In a world where so many facets of our lives and the information we keep is held online, where we see passwords and security, hackers and scammers see opportunity. For a business, one way to avoid hackers is by keeping systems, processes, and passwords up to date. However, when it comes down to it, all of these things can fail with employee oversight, and simply not being able to spot a phishing email. So, what are some steps you can take today to protect your accounts from hacks? Here are some tips from the National Cybersecurity Alliance.

• Keep good records. Keep documentation of all orders and purchases. This will help you to detect bogus accounts and invoices.
• Most email platforms, including Google and Yahoo now allow you to unsubscribe from emails without clicking on any links within the email itself. If you never subscribed to the email to begin with, don’t click “Unsubscribe” at the bottom, but use your email platform’s Unsubscribe or Junk feature to remove the email.
• Be extra careful with payment procedures. Establish payment authorization procedures, including a multi-person approval process for transactions above a certain dollar threshold.
• Avoid some payment methods when possible. Wire transfers, pre-paid debit cards and gift cards are scammers’ preferred methods of payment. Always confirm that any requests for payment with untraceable methods such as these are verified by an authorized source. Also, try to pay by a written, company. That way, a paper trail has been created.
• Double-check vendors. Make sure that the business billing you is a business you’re familiar with and normally do business with. If not, question it. Get the name of the person you speak with, the company name, address, phone and website.
• Be careful what information you share. Do not give out information about your business unless you know what the information will be used for. Never provide personal information or financial details to anyone you don’t know.
• Protect your devices. Make sure you have proper computer protection software and a firewall. Don’t click on links inside unsolicited e-mails. They could spread malicious software or viruses.
• Spread the word. If your employees know about the scam, they’ll be more likely to spot it. Tell your colleagues too.

Should you receive any phishing emails, it is recommended that you forward these to the Anti-Phishing Working Group at reportphishing@apwg.org and the FTC at ReportFraud.ftc.gov.

The post Avoiding the Everyday Scam appeared first on i-SIGMA.

The answer is often YES! A shredding company may have the right to pursue lost income from an at-fault driver and the at-fault driver’s insurance company after an accident. The amount of the claim will depend on the length of downtime, as well as other circumstances and applicable laws. Here are a few points to consider:

Liability: To establish liability, be sure to gather evidence such as accident reports, witness statements, and video footage. Once fault is proven, demand payment for the repairs or totaled equipment, as well as the consequential damages. Consequential damage includes income lost while the shredder equipment was down.

Insurance claims: The shredding company should consider filing a claim with the at-fault driver’s insurance company right away. This adverse insurance company may be responsible for covering the direct losses resulting from the accident. These direct losses may include repairs or replacement of equipment, towing, hotel, rental of equipment, downtime, diminished value, etc.

Proof of losses: To support an insurance claim, the shredding company will need to provide evidence of the actual losses suffered. This evidence may include estimates and final repair invoices, out of pocket expense receipts, expert statements, financial records, business documentation, and other relevant records demonstrating revenue typically generated during the downtime period.

Legal proceedings: If the adverse insurance company disputes the claim or fails to provide a fair settlement, the shredding company may consider taking legal action to pursue compensation for all losses. Be aware: every claim has a ‘statute of limitation’. This is the time limit in which to bring legal action. Don’t let time run out!

It’s important to note that the specifics of pursuing insurance claims vary based on state law. Consulting with a lawyer experienced in accidents and insurance claims can provide shredders with the most accurate advice tailored to each specific situation. With your supporting documents and their help, you’ll be well on your way to reclaiming money that is rightfully yours.

About the Author: 

Attorney Kelsea Eckert, the driving force behind Eckert & Associates, PA, has been a legal advocate for small trucking businesses for most of her 35-year legal career.  As the firm’s lead attorney, she oversees all downtime claims handled by Eckert & Associates, PA. Working mainly with owner operators and small fleets, the firm provides invaluable counsel to countless small trucking businesses battling insurance giants.

Kelsea’s a big believer in the value of small business. She and her firm are adamant that owner operators and small fleets should receive the same treatment as the big guys. Kelsea’s passionate belief that even the smallest trucking companies deserve fair reimbursement for their repairs, downtime, and other out of pocket expenses is the foundation of her firm’s unwavering commitment to their clients. Kelsea’s tenacity, diligence, and belief in justice have made Eckert & Associates, PA a staunch ally of owner operators and small fleets across our nation.

Learn more about Eckert & Associates >>

The post Can a Shredding Company Recover Lost Profit After a Truck Accident? appeared first on i-SIGMA.

Running a business can be a daunting task, especially when it comes to ensuring compliance with various regulations and laws. Compliance is important not only for legal and ethical reasons but also for the efficiency of your business. By partnering with an i-SIGMA Certified Company who has obtained either their NAID AAA or PRISM Privacy+ Certification, your company is already leagues ahead in terms of compliance. The list below highlights ten things you can do to help run your business more efficiently, all of which are required of i-SIGMA Certified Providers. Find an i-SIGMA Certified Service Provider Here >>

Identify and prioritize compliance requirements

The first step towards efficient compliance is to identify and prioritize the requirements that apply to your business. Depending on your industry and location, you may need to comply with various regulations, such as data privacy laws, labor laws, and tax regulations. Make a list of these requirements and prioritize them based on their importance and impact on your business.

Create a compliance program

Once you have identified the compliance requirements, create a compliance program that outlines the policies and procedures for meeting these requirements. This program should be tailored to your business and should cover all relevant compliance areas. Ensure that all employees are trained on the compliance program, and make sure that it is regularly updated to reflect changes in regulations.

Hire a compliance officer

If your business is large enough, consider hiring a dedicated compliance officer who will oversee the compliance program and ensure that all employees are following the policies and procedures. The compliance officer should have a thorough understanding of the regulations that apply to your business and should be able to keep up with any changes in these regulations.

Use technology to automate compliance tasks

Technology can help you automate many compliance tasks, such as tracking employee hours, filing tax returns, and monitoring data privacy compliance. By automating these tasks, you can reduce the risk of human error and save time and resources. Consider investing in compliance software that can help you manage compliance more efficiently.

Conduct regular compliance audits

Regular compliance audits can help you identify areas where your business may not be meeting regulatory requirements. These audits should be conducted by an independent third party who has expertise in the relevant compliance areas. The findings of the audit should be used to improve the compliance program and make any necessary changes to policies and procedures.

Monitor regulatory changes

Regulatory requirements are constantly changing, and it’s important to stay up-to-date on these changes. Subscribe to regulatory newsletters and attend relevant conferences and events to stay informed about any changes that may impact your business. Update your compliance program and policies as needed to ensure that you are meeting the latest regulatory requirements.

Train employees on compliance

All employees should be trained on the compliance program and the policies and procedures for meeting regulatory requirements. This training should be provided on a regular basis and should cover all relevant compliance areas. Ensure that employees understand the importance of compliance and the consequences of non-compliance.

Implement a whistleblower policy

A whistleblower policy can help you identify and address compliance issues before they become serious problems. This policy should provide employees with a way to report any suspected violations of regulations or company policies without fear of retaliation. Ensure that all employees are aware of the whistleblower policy and understand how to use it.

Maintain accurate records

Accurate record-keeping is essential for compliance. Keep all relevant records, such as financial statements, tax returns, and employee records, organized and up-to-date. Use a secure storage system to protect sensitive information and ensure that only authorized personnel have access to these records.

Seek professional help

If you’re unsure about how to meet regulatory requirements or if you’re facing a compliance issue, seek professional help. Consult with a lawyer or compliance expert who can provide you with guidance and advice on how to meet regulatory requirements and avoid compliance issues.

Compliance is a critical aspect of running a business, and it’s important to ensure that your business is meeting all regulatory requirements. By following the ten steps outlined in this article, with the help of an i-SIGMA Certified Service Provider, you can help run your business more efficiently with compliance and reduce risk.

The post Efficiently Keeping Your Business in Compliance appeared first on i-SIGMA.

• Maximizing the Cares Act Incentives – Webinar
• Maximizing the Cares Act Incentives – Article

Following the webinar, i-SIGMA received a few member inquiries under our Ask the Professionals program and are sharing the responses.

Please Note: i-SIGMA is not a Certified Public Account and is not providing specific legal or accounting advice. We recommend that you reach out to your local tax professional to determine what specifically applies to your business in your local jurisdiction.

Question

Dear Ask the Professionals,

We are excited about adding ERC funds to the PPP money we already qualified for but I’m confused if these funds will be consider taxible income later on. Please advise.

Sincerely,

Tax Ignorant

Answer

Dear Tax Ignorant,

We reached out to CPA Kristina Morgan of Sechler Morgan CPAs PLLC, who advised us of the following:

Nonprofit entities will NOT have to file an amended tax return (other than the required payroll tax return).

For-profit entities WILL have to file an amended tax return for the years they claim the credit. Those amounts will increase the companies’ profits (or reduce losses or carryover losses) and will therefore be taxable.

i-SIGMA also discovered that if a business claims the credit and is not eligible but certifies that they are, this is considered tax fraud. As such, we advise our members to work with a professional to understand the many requirements and calculations that are involved, especially if they also received a PPP Loan(s).

Sincerely,

i-SIGMA & Professionals

Question

Dear Ask the Professionals,

I attended the webinar that i-SIGMA held regarding the Employee Retention Credit (ERC). We have a very small team with only a handful of employees. It seems that most firms want to work with large businesses and are focused only on revenue loss as a basis for applying for the credit. Do you have any information on the other ways of qualifying?

Sincerely

Small But Mighty

Answer

Dear Small But Mighty,

We followed up with Daniel Risen who did the presentation as well as spoke to other members applying for the credit. You are correct that initially, firms assess revenue. However, less than 5% of businesses that have received ERC have qualified under this criteria. (What qualifies? In 2020, if you saw a 50% drop in revenue, compared to the same quarter in 2019, you would be eligible for all of 2020. In 2021, if you saw a 20% reduction in revenue, compared to the same quarter in 2019, you would be eligible for that entire quarter in 2021.

More businesses qualify for ERC via the “Governmental Orders” criteria. If in your state or federally you were affected in your ability to conduct COMMERCE, TRAVEL, or GROUP MEETINGS by the pandemic under certain criteria, you could qualify. A few examples of qualifiers Daniel has seen within our industry in some states include:

1. Supply Chain Disruption
2. Requirement of the company to spend time and money on PPE to clean and sanitize equipment
3. Furloughed Employees
4. Sales were forced to go virtual (if you were unable to attend tradeshows or sales conferences)
5. Employees may not be “active” all day or were forced to perform work outside of their normal job duties

One member did share with us that while his CPA was reluctant to work with him, after approaching another CPA, their business is getting back $250K. His advice was to keep looking for firms who are willing to sit and take the time to work with you!

Sincerely,

i-SIGMA & Professionals

Important: Some experts contend that since our industry was mostly exempted from the shutdown, due to our industry being deemed essential, some businesses may not qualify. We advise our members to work with a professional to understand the many requirements and calculations that are involved with your specific business and local jurisdiction.

The post Ask the Professionals About the Employee Retention Credit (ERC) (US companies) appeared first on i-SIGMA.

What happened that fines are still being assessed and we are still talking about this mayhem?

Morgan Stanley originally hired the moving company, Triple Crown, in 2016 to decommission IT assets from two data centers. It was known that Triple Crown was strictly a moving company and not experienced with electronic data destruction. The contract identified an unnamed e-scrap management company that would sanitise the devices and resell them for a commission, with Morgan Stanley obtaining a cut. It’s become known that early on, Triple Crown stopped working with the unidentified company and began working with AnythingIT without Morgan Stanley’s knowledge. AnythingIT was sold the eletronics with data still on them, having been told by Triple Crown that they had already been wiped. They in turn resold these devises downstream to KruseCom, who either destroyed or sold them on an auction site.

Truly a story in passing the buck and a loss in accountability. Where is the certificate of destruction? Where is the vendor due diligence? There was none, which is why Morgan Stanley is paying dearly.

If you look-up AnythingIT today, you’ll note that they are NAID AAA Certified. There has been some confusion on if this third-party vendor who worked in the Morgan Stanley debactle was certified, how could all of this have happened? As you can see, 1) they were given misinformation and not contracted to do the actual data wiping, AND 2) at the time of them being contracted they were not yet NAID AAA Certified. Since this incident, AnythingIT has become NAID AAA Certified and shown that they in fact DO robust quality best practices, even submitting to unannounced audits.

There are many lessons learned through this incident for everyone, clients and service providers alike.

Morgan Stanley did not take the correct precautions to ensure they hired a reputable service provider, such as a NAID AAA Certified company who would have had rigorous guidelines in place for wiping the hard drives. And it seems that service provider to service provider contracts may have been lacking as well regrading the goods being transferred (do you have language in place when you take acquisition of assets without destroying it?).

Why You Should Earn Your NAID AAA Certification >>

Why You Should Use a NAID AAA Certified Company >>

The post Updates on the Morgan Stanley Data Breach appeared first on i-SIGMA.

As readers already know, the premise of Data Processor certifications has changed. Where once they simply provided a general reassurance that a reputable third party had signed off on the vendor’s practices, now, if properly constructed and managed, those certifications fulfill a client’s regulatory due diligence requirements. Certification has gone from providing a warm and fuzzy intangible, to a very real, tangible benefit.

Another way to look at it is that clients have two options to meet their vendor selection due diligence requirements. 1.) They can review their prospective Data Processors themselves – both initially and ongoing after hiring – against the relevant regulatory and security requirements, or 2.) They can rely on a reputable, bonafide certification program to do it for them.

So, what is this about looking beyond certification?

The fact is, there are two things a certification cannot do… and should not do… which are equally important to a client compliance and/or risk, namely, the quality of their data processor contracts and insurance.

All data protection regulations necessitate a contract between the Data Controller (the client) and the Data Processor (service provider)

I specifically use the word “necessitates” because some U.S. regulations are silent on such contractual engagements, but, in all practicality, the absence of such a contract would almost certainly be deemed negligent. In court the question would be, “Do you mean to justify to the court that you were entrusting this vendor with personal information your firm was required to protect and you had no contract with to hold them accountable?”

Again, for the most part, regulations, even in U.S. do require a Data Controller-Data Processor contract. Furthermore, with data protection regulations now applying to citizens versus territories, the only prudent course is to default to the most rigorous.

Contracts are by nature not something a certification can have much overlap, besides, that is, the obvious overlap of a contract requiring a vendor maintain a certified status. Beyond that, however, a certification cannot (and should not) be expected to stipulate all the various particular issues and clauses that a Data Controller-Data Processor contract would. There are simply too many variables and subtleties.

The same can be said about insurance, and, more specifically, Professional Liability Insurance (PLI). PLI would be the insurance a service provider would rely on to cover the expense on any accident or negligence in the performance of their professional duties. From the Data Controller’s perspective, the availability and quality of PLI are critical, since the insurance is what allows the Data Processor to be held financially responsible.

As a side note, I cannot tell you how many times I have seen Data Controllers passing on financial liability to a Data Processor with no reciprocal requirement for that Data Processor to have PLI. Of course, this stipulation would be useless unless it was accompanied by the Data Controller’s evaluation of the PLI, since there is the strong possibility that the policy has problematic exclusions.

Back to the topic at hand, though, this is exactly the reason a certification cannot simply mandate Data Processor maintain PLI, since the certification cannot evaluate the insurance anymore than it can mandate necessarily specialized, custom contracts.

So what?

Well, for the client requiring certification it means there is more to do, and that there is no shortcut. Contracts and the professional liability of the service provider are always going to be something requiring they get into the weeds.

For the service provider, it means opportunity. Being able to help clients understand and navigate their contract and insurance requirements and risks will both set them apart from their competition as a true professional and earn them the margins they deserve as such a professional.  Looking at it from another angle, it is only a matter of time before clients become aware of these issues. It will certainly reflect more positively if the service provider that has already made it known that they are aware of these issues, or at least is able to respond intelligently, versus simply looking back at the client, shrugging and clueless.

End note for clarity: Contracts fall under both compliance and risk management. Insurance, on the other hand, is not a compliance issue but definitely falls very high on the risk management continuum.

The post Beyond Certification appeared first on i-SIGMA.

Conventional media collection containers are provided as a convenience, not a security measure. And while they do serve to prevent access by unauthorized individuals, they were never intended to secure information from a malicious individual who could simply wheel the bin away, bust it open with a hammer, or slice it open with a razor knife.

The actual “security” stems solely from the controlled confines of the client’s building; it has locks on the front door, the watching eyes of employees, and the security alarm and CCTV of the building…and not from the container itself.

Understanding this is important for a number of reasons.

Key Control

It sometimes strikes clients as inappropriate (or unsecure) that the keys to their containers open containers placed at other clients. Doesn’t that mean those other clients could open their bins too?

The misconception here is that the “key” is the source of the security. It is not. If an unauthorized person is walking around their office opening bins, the problem is with the security of the building, not the container. As already mentioned, that same malicious unauthorized individual walking around the office could have gotten into the containers without the key.

The idea that a key that is exclusive to one client is more secure is both misguided and dangerous. No client should believe – or be led to believe – that anything but the security of the overall environment in which the containers are deployed is the actual source of the security.

Furthermore, from the service provider’s perspective, suggesting the key and container are the source of the security suggests that they – the service provider – are responsible for that security of material in the client’s office. It is extremely reckless, both for the service provider, and the client, to foster that belief.

Care and Custody

Clients sometimes believe (or act as if they believe) that custody of the media transfers to the service provider once it goes into the collection container. That is not the case. Regardless of who provided the collection container, the service provider is not responsible for the care and custody of personal information until they take possession of it. Again, the security of the environment is the important thing, and, as a result, it is very important that service providers do nothing that suggests otherwise.

Written by Bob Johnson, CSDS | 11 May 2022

The post Media Collection Containers, Key Control, & Custody appeared first on i-SIGMA.

In its role as a member-owned organization, i-SIGMA provides a robust repertoire of member benefits, including state-of-the-art contracts and agreements, marketing materials, regulatory intervention, and educational events. Find the full list and details of all i-SIGMA benefits on the association website, and all members are encouraged to review and make use of them.

Certifications: Included among the benefits of i-SIGMA membership benefits is access to information protection’s two leading service provider certifications, NAID AAA and PRISM Privacy+. With the overwhelming majority of its more than 1,200 member-locations holding one or both of those certifications, they are the most success programs i-SIGMA has offered to date.

By now, it is well known that i-SIGMA membership replaces NAID and PRISM International membership at the end of this month, and that going forward the use of NAID and PRISM will be limited to their respective certifications.

A Personal/Business Decision: Over the years, our surveys have consistently shown that the vast majority of non-certified members fully intend to become certified as soon as they can find the time. And whether now is the right time or not, it is critical for those members to know they are still benefiting from the association’s efforts and their contribution to the association continues to promote client education and adoption of their services.

It is also important, however, for non-certified members to take stock. In a matter of weeks, NAID and PRISM will only be associated with each respective certification program. If past surveys are correct, and certification is a future goal, there is no better time to do it than now; thereby maintaining your link to the two most recognized information protection brands in the world.

How to Become Certified: Becoming Certified is not as complicated as some may think.

1. Meet all required specifications as outlined in the i-SIGMA Certification Specifications Reference Manual
2. Submit a completed certification application
3. Successfully complete an initial scheduled audit verifying all aspects of compliance

Contact the i-SIGMA Certification Department for more information.

Written by Bob Johnson | 30 November 2021

The post If Certification is in Your Plans, Now is the Time! appeared first on i-SIGMA.

Those attending the i-SIGMA webinar on How to Overcome the Labor Dilemma in an Evolving COVID Economy w/ Tom Adams hear him say these tasks require the same focus, the same planning, the same intensity of effort as sales and marketing. In short, service providers can no longer afford to take it for granted.

With that in mind, i-SIGMA would like to share what we have learned since first starting this discussion, and, more importantly, hear what others are doing.

1. Hiring and retaining drivers is the most troublesome issue. Drivers are the face of the company. They need to be presentable and capable when dealing with clients and the inevitable issues that can arise in the field. In fact, the drivers our industry needs interact with clients far more than the delivery driver that knocks on your door and leaves a box.
2. Increasing compensation is a solution, but there are nuances. Of course, increasing pay will attract and keep employees, but bumping them up 20% in one stroke, could cause problems. Additionally, hiring a new driver (or other employee) at the same rate or higher than a long-time employee has a number of risks too, such as losing or de-motivating the long-time employee.
3. Paying higher wages and showing more appreciation is the least expensive strategy. Keeping a client is a lot less expensive than finding a new one… and the same can be said of good employees. Recruiting and training are expensive, even more so when you know how much effort it takes to find and attract new people. A bad interaction with an under-trained employee can cost you customers.
4. Poaching (especially drivers) is okay but should be strategic and discrete. Let’s face it, the person sitting at home who’s benefits just ran out might not be the best choice. Better is someone who is working (and working hard). Water delivery services and appliance delivery are two industries providing a good source of drivers who are used to hard work and dealing the public but finding them and luring them requires tactical diligence. Keep in mind, this is a two-way street. While i-SIGMA does not condone poaching among its members, good, hard-working employees—no matter where they are presently—are at a premium. There is a good chance someone is eyeing yours.

We know there are more ideas and considerations out there. Some readers might disagree. PLEASE COMMENT! We want to hear from you. In fact, your comment may end up in a more complete examination of this issue printed in an i-SIGMA publication.

Share Your Comments in the i-SIGMA LinkedIn Group Post Now >>

The post The Struggle to Hire & Retain Good Employees appeared first on i-SIGMA.

And, in this regard, it is also understandable that their initial focus is determining the appropriate particle size for the media they wish to destroy.

Unfortunately, when searching for such guidance online, the only information available often pertains to government classified information, resulting in unnecessary expense and often a high degree of unnecessary inconvenience.

Here are a few things to consider:

• No data protection regulation in the world specifies a particle size for destroyed paper or electronic equipment. They simply mandate the information be reasonably inaccessible and not reconstructible.
• Most particle size specifications issued by and for government agencies must anticipate that the materials are not controlled after the destruction process.
• Unnecessarily meeting a very small (and irrelevant) particle size can cost 5 to 10 times what would be reasonable by regulators.
• Because of the factors above, requiring an unnecessarily small particle size may discourage compliance by front line employees, which, ironically, ends up putting the organization at greater risk.

Also consider:

• NAID AAA Certified media destruction services are required to demonstrate they prevent access to destroyed particles after the destruction process.
• Commercial media destruction firms destroy large amounts of material from multiple sources, all of which is co-mingled prior to being baled and securely recycled or responsibly discarded.
• Hundreds of thousands of organizations around the world rely on NAID AAA Certified service providers to meet the security and regulatory media destruction requirements.

i-SIGMA is a global, non-profit association dedicated to the proper destruction of discard information for more than 27 years and believes that organization is ultimately responsible for the protection of personal and competitive information in its possession.

The advice above is simply provided to help organizations decide what particle size best meets their needs, while avoiding the expense and risks of acting without a complete perspective.

NAID AAA Certified Company Marketing Resources

Companies who are NAID AAA Certified should use the following resources to use as marketing material for clients asking questions pertaining to particle size:

“What is the Correct Particle Size for Your Destroyed Media?”

“What is the Correct Particle Size for Your Destroyed Media?” – ANZ & UK

Please Note: It is acceptable for Certified members in good standing to also translate this file into other languages

Written by Bob Johnson | 29 July 2021

The post What is the Correct Particle Size for Your Destroyed Media? appeared first on i-SIGMA.