The real value of NAID Certification
October 23, 2012
From any perspective, the NAID AAA Certification Program has been an amazing success. The program will soon certify its 1,000th member location. Also, hundreds of state and federal government agencies recognize it, including a growing number outside the U.S., and tens of thousands of private organizations now require it of their service providers. Over its 12-year history, it has evolved from a three-tiered program based solely on scheduled audits to a single standard based increasingly on unannounced audits. Further, it has expanded from simply certifying paper destruction to a program that now certifies micro media and hard drive destruction operations as well as operations involved in hard drive and solid state drive sanitization for plant and on-site platforms.
Despite its success, about half of NAID member locations are still not certified. Contrary to what many people think, NAID has never disparaged a member that is not certified. All NAID says about non-certified members is that they are not certified. Period. There is no value judgment, just facts. Non-certified members do not subject their operations to the rigorous standards and third-party audits required of the program. In fact, NAID assumes non-certified members are doing what they say and running a secure, ethical business. After all, anything less would be a violation of the NAID Code of Ethics.
When non-certified members are asked why they are not participating in the program, the responses generally fall into two categories. The most common response is that they have not gotten around to it but plan to do so some time in the future. The other response can take many forms but boils down to this: they do not see the value of getting certified. It is this latter, more troubling, response that I want to address here.
Anyone who says, “I do not see the value,” or “customers don’t seem to know or care about it,” is missing a key point. NAID Certification is something that should be done as a value-added service for customers. Even NAID members that participate in the certification program miss this point.
Any organization hiring a data destruction company is required, by law, to make sure its contractor has the security required to adequately protect its information. Such due diligence could arguably include evaluating and verifying employment screening, employee training, access control and other factors covered by NAID Certification. The regulations also require the customer to make sure the service provider’s policies and procedures have the requisite regulatory linkage. And the regulations require that some system be in place for ongoing audits.
Now ask yourself: how is the average customer supposed to do that? First, they have no knowledge of what to ask or how to evaluate all the factors. Data destruction, though important, is a small sliver of their overall responsibilities, and they have neither the time nor the expertise to adequately comply with the regulations. That is why, when a service provider becomes NAID Certified, it is actually providing a new, value-added service to its clients. The service provider’s NAID Certification provides compliance.
The decision to remain uncertified is like telling the customer, “We are going to leave you on your own for your own due diligence, even though you don’t have a clue that you are required to do so or how to do it.”
So, when I hear a member say, “NAID Certification doesn’t mean anything to the customer,” I respond with, “Then, as a secure destruction professional, why aren’t you telling them what it means to them?”