DOCUMENT DESTRUCTION CONTRACTS
Typically, commercial document destruction (a.k.a. Shredding) is promoted as a security service aimed at preventing unauthorized disclosure of information, such as customer or company proprietary data, or government sensitive materials.
The desired and hopeful end result is to prevent lawsuits that could result from exposure of this data in violation of strict federal and state privacy regulations.
In my experience, many cases involving a data breach of document privacy are the result of a failure to follow very basic security standards of practice, either unknowingly or by design.
Many companies decide to out-source document destruction rather than maintaining the equipment and personnel for this process in-house. This article offers some starting points to help with your due diligence in the selection of a document destruction service.
Reasonableness and foreseeability are the objectives of Due Diligence in selecting a document destruction service. These objectives will vary because every company and every facility differ. Using a standardized checklist or questionnaire to determine risk can become problematic because those differing factors may be overlooked. Due Diligence helps to identify the reasonableness of the document destruction process and the foreseeability of risk that could result in an exposure of confidential data.
In your evaluation of reasonableness, consider how the document destruction service's statement of work (the process) will thoroughly protect your information throughout their custody of your materials. How would other persons with fair and sensible judgment, such as your customers, feel about the process if their personal data were involved? How do you think your decisions would be judged in mediation, arbitration, or before a jury? For example, consider the repercussions if a data breach occurred and your company had contracted with a certified service that employed convicted drug offenders.
The spring 2020 Security Shredding News magazine reports that a Utah-based physician's office was penalized for a business associate's (BA's) breach. The office apparently never conducted a risk analysis at the time of the breach and failed to complete a thorough after-breach review, which would have included implementing security measures to reduce risk. The consequences in that case cost the physician's office $100,000.
In a February 20, 2020 American Bankers Association article, Aaron Kirkpatrick reported that the California Consumer Protection Act now allows for private right of action against companies for negligent handling of personal data. Kirkpatrick, the chief information security officer at Venminder, claims that many professionals aren't aware of the possible pending legislation in their states.
As a consultant with direct operations experience in document destruction and information security, I believe that understanding a reasonable chain-of-custody for sensitive materials is the priority in Due Diligence. My expertise focuses on the statement-of-work portion of document destruction contracts to help companies develop terms based on specific business need and to comply with industry or regulatory guidelines.
I've seen many articles, business brochures, and on-line advertisements offering guidance for companies on how to prevent identity theft and data breaches. The catch-all simple solution is "Shredding." But many document destruction services neglect to explain that shredding comes in many different forms.
Consider these phrases commonly used in advertising and promotions: Guaranteed Unreadable, Tiny Strips, Complete Destruction, State-of-the-Art Certified Equipment, Cross-cut, Pulverized, #HIPAA certified, Maximum Security, Certified Specialists, Background Certified Personnel, and Meets Legal Requirements.
Such terms offer a wide range of starting points for Due Diligence and the review of the statement-of-work in the document destruction process.
President Reagan's famous 1987 quote, "Trust but Verify," says a lot about Due Diligence. Understanding the process used by a document destruction service will help you evaluate the reasonableness of your document security and the foreseeability of risk, and may direct you toward a more secure service or process. An independent consultant can be helpful for companies that lack an understanding of the security standards or of how to conduct Due Diligence.
I have been identified as an expert in the security shredding industry, with the following recognition:
* Assisted the US Department of Labor’s OIG office in identifying appropriate shredding practices in their shredding vendor selection.
* Instrumental in helping the South Carolina Department of Consumer Affairs with their shred vendor due diligence.
* Initiated a Veterans Administration review of shred vendor procedures resulting in revised procedures, with thanks from a Congressman for helping protect the security of veterans' personal health information.
* Identified security risks with GSA contracts which led to a $1.1 million settlement for taxpayers.
* Exposed risks with Department of Veterans Administration policy leading to VA Directive changes to increase security. The Department of Veterans Affairs, Assistant Secretary for Information and Technology writes “Mr. Knisely is correct” in describing shred policy vulnerabilities.
* Instrumental in the Veterans Administration's removal of a trade association's certification requirement.
* Filed a federal Lanham Act suit against a shredding company resulting in a settlement.
* Initiated a Department of Army contract investigation concerning shredding specifications, resulting in a settlement.
* Consulted with the attorney of an individual who had their Personal Health Information (PHI) exposed on a shredding industry training video, resulting in a monetary settlement.
In my consultation, I specifically review the statement of work portion of a document destruction contract and provide feedback that guides the client in their own due diligence, allowing them to ask appropriate questions or seek additional verification during the contract selection process. As an independent consultant, I never treat bid specifications and rates as part of the consideration of reasonableness, and I always require redacted service names and details, to avoid any inference of bias.
Letting the document destruction service or a trade association dictate your due diligence could be a costly and unreasonable mistake.
Shredding Whistleblower/Owner Knisely Security (1 year ago): Note: the website is now .net and not .com
Shredding Whistleblower/Owner Knisely Security (2 years ago): The new website is kniselysecurity.net/duediligence.html