Alison Leslie Sep 23, 2020 10:21:48 AM 11 min read

Secure Data Destruction - NAID AAA Certification

Professional service providers in the data destruction industry owe it to their customers to demonstrate a commitment to regulatory compliance whenever customer data is entrusted to them as a contractor. Data destruction is a growing industry with players around the world, all of whom provide verbal assurances that data is safe, but only a small percentage can actually show proof of their commitment to keep data secure and ensure that destruction is completed in a reliable manner.

Customers around the world increasingly require IT Asset Disposition contractors to hold NAID AAA Certification as verification of a provider's compliance with all data protection regulations, which customers have a legal responsibility to confirm. NAID AAA Certification follows requirements under the HIPAA Security Rule and meets requirements of the EU General Data Protection Regulation.

NAID AAA Certification is a third-party verification that requires consistency from accredited entities and provides assurances and compliance in the following areas:

  • Audit Quality – All NAID AAA Certified service providers are subject to regularly scheduled, onsite audits by trained, accredited security professionals. In addition, random, unannounced audits are structured so that NAID AAA Certified operators will not know when they will be audited next.
  • Regulatory Alignment – The program requires written policies and procedures for each company to ensure incident response preparedness, employee training, and regulatory compliance.
  • Security Specifications – Accredited auditors review employee background screening and training, compliance with written procedures, access controls, operational security, destruction equipment, and confidentiality agreements.
  • Audit Reporting – A customer may request an audit report to monitor the service provider and to ensure it meets the regulatory risk assessment requirements.
  • Compliance Monitoring – A customer may monitor compliance by subscribing to email notifications of the service provider’s certification renewal, audit, or lapse.
  • Oversight – The Certification Review Board and the Certification Rules Committee, both of which include industry veterans and outside, accredited professionals, oversee the program’s integrity.
  • Transparency – All documents and specifications are available to the public for free online. Audit reports and monitoring services are also provided to clients at no charge.
  • Program Recognition – NAID AAA Certification is acknowledged by many accreditation programs, such as those offered by the International Association of IT Asset Managers, the Institute of Certified Records Managers, and the R2 IT asset recycling program certification offered by the Sustainable Electronic Recycling Institute (SERI).

NAID AAA Certification and NAID Membership are two separate standards: NAID AAA Certification requires compliance with the aforementioned standards, while NAID Membership only gives companies access to resources regarding data destruction. As of June 2020, there were 1,588 NAID Members, but only 771 globally had obtained any form of NAID AAA Certification. Specialized data destruction certifications can be obtained to provide services at a customer’s site or at the contractor’s facility. Only 22 companies worldwide hold certifications to provide both onsite and offsite physical or overwriting data destruction, and DMD Systems Recovery Inc. is one of them. DMD Systems Recovery Inc. is also the only provider certified for both services in the entire Western half of the United States.

NAID AAA Certified service providers can be found at https://directory.isigmaonline.org/

 
