P.O. Box 59773 Renton, WA 98058 US | (206) 322 - 8461

How Good Is Your Secure Destruction Program?

Whether an organization is looking to start a secure destruction program or evaluating a program that is already in place, these are the four questions that should be addressed:


1. Are we effectively addressing both our daily and our annual data destruction needs?

Some organizations focus only on the routine destruction of media they generate on a daily or weekly basis but do nothing when it comes to the annual purges of their stored business records. Others securely destroy their stored business records but allow the information generated daily in their operations to go out with the trash. Clearly, the answer should be that both daily and stored records should be securely destroyed.


2. Are we properly destroying all the various types of media and equipment that require secure destruction?

In today's world, every organization has paper records and computer equipment that require secure destruction. In addition, modern printers, fax machines, and copiers have hard drives or solid-state memory chips that keep a copy of everything running through them. Then there are the memory sticks, digital video recorders (DVRs), and even the network routers that contain sensitive information. Of course, all these other types of confidential media also need to be securely destroyed.


3. Are we minimizing employee discretion in what gets securely destroyed?

If an employee is given more than one way to discard paper and other sensitive media, then the organization is unnecessarily trusting that each employee will make the right decision 100% of the time. To minimize this unacceptable risk, employees should only have one way to dispose of discarded media that ensures it will all be destroyed. The slight cost of destroying non-sensitive information is more than justified by the certainty that everything that should be destroyed is destroyed.


4. Do we have effective (written) secure data destruction policies and procedures?

Despite the fact that all data protection regulations require organizations to have written secure data destruction policies, many don’t. At the same time, the organizations that do have them often provide insufficient instructions and insufficient internal accountability. This is unfortunate because, if a problem results from improper disposal, showing regulators that written data destruction policies were in place can substantially reduce the regulatory consequences. On the other hand, not having them is automatically deemed negligent. We already know that most organizations have some system in place for destroying sensitive media. They just need to take the next step and write it down. Of course, these secure destruction policies and procedures are also going to include the criteria by which secure destruction service providers are selected.


Four questions. That’s it. How’d you do?



If, like most organizations, yours came up a little short, there is no need to fret. Pacific Northwest Shredding has more than two decades of experience in secure destruction. Our staff are among the most well trained and our systems among the most highly developed. We have already helped hundreds of other businesses. No matter the challenge, we’ve been there.


Contact Pacific Northwest Shredding today!

 

© 2024 Pacific Northwest Shredding, Inc. - All rights reserved.

 

By mark January 27, 2025
Though Pacific Northwest Shredding has a reputation for competitive pricing, customers should never hire any shredding service based on price alone.

When a customer wants to hire a company to destroy old computer equipment, they typically use the Internet to find a few local service providers and go with the lowest bid. Unfortunately, while it sounds logical, it’s also illegal.

Really? Illegal? Yes, today’s data protection regulations, such as HIPAA, GLBA, FACTA, and at least 19 new state laws, require organizations to scrutinize potential data destruction service providers to make sure they have a sufficiently high level of security and meet regulatory compliance requirements. As a result, hiring a provider just because they have the lowest price violates those regulations. In fact, if there were ever to be a breach or a regulatory audit, regulators would automatically want to see the selection criteria used to hire such service providers. Keep in mind, because data protection and privacy regulations are enacted by governmental authority and are enforceable by law, violating them literally constitutes an illegal act.

The fact is, however, though it is technically illegal to use pricing to make the decision, it is not the only reason for reviewing the compliance and security of any future shredding service. Unfortunately, there are too many shredding services with little or no security or regulatory compliance. Their continued operation is based solely on the fact that their customers neglect their legal obligation to look under the hood. And, while their low prices might seem attractive, those prices are often because they are not spending time and resources on employee screening and training, or proper insurance, or keeping up with constantly changing regulatory requirements. Often, they would be hard-pressed to define what appropriate security and compliance even looks like.

Compounding the risk, should a shredding service cause a data security breach, the same regulations that require vendor selection due diligence would also hold their customers 100% responsible for breach notification costs. Even worse, when regulators learn that the service provider was hired without proper scrutiny, the customer would be found negligent, liable, and subject to further penalties and sanctions.

WHAT SHREDDING SERVICE DUE DILIGENCE LOOKS LIKE

1. Verify the Service Provider’s Certification

Certainly, requiring industry certifications, like NAID AAA Certification, can help with due diligence. But remember, such certifications are a floor, not a ceiling. They represent the minimum that should be required, not the maximum. So, while requiring NAID AAA Certification should without question be a part of any shredding service due diligence, there are other things customers should be examining.

2. Verify the Service Provider’s Professional Liability Insurance

The question here is straightforward: do they have professional liability coverage? Most service providers don’t. Ironically, firms that have the capacity to indemnify their customer for the service provider’s errors and omissions are often the least likely to need it. The point of requiring it is not that there is heightened risk of a problem, but rather that it is a best practice for customers to expect a shredding service to have a reasonable, limited capacity to indemnify the customer for their mistakes. And, by verify, we mean get proof. Too often a service provider says they have it, while they may not even know what it is. General business insurance policies do not cover a vendor’s errors and omissions.

3. Verify the Service Provider’s Regulatory Expertise

The customer has the right to expect their shredding service to be the expert in secure disposition and regulatory compliance, not the other way around!

The simplest way to determine whether a shredding service is capable and trustworthy is to evaluate the qualifications of the person on their team who is responsible for their regulatory compliance. In the past few years alone, 19 states have enacted new data protection regulations that have impacted shredding services. In fact, many international regulations now impact large customers doing business around the world. No service provider could be expected to respond to these changes without internal expertise driving their compliance program. Many shredding services lack the capability or willingness to make such accommodations, preferring to take an “off-the-shelf” and “one-size-fits-all” approach. This inevitably puts the customer at risk.

Clearly, we hope customers choose Pacific Northwest Shredding to meet their shredding needs. But, if that’s not in the cards, we want them to know how to best protect themselves. Please don’t hesitate to contact us at any time with questions or concerns. We pride ourselves on our internal compliance expertise and are pleased to be of assistance to any organization looking to do the right thing.

Contact Pacific Northwest Shredding today. We can make performing the required due diligence on our service simple and easy.
By mark January 27, 2025
We are all aware that state and federal regulations require the secure destruction of personal information. What many don’t appreciate, however, is that there are also important legal considerations supporting the need for the secure destruction of competitive information.

1) Casually Discarded Information is Not Protected

It was none other than the U.S. Supreme Court that ruled that casual disposal results in the loss of all rights and expectations of privacy and ownership. In the precedent-setting case, California v. Greenwood (1988), the state was attempting to uphold the conviction of a drug dealer, where probable cause for his arrest was based on evidence police found in his trash. Though Greenwood was originally convicted, an appeals court overturned the verdict, saying the man’s right to privacy had been violated when police confiscated his trash. The U.S. Supreme Court disagreed with the appeals court, instead saying that Greenwood (or anyone else) has no right or expectation of privacy when something is discarded in an unprotected manner. Since then, Greenwood v. California has been cited in a wide array of related cases, the most recent being People v. Dorado (2024), where the California Court of Appeal, Fourth District, again upheld the principle that there is no legal right or expectation of privacy when media is discarded in an unsecure manner.

2) Improper Disposal of Information Nullifies Intellectual Property Claims

For decades, courts have upheld the legal principle that the failure to safeguard proprietary information can nullify intellectual property claims. Whether through premature public disclosure or casual disposal, these precedents highlight the importance of protecting intellectual property. The precedent is DuPont v. Christopher (1970), where the defendant was sued by DuPont for illegally obtaining its plans for a new manufacturing process. DuPont prevailed specifically because it could demonstrate that it had gone to significant lengths to protect the information. The ruling inferred for the first time that had DuPont not demonstrated those security measures, they would have lost their claim of ownership. Over time, a number of cases have reinforced this precedent, including Relational Database Systems, Inc. v. FileNet Corporation (1991), Magnesystems, Inc. v. Nikken, Inc. (1996), Hayes Microcomputer Products, Inc. Patent Litigation (1992), and Mattel, Inc. v. MGA Entertainment, Inc. (2008).

3) Even Casual Business-related Notes are Considered “Official Records”

There have been any number of cases where informal documents—like handwritten notes, internal emails, or even customer letters—have been admitted in court as business records. Take, for instance, the well-known Kolniak v. Bridger Logistics case, where a cocktail napkin was treated as binding evidence in a legal dispute. In 2012, Jonathan Kolniak alleged that he was offered an employment agreement by James Ballengee, an executive at Bridger Logistics, which was written on a cocktail napkin during a meeting. When Bridger Logistics was sold for $820 million in 2015, Kolniak claimed he never received the equity promised. Although the case was settled before trial, the incident highlights how informal agreements, even when scribbled on napkins, can be considered a valid business record. In fact, courts have long relied on the premise that the threshold for treating a document as an official business record is relatively low. This is why it is important that even the most innocuous documentation, like phone memos and hand-written notes (or, in some cases, cocktail napkins), should be properly destroyed.

These Concerns are Not Just for Big Companies

It is a common mistake to think that intellectual property protection is an issue only affecting large corporations. The fact is that small- and medium-sized enterprises (SMEs) have lots of trade secrets, including pricing, customer lists, and proprietary systems, and are equally or even more vulnerable. If an SME cannot demonstrate it is properly protecting its information, it risks losing its ability to enforce non-competition and non-disclosure agreements (NDAs). Unlike a large corporation that may be able to survive such an event, the inability to defend non-competes or NDAs can severely compromise or even mean the end of a smaller business.

This is just one more reason why secure destruction should be the default for all discarded paper and electronic records. Allowing for two options not only opens the door to improper disposal, but it also undermines the ability to emphatically establish that the organization took strong measures to defend its trade information.

Contact Pacific Northwest Shredding today to learn how we can help.
By mark October 15, 2024
No company would allow every employee to use its checkbook or offer them the choice of shutting off the Internet firewall. However, as ludicrous as these ideas sound, they are not much different from allowing each employee to decide what should or should not be shredded.

Simply directing employees to discard information that “they” feel is confidential jeopardizes the organization's future. If they make the wrong decision about what is and isn't safely destroyed, or if they are distracted, too busy, or too sluggish to do the right thing, the consequences could be disastrous. There are numerous studies that demonstrate the severe effects of data breaches (defined as any illegal access), including their financial impact.

The heart of the "employee discretion" problem is providing them with several disposal alternatives for discarding paper. The better way is to give them only one disposal option that assures the material will be securely destroyed. Every piece of paper, including mail, notes, reports, drafts of letters, and proposals, may include sensitive or confidential information. If an employee is given the option of putting these items in the trash, the recycling bin, or the destruction receptacle, they may make the wrong decision.

The organization's data security is not only determined by their judgment, but also by their state of mind. Did they get a horrible night's sleep, are they hungover, tired, or even disgruntled? Are they simply too preoccupied with their work to worry about selecting the correct bin?

A data leak isn't the only issue with having several disposal routes for paper and electronic devices. It also undermines the organization's ability to withstand future challenges to the integrity of its regulatory compliance and jeopardizes intellectual property legal rights. All the lawyer, auditor, or regulator needs to do is ask, "How can you tell the court you're sure it was properly destroyed when you gave every employee the option of not destroying it?"

The solution to this problem is to eliminate employee discretion by creating a single "destruction-by-default" disposal policy that applies to all media. Many groups are already doing so. They have sensibly determined that the risk and related cost of giving employees control over what is and is not destroyed is unreasonable. In this new model, all of the organization's discarded media is considered confidential and deserving of shredding, which is more than likely the case.

Contact Pacific Northwest Shredding today to learn how we can help!
By mark October 15, 2024
ESG obligations are increasingly important to Pacific Northwest Shredding's clients. Academic research from the University of Washington and Oregon State University, as well as surveys by the Pew Research Center and Gallup, indicate that the Pacific Northwest is more sensitive to environmental, social, and governance issues than other regions in the United States. This is no surprise to those of us who live here.

As a result, organizations in the region are increasingly proud of their dedication to ESG issues, which routinely affect their buying decisions and are baked into annual reports, investment plans, and political lexicons. It is clear, therefore, that when hiring service providers, organizations in the region should examine how such vendors can contribute to their own ESG profile.

ENVIRONMENTAL RESPONSIBILITY

Pacific Northwest Shredding recycles 100% of the recyclable material that is destroyed. Almost everything is reused, even shredded paper and computer hard drives. In fact, if these objects were shredded in-house, they would almost surely end up in the trash. As a result, using Pacific Northwest Shredding to secure essential documents is one of the most crucial components of our clients' environmental responsibility efforts.

SOCIAL RESPONSIBILITY

Pacific Northwest Shredding's services help to support a local, minority-owned family business. In an environment where alternative options for commercial shredding are enormous, national corporations, our clients may be proud that they are supporting a Washington-based firm with a decades-long history.

RESPONSIBLE GOVERNANCE

Pacific Northwest Shredding is one of the only secure destruction service providers that supports their clients' governance priorities. Our internal capabilities, which include an internationally recognized Data Protection Officer, a globally recognized certification, and cutting-edge policies and contracts, allow us not only to exceed regulatory compliance, but also to assist our clients in understanding and meeting their own compliance requirements. We may help our clients establish the necessary disposition policies and procedures, respond to regulatory inquiries, or simply address concerns about any data-related regulation.

It is crucial to note that if a secure destruction service fails to comply, so will its customers. As a result, Pacific Northwest Shredding's activities are critical to our clients' compliance, which is consistent with their governance aim. Ironically, while misaligned governance is the most likely to get a company in trouble, it is also the most misunderstood and overlooked ESG responsibility. Fortunately, Pacific Northwest Shredding clients don't have to worry about this.

SAY "NO" TO ESG-WASHING

Unfortunately, since more clients are looking for service providers that can improve their ESG profile, many vendors misrepresent their capabilities. It's called "ESG-washing," and the fact that it has a name shows how widespread it has become. Pressing service providers on such statements is one of the most effective ways to see if they are walking the talk. It's one thing to state that ESG is important; it is more difficult to explain how.

Of course, another option is to contact Pacific Northwest Shredding. We welcome such conversations and are glad to help.
By Mark Mamon September 5, 2024
The accumulation of old records and electronics plagues most organizations, so we wanted to provide some reasons why it’s time to finally get rid of them the right way.

1. Keeping old records undermines an organization's records retention policy.

An organization violates its own policy if it permits records to exist beyond the set retention periods or outside its control. When the business must rely on the integrity of the retention schedule to validate ultimate disposition during a legal or compliance situation, this could come back to haunt it.

2. Old records and electronics pose a security threat.

It makes sense that the longer records and electronics are kept, the greater the possibility that they will end up in the wrong hands and that they will be retained longer than is necessary. Let's imagine an old laptop is taken from the storeroom a year after it was placed there because an employee decides no one cares (or is looking). Why not, exactly? Who will be aware? No one, up until the employee sells it on eBay and the data becomes public later.

Of course, this risk also applies to collections of unnecessary paper records that are kept. An aging warehouse is cleaned out by a diligent custodian. Four hundred cartons that a hospital placed in a dilapidated outbuilding 20 years ago go unremembered. These are not merely speculative examples. They have happened and will continue to happen as long as they are allowed to accumulate.

3. Uncontrolled documents and outdated devices make legal discovery dangerously more difficult.

In a legal proceeding, “discovery” mandates that the opposing sides turn over to the other all the records associated with a criminal investigation or civil lawsuit. The problem is that unsupervised records (either paper or electronic) are stashed away in offices, backrooms, and self-storage facilities. And woe to the organization that claims that "discoverable" records were destroyed in accordance with a retention schedule when it later comes to light during a deposition that those records might still be accessible in another way.

And when the opposing party or the judge learns that a self-storage facility is full of long-lost documents or electronic equipment that could be remotely relevant, not only will a lawyer soon begin searching through them to see what is there, but it also raises suspicion and may result in significant retaliation, such as giving the jury an instruction on adverse inference. You see what I mean. Legal discovery becomes a nightmare when unmanaged records or electronic equipment accumulate.

4. Accumulated records and electronics violate new privacy laws.

Nineteen states have passed privacy laws that forbid organizations from retaining personal information for longer than necessary. And since most old records and electronics have such information on them, retaining them longer than needed is a violation of those new laws. Additionally, those same privacy regulations grant people the right to, one, have their information destroyed after the transaction is over, two, access all information maintained by the data controller, and three, know how their information is stored. Accumulating old records and electronics flies in the face of these rights as well.

What to Do?

There are three methods for reducing the danger posed by accumulated records and electronics. The first is not to accumulate them in the first place. Employees should routinely be reminded of the dangers of obsolete and unmanaged documents, as well as old electronics, emphasizing the negative effects of their unwarranted buildup. The second thing is to set up a method for disposing of devices that have accumulated and are out of control through semi-annual purges. The third step is to make sure that the organization’s stored records are securely destroyed once a year according to a predetermined retention schedule.

Fortunately, there is an easy, cost-effective way to do this. Why not make an appointment for a visit from one of our mobile shredding trucks? Our polite, screened, and trained driver and our state-of-the-art equipment can shred years’ worth of old documents in minutes.
By Mark Mamon September 5, 2024
A person’s medical records are widely considered the most private of all, with recognition of the need for confidentiality dating back as far as the Hippocratic Oath in 400 BC. Presently, Washington’s My Health Data Act and national regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act impose much more direct and consequential privacy requirements, including severe penalties and large fines for allowing unauthorized access.

This means that when smaller medical facilities such as doctors’ offices, laboratories, surgical centers, and pharmacies fail to fulfill their legally mandated data destruction obligations, as many do, it is both risky and potentially very costly, especially when one considers that medical data breach notification is now a national law and healthcare identity theft is the most troublesome form of identity fraud.

Many of these medical offices report that they have tried office shredders, discovering afterward that no one used them or that, when they did, the machines were too slow and broke down easily. Some medical offices feel they are so small, and their volume of destruction is so little, that they are safe to tear it up or just toss it in the trash.

That’s probably what the Arkansas chiropractor fined $321,000 for improper disposal of records last year thought. Same for the Beth Israel Senior Health Center when their trashing of records made headlines in the New York Times, and the North Carolina doctor fined $40,000 when patients' records were discovered in his dumpster.

What makes these events even more unfortunate is that most healthcare professionals want to do the right thing. These problems resulted because the solutions available to them haven’t worked. Some have given up, intentionally remaining in the dark about what happens to the daily flow of paper from their offices, or they run out and buy a shredder and hope their staff will use it.

Pacific Northwest Shredding to the Rescue

Fortunately, there is a solution that works: Pacific Northwest Shredding’s on-site service. Whether cleaning up a backlog of material or for routine removal, why not make an appointment for a visit from one of our mobile shredding trucks? Our polite, screened, and trained driver and our state-of-the-art equipment make the process painless, and you can rest assured everything’s properly destroyed.

Contact us today to learn how even the smallest medical offices can benefit from our cost-effective, routine service.
By Mark Mamon September 5, 2024
Aware that discarding sensitive information is illegal, many cautious, cost-conscious businesses believe an office or personal shredder is the solution. What they fail to realize is that, whether it is the office or the home, relying on a small shredder is among the most expensive and least secure options.

The Shredding Imperative

At work, securely shredding sensitive information prior to disposal is the law. Any organization with customers or employees must comply with one or more regulations that require sensitive information to be destroyed prior to disposal. And, while the regulatory fines for disregarding this requirement grow by the day, so do client and employee retribution. At worst, they can bring a lawsuit. At minimum, they will find another place to do business.

In the home, it is a little different. While there is technically no law requiring an individual to protect their own personal information, it is important to avoid putting one’s family at risk of identity theft or privacy violations.

Personal Shredders Are Not the Solution

The first problem with relying on personal shredders, either at home or work, is that people avoid using them. Shredders are slow and laborious (not to mention noisy), and there is a strong temptation not to use them. Before long, the shredder is unplugged and collecting dust.

Secondly, even if the shredder is used, the shredded paper is going to end up in the trash, where dumpster divers can easily find it. It is widely known by identity thieves that shredded paper can be reconstituted (and even admitted as evidence by courts). Now, in an environment of high-speed scanners and AI, this ability is at everyone’s fingertips. The fact is, putting shredded paper in the trash—even crosscut paper—only tells the bad guys what to take. They probably appreciate that.

The third problem with personal shredders is that, if used with any regularity, they are prone to breakdowns. This is especially true in the office. As a result, instead of being shredded, the sensitive information piles up. Finally, someone gets frustrated and tosses it out. All anyone knows is that it’s gone. Never mind how.

Fourth, and finally, even if the shredder is being used conscientiously and stays in good working order, its use provides no ongoing documented record of compliance with data protection or records retention policies. Why is this important? Because data protection regulations now require the ability to demonstrate compliance over time. Pointing to a shredder in the corner of the copy room isn’t sufficient. And so, with this additional requirement in mind, using a personal shredder takes on a new level of inconvenience, since to be compliant with regulations would require elaborate chronicling of each use.

The unfortunate part is that those who attempt to use personal shredders have the right idea and the best of intentions. They just want to do right by their families and their customers. Luckily, there is a better option. Pacific Northwest Shredding’s mobile service is used by an increasing number of businesses and households to protect themselves.

Contact us today to learn how we can help.
Bob Johnson, Pacific Northwest Shredding DPO
By Mark Mamon September 4, 2024
All privacy and data protection regulations, one way or another, require secure shredding service providers to designate a qualified professional to be responsible for their compliance. That individual is commonly referred to as a Data Protection Officer (DPO). Pacific Northwest Shredding has acquired a new DPO.