personal information of customers.
- Under HIPAA, covered entities may be subject to civil penalties for misconduct by their business associates that leads to a security breach. Working with a NAID certified vendor reduces this risk.
- Business associates of covered entities must comply with technical, administrative and physical safeguard requirements under the HIPAA Security Rule.
- The media destruction specifications of PCI compliance require the following, all of which NAID certification requires and verifies:
  - 9.10.1.a: Verify that hard copy materials are crosscut shredded, incinerated or pulped such that there is reasonable assurance the hard copy materials cannot be reconstructed.
  - 9.10.1.b: Examine storage containers used for information to be destroyed to verify the containers are secured. For example, verify that a to-be-shred container has a lock preventing access to its contents.
  - 9.10.2: Verify that cardholder data on electronic media is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by otherwise physically destroying the media (e.g., degaussing).
- NAID’s certification program was developed by information security professionals and is recognized by thousands of private and governmental organizations around the world.
- All regional, third party NAID auditors have earned the Certified Protection Professional accreditation from ASIS International and are extensively trained on all certification audit procedures and requirements.
- NAID certification auditors verify that protocols are in place to ensure the security of confidential material throughout all stages of the destruction process, including handling, transporting, storing materials prior to destruction, and destroying and disposing of materials responsibly. This also covers any transfer-of-custody scenarios.
- An extensive, three-level background screening process verifies that no individual with a known history of related crimes will be handling confidential material.
- A regimented, comprehensive unannounced audit program means that certified companies operate knowing they may receive an unannounced audit on any day, at any time, providing a powerful motivator for ongoing compliance.
- The Certification Review Board tracks reports of non-compliance and takes immediate remedial action to bring certified companies back into compliance. Repeat or serious infractions will result in fines and may result in the removal of certification.