Looking Under the Hood: How Clients Can Look Beyond False Assurances

July 26, 2019

By Bob Johnson
The unethical business practices found in every business have one thing in common: they prey on customers who don’t know any better.

It’s not the customer’s fault. They’re not supposed to be experts. I know more than most about cars, but that doesn’t mean some unethical auto mechanic couldn’t pick my pocket. Of course, left unchecked, unethical behavior casts an unfavorable shadow on everyone in that space. Ask any used car salesman (or automobile mechanic).

Enter trade associations. If widespread unethical behavior casts a negative shadow on the whole industry, there can be no argument that industry trade associations have an obligation to act. Some do and some don’t. While many make reference to their Code of Ethics, few encourage complaints, post a complaint form, and post their process for investigating them.

i-SIGMA does. It not only holds NAID and PRISM International Members to its Code of Ethics, it makes its Ethics Complaint Form and Complaint Resolution Guidelines readily accessible on the association’s website and offers an active Complaint Resolution Council to oversee such matters.

Aware Customers Equal a Good Marketplace
In the end, i-SIGMA arming customers with information to recognize unethical behavior is selfish. An educated client is the best way to ensure a marketplace for thousands of ethical service providers providing legitimate, safe solutions.

What follows is a list of some of the more troubling ethical transgressions, any of which should send the customer running in the other direction (and hopefully lead to an ethics complaint).

1. Falsely Claiming to be Certified by NAID or PRISM International
Customers that use electronics recyclers, paper shredders, and records management services are required by law to ensure their service providers’ data security and regulatory compliance. As a result, thousands of customers rely on NAID AAA Certification or PRISM Privacy+ Certification to fulfill their due diligence obligation. Both certification audits are conducted by trained, accredited outside auditors who inspect and verify the necessary elements, and one or the other is required in thousands of contracts around the world.

Learn more about NAID AAA Certification and PRISM Privacy+ Certification audits and contact our certification department.

Due to the popularity of both certifications, occasionally a vendor will falsely claim NAID AAA Certification or PRISM Privacy+ Certification in an effort to trick customers.

Clients should verify a company’s NAID AAA Certification or PRISM Privacy+ Certification using the association’s Service Provider Locator.

2. Falsely Claiming to Meet Certification Standards (Variation on #1)
This happens when a service provider represents they meet the NAID AAA or PRISM Privacy+ Certification standards but fails to complete the required audits. They do not claim to be certified but instead claim to “meet” the requirements.

The claim to “meet” NAID AAA Certification or PRISM Privacy+ Certification standards is a “false” claim; the third-party audits, scheduled and unannounced, built into the program are as critical as any other specification. A service provider cannot “meet” the standard if they are not subject to the audits. Self-declaration defeats the integrity of submitting oneself to the scrutiny of unannounced audits, which is an essential component of the program’s ability to ensure a customer is fulfilling the due diligence obligation referenced earlier.

Same as #1… Clients should verify a company’s NAID AAA Certification or PRISM Privacy+ Certification on the association’s Service Provider Locator.

3. Misrepresenting Membership as a Form of Certification
NAID and PRISM International are part of a trade association and many service providers join to access member benefits. Membership is NOT the same as Certification. NAID AAA Certification and PRISM Privacy+ Certification require that the member undergo third-party audits.

Due to the popularity of both certifications, occasionally a member will misrepresent that their membership in NAID and/or PRISM International equals certification or implies that they are held to some higher standard of operations. It does not. Members do agree to abide by the Code of Ethics; however, there is no verification of operational security in membership alone.

Same as #1… Clients should verify a company’s NAID AAA Certification or PRISM Privacy+ Certification on the association’s Service Provider Locator.

4. Promoting Use of “Certified” Software or Equipment as a Qualification
Computer recyclers sometimes advertise their use of “certified” software overwriting solutions. Additionally, service providers that provide physical destruction or degaussing of media sometimes advertise their use of “certified” or “approved” equipment.

The fact that a service provider uses “certified” software or equipment says nothing about their employee screening or training, regulatory compliance, access controls, or breach notification preparedness. Despite many requests, NAID and PRISM International have refused to certify the efficacy of software and equipment specifically because customers could be misled that its use implies the services using them meet overall operational requirements.

Clients should not rely on the use of certified software or equipment as a measure of a service provider’s operating qualifications and, furthermore, clients should be suspicious of any service provider proposing their use of certified software or equipment as the sole measure of their security and regulatory compliance.

5. Falsely Claiming NAID and/or PRISM International Membership

A company falsely claims to be a member of NAID and/or PRISM International hoping the affiliation will confer credibility on the company and its services.

The first thing the client should remember is that NAID and PRISM International membership are not the same thing as NAID AAA Certification or PRISM Privacy+ Certification. In any case, a client should always check with the association’s Service Provider Locator to validate the membership and/or certification status of a service provider.

6. Claiming an Inferior Certification
Regulatory requirements for clients to validate service provider qualifications have led to the creation of questionable and inadequate certifications.

Service providers hoping to prey on clients’ unfamiliarity with legitimate certifications obtain inferior self-certifications that require no audits and have no transparent specifications. Often, these certifications are created and sponsored by a for-profit organization with little transparency or accountability.

When presented with a questionable certification as a vendor qualification, clients should verify that the certification body itself is legitimate and that its corporate structure is that of a non-profit required to maintain the appropriate level of transparency.

7. Claiming to Meet an Un-Auditable Standard
There are some legitimate standards that do NOT require an audit regime. Because no audit is required, there is nothing inherently wrong with a service provider claiming to meet them. NIST 800-88 is an example; any firm may claim to meet the standard with no third-party verification.

The unaudited claim to meet NIST 800-88 for media sanitization or the D.o.D. standard for hard drive wiping (now obsolete) is intended to imply some assurance to the client, when it is really no more than a claim. It may or may not be true, and there is no assurance in and of itself.

Where a service provider suggests they “meet” a standard, it is important to know who is auditing it and how it is audited (frequency, whether audits are scheduled or random, auditor qualifications, etc.) to understand the validity behind the claim.

8. Accepting Professional Liability without Proper Indemnification
Because clients know they are responsible for the mistakes of their service provider, some clients contractually require their electronics recyclers, paper shredders, and information management service providers to take responsibility for any financial damages they cause. It’s called professional liability and it has become a best practice in data-related contracts.

Unfortunately, some service providers will accept such liability with no ability to pay it. And, while there is no law preventing a service provider from accepting professional liability without the proper insurance, it is unethical.

Where contracts transfer liability for damages to the service provider, the customer should verify the vendor has properly worded professional liability insurance in place. It is also advisable to include an indemnification clause in the contract.

9. Accepting Unlimited Professional Liability
A variation of #8 above: the client, unaware of the mistake, contractually transfers unlimited liability for financial damages caused by the service provider.

The service provider is not able to insure themselves to an unlimited amount. By accepting unlimited liability, most service providers are entering into an agreement they are by definition unable to indemnify.

The client is better off identifying a reasonable level of professional liability, based on the risk and the value of the contract, which therefore allows the service provider to obtain a commensurate level of insurance.

Next-Gen Due Diligence
Regulations require clients to perform due diligence and yet it isn’t practical to expect them to know how. It’s no wonder they seek help. They’re on the hook if something goes wrong.

As this article demonstrates, however, even with the best of intentions, navigating data-related service provider qualification (a legal imperative) requires a degree of healthy suspicion about the boasts and assurances given as evidence of compliance.

Customers need to look behind the curtain and kick the tires.

As I said from the outset, legitimate service providers benefit from a world of knowledgeable customers who are aware that some are feeding them a line.

The good news is there are plenty of good guys out there, and bad guys aren’t hard to find when the client looks under the hood.

Customers can help ensure they are doing their due diligence by leveraging a NAID AAA Certified or PRISM Privacy+ Certified company, which is subject to the industry’s most rigorous specifications including announced and unannounced audits. Learn More.

Bob Johnson is the CEO of i-SIGMA.
Reach him at [email protected].