Destruction of data and documents. On the surface it sounds simple. Get rid of outdated data and documents that you are no longer required to maintain. Just shred the documents or smash the hard drives and you’re good to go, right? Wrong.
While most companies focus on the “when” aspect of destroying data and documents – which is crucial – the “how” is just as vital and should not be ignored. In fact, the manner in which physical documents and digital data are destroyed is subject to government and industry regulations. Understanding the significance of this and following the rules when you destroy documents and data can protect your company. Failure to do so can expose it to significant risk, including financial and other penalties as well as damage to your reputation.
So, how can you protect your business? Understanding the various terms related to destruction is an excellent place to start. Certified destruction. SOC II, Type 2 certification. NAID certified. HIPAA compliant. Today, we’re breaking them all down and explaining what they are, what they mean and why they matter.
What is certified destruction?
Simply put, certified destruction refers to the methods used to destroy documents and data. Whether those are physical documents or digital data, and regardless of the industry, regulations typically exist that detail the manner in which those documents and data can be destroyed.
Certified destruction methods may include the secure shredding of documents or the purging of digital information from various devices such as hard drives, data tapes, CDs, microfilm, USB flash drives, access cards, credit cards, smartphones and more. Hardware is run through erasure equipment, and hard drives are removed and shredded in commercial shredders to ensure the data is completely destroyed. Hardware may include personal computers, laptops, iPads, servers, switches, printers and backup battery packs.
The companies that provide these services and the employees who perform them are trained in proper destruction methods and ensure all appropriate procedures are followed. They secure your documents and data throughout the entire process and usually complete destruction in a secure facility and within a guaranteed timeframe. If scheduled in advance, the entire destruction process can be witnessed or recorded for compliance purposes.
Why does certified destruction matter?
When your documents and data are destroyed by a company using certified destruction methods, you’ll receive a certificate of destruction for your records. This is particularly helpful if your company is ever audited by a government agency or industry regulator – or if there is ever a data breach at your company. The certificate states that your data was destroyed in accordance with all relevant requirements by trained destruction providers and normally records the method used for complete destruction. That documented evidence is what reduces your organization’s risk.
But what do those certified destruction acronyms mean?
There are three main types of verified qualifications for the destruction of documents, data and hardware. They are:
- SOC II, Type 2 certification
- NAID ratings
- HIPAA certification
We’ll get into the details about SOC II Type 2 certification, NAID ratings and HIPAA certification below, but for now it’s important to note that any document management company that offers document and data destruction services should be SOC II Type 2 certified, AAA rated by NAID, and HIPAA certified.
The basics of SOC II, Type 2 certification
SOC II stands for “System and Organization Controls.” Created by the American Institute of Certified Public Accountants (AICPA), the controls are a set of standards that measure how well an organization manages and regulates the information within its oversight.
SOC II specifically refers to one or more of the following five key system principles: security, availability, processing integrity, confidentiality and privacy.
This includes the destruction or purging of digital data. In order to be SOC II Type 2 certified, a company must be audited by an independent CPA who confirms that the proper SOC-compliant processes and procedures are in place.
If your company currently stores or is considering storing data in the cloud, SOC II Type 2 certification offers a level of confidence that the information management provider can ensure the secure management and destruction of all digital information.
What is NAID and what’s an NAID rating?
The National Association for Information Destruction (NAID) is a non-profit trade association for companies in the secure destruction industry. An international organization, NAID sets standards and rules for destroying information.
Among the many services NAID provides is the NAID AAA Certification Program. This voluntary program for NAID members has rigorous requirements for certification. Achieving an AAA rating from NAID is emblematic of an information management firm’s commitment to providing the highest level of secure information destruction. As with SOC II Type 2 certification, an NAID AAA rating is an excellent way to determine if you should entrust a firm with the management and destruction of your company’s data.
HIPAA certified destruction for healthcare companies
In 1996, the Health Insurance Portability and Accountability Act was enacted as a federal law designed to protect the healthcare rights and privacy of individuals in the U.S. HIPAA, as it is commonly known, was revised in 2009 and again in 2013. HIPAA regulations are strict and penalties can be costly, as companies that have failed to adhere to the rules have learned at a steep price. In addition to governing the manner in which personal health information (PHI) is accessed, stored, transported and shared, HIPAA also regulates the destruction of that data. This covers not only the timing but the method as well, and applies to both paper documents and electronic records.
An information management company that is HIPAA certified follows HIPAA-compliant policies and procedures. Employees who handle healthcare-related information in any capacity are specially trained in HIPAA-compliant processes. This ensures that all PHI is handled and destroyed appropriately, and adds an extra layer of protection for your company.
Certified destruction: another line of defense
Your company has likely considered the potential consequences of failing to adhere to government and industry regulations regarding how, where and for how long certain records and information must be maintained. The ramifications associated with the destruction of those records and information must not be overlooked.
Whatever industry you’re in, when the time comes to destroy documents or hardware or to purge digital data, it’s worth the investment to trust an information management firm certified in destruction to handle it for you.