Embed Size (px)
DESCRIPTION
Nov/Dec 2012 issue of Security Shredding & Storage News
Citation preview
Volume 9, Issue 6 NoVember / December 2012
PRSRT STDU.S. Postage
PAIDMentor, OH
PeRMIT No. 2
&Security Shredding Storage News
Serving the Security Shredding & Paper Recovery Markets
PRSRT STDU.S. Postage
PAIDMentor, OH
PeRMIT No. 2
Continued on page 3
Using ARMA’s GARP Principles to Create a Compliant Records Management Program
Chicago Election Board Confirms 1200 Personnel Files Exposed
NAID Acquires Shred School
Easing of Medical Record Restrictions Ensures Post-Sandy Patient Care
InsIde ThIs Issue
13
4
10
ATTENTION: READERS !
Are you looking for Products, Equipment or Services for your business? If so, please check out these
leading companies advertised in this issue:
6
ColleCtion & Storage ContainerSBig Dog Shred Bins – 10
Bomac Carts – pg 7Jake, Connor & Crew – pg 5
equipment FinanCingTransLease Inc – pg 12
loCk & loCking SyStemSLock America Intl. – pg 10
mobile truCk ShredderSAlpine Shredders Ltd – pg 14
Shred-Tech Limited – pg 6ShredFast – pg 8
Vecoplan LLC – pg 7
moving Floor SyStemKeith Manufacturing – pg 6
paper balerSIPS Balers, Inc. – pg 10
replaCement partSDun-Rite Tool – pg 12
ShredSupply – pg 9
Stationary ShredderS & grinderSAllegheny Shredders – pg 5
Schutte-Buffalo Hammer Mill, LLC – pg 16UNTHA America – pg 15
WaSte Commodity purChaSerSDan-Mar Components – pg 13
Visit us online at www.securityshreddingnews.com
By P.J. Heller
ocument destruction companies that handle protected health information for healthcare providers may face greater scrutiny — and hefty
mandatory fines — in the coming year as the government steps up enforcement of privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA).
New rules to be announced soon are expected to make business associates — such as document destruction companies or other service providers — subject to the most substantive provisions of HIPAA, as well as all of its Security Rule, rather than allowing them to rely on their business associate agreements.
Also expected are automatic mandatory fines for violations of “willful neglect” by either the healthcare industry or business associates of $10,000 to $50,000 per record, up to a maximum annual cap of $1.5 million.
That maximum figure applies only on a per provision basis; violations of separate provisions are capped separately, not cumulatively.
A document destruction company involved in a data breach that is subsequently found not to have trained its employees and to not have any written policies in place could be cited for willful neglect.
“So whatever the data breach was, the U.S. Department of Health and Human Services (HHS) is going to hold them to the highest standard, the highest level of fines, because they’re finding it inexcusable that any organization touching data would not have written policies in place and employee training in place,” notes Bob Johnson, chief executive officer of NAID (National Association for Information Destruction).
Health and Human Services reports that business associates have been responsible for 62 percent of the total number of patient records breached, according the Association of Corporate Counsel, a global bar association.
Another major issue to impact healthcare providers and their business associates will be an audit program anticipated in the coming year. The audits are mandatory under HITECH (the Health Information Technology for Economic and Clinical Health Act). HITECH was passed by Congress as part of the 2009 American Recovery and Reinvestment Act, more commonly known as the “Stimulus Bill.”
“Health and Human Services has announced there will be a formal unannounced auditing program of both covered entities and business associates,” Johnson says.
Covered entities include healthcare providers, health plans and healthcare clearinghouses.
Although it is not known how many resources will be devoted to the audit program, “everybody’s on notice that they’re going to be checked by Health and Human Services at some point or they stand the possibility of it, and you never know where it’s going to come from,” he says.
Leon Rodriguez, director of HHS’ Office for Civil Rights, has confirmed that
New HIPAA Rules to Impact Document Destruction Industry
D
Security Shredding & Storage News. November / December 20122
R2/RIOS™ certification makes recycling electronics more profitable.
TM
What if you could reduce your business risk, enhance competitive advantage, and improve your company’s bottom line – all at the same time?
Now you can. By investing in R2/RIOS™ certification your company is upgrading to the highest, most responsiblestandards in electronics recycling. Here’s how certification has helped others and can benefit you:
• elevates quality of products and services, reducing customer issues
• secures employee retention and job satisfaction• improves employee safety and decreases OSHA
recordable incidents
• boosts environmental footprint and decreases risk of environmental issues
• decreases commercial insurance premiums• provides due diligence to meet customer requirements• assures compliance with domestic and international laws
What’s more, certification gives you the peace-of-mind of knowing your company has the highest “seal of approval” in electronics recycling.
To get certified today, visit www.ISRI.org/certifyme
We make recycling look completely different.
Visit the R2/RIOS™ booth at the E-Scrap 2012 Conference.
final.indd 1 8/6/12 5:10 PM
Security Shredding & Storage News. November / December 2012
Security Shredding & Storage News
3
Continued from page 1
Continued on page 5
PUBLICATION STAFFpublisher / editor
Rick Downing
Contributing editors / WritersChad Bevington
P. J. Heller
production / layoutBarb Fontanelle
Christine Pavelka
advertising SalesRick Downing
Subscription / CirculationDonna Downing
editorial, Circulation & advertising office6075 Hopkins RoadMentor, OH 44060Ph: 440-257-6453Fax: 440-257-6459
Email: [email protected]
For subscription information, please call 440-257-6453
Security Shredding & Storage News (ISSN #1549-8654) is published bimonthly by Downing & Associates. Reproductions or transmission of Security Shredding & Storage News, in whole or in part, without written permission of the publisher is prohibited.
Annual subscription rate U.S. is $19.95. Outside of the U.S. add $10.00 ($29.95). Contact our main office, or mail-in the subscription form with payment.
©Copyright 2012 by Downing & Associates.
Printed on 10% Post-Consumer Recycled Paper
enforcement of HIPAA’s privacy and security rules would be stepped up in 2013. His agency has been conducting the pilot audit project; an estimated 115 covered entities are expected to be audited with a permanent compliance audit program which could be launched in the coming year.
“This audit program has exposed vulnerabilities and issues that we can’t find any other way,” Rodriguez says. “I think it will be good policy for us to really keep this audit program going.”
The audits in the pilot program, conducted by consulting firm KPMG, do not involve business associates such as document destruction companies or cloud computing providers, but those service providers and others are expected to be included in future audits, according to Linda Sanches, senior adviser and health information privacy lead in the Office for Civil Rights (OCR).
“A s t h e O C R a u d i t program moves from pilot to a fully enforced program in 2013, the number of surprise audits and fines are expected to skyrocket,” predicts Mike Klein, president and chief operating officer of Online Tech in Ann Arbor, Mich., a provider of co-location, managed servers and private cloud services. “While no one enjoys the threat of a government-sponsored audit program, and even worse, the possibility of multimillion dollar fines, the U.S. government is demonstrating that they are taking HIPAA law enforcement seriously . . .”
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
Increased enforcement efforts also involve state attorneys general, who have been trained to enforce HIPAA. At least four states have pursued HIPAA enforcement actions since July, according to Elizabeth Johnson, a lawyer with Poyner Spruill in North Carolina.
“Covered entities should anticipate the trend of increased state enforcement will continue as reported security breaches, HHS audits, and individual complaints continue to uncover compliance problems that reaffirm to government agencies their pursuit of such enforcement is often fruitful,” she says.
How fruitful that enforcement is can be seen in cases such as one against the Alaska Department of Health and Social Services. That agency agreed to pay $1.7 million to settle a HIPAA case involving a USB drive possibly containing electronic protected health
information (ePHI) that was stolen from the vehicle of a department employee. It was OCR’s first HIPAA enforcement action against a state agency.
In another case, Minnesota settled for $2.5 million an action against a business associate that alleged numerous violations of laws including HIPAA, Johnson reports.
And in yet another case, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc., agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule.
Although the president’s budget for fiscal year 2013 cuts the OCR budget by about
$2 million, it is not expected to have much impact on enforcement efforts.
“We will be able to, given the pace we’ve already had of monetary recoveries — and this is just the opening threshold of our work — the monetary recovery is really what will provide us a pretty decent way of keeping our investigative capacity up and perhaps adding some,” Rodriguez said in an interview with HealthcareInfoSecurity.
“If Health and Human Services or state attorneys general receive a credible report
of an incident that could rise to the level of willful neglect it’s mandatory that they investigate,” says NAID’s Bob Johnson. “They have to investigate if they get such a report.”
He stresses that service providers need to train their employees and have policies and procedures in place to address privacy and security concerns. Any employee who finds the slightest discrepancy that suggests a customer has a potential data breach, for example, must report it to management. Management must then report it to the customer.
“A service provider doesn’t have to inform the authorities,” Johnson notes. “A service provider’s only responsibility is to inform their customer. The service provider will never have to do the data breach notification. It’s always going to be the customer. It’s going to be the primary data custodian that has to clean up the mess, even if it’s caused by the service provider.”
Because of that, however, customers are now looking at having service providers indemnify them for damages they cause. In the past, this wasn’t much of an issue in the document destruction industry, Johnson says.
“But now we’re seeing where virtually every contract has a clause in it that says the service provider will be liable for any financial damages or breach notification costs that they cause,” he says, noting that NAID offers its certified members an insurance policy to cover them.
Elizabeth Johnson says business associates should
New HIPAA Rules to Impact Document Destruction Industry
“But now we’re seeing where virtually every
contract has a clause in it that says the service
provider will be liable for any financial damages or breach notification costs
that they cause.”
Security Shredding & Storage News. November / December 2012
Security Shredding & Storage News
4
Using ARMA’s GARP Principles to Create a Compliant Records
Management Program— A Guide to Assist with the Proper Implementation of a Records Management Program —
Developing a compliant records management program is essential for a productive, organized business, but it can be a challenging task. With numerous file labels, retention schedules and varying points of contact, organizing a system that achieves specific business goals while keeping
operations compliant can leave records managers and IT professionals frustrated and confused.
“In the insurance industry, there are multiple types of files and varying file requirements for each state in which we operate,” said Cathy Marsh, Assistant Vice President, Corporate Services at Ohio National Financial Services. “While it took us awhile to develop a consistent and streamlined records management program, it has been an integral step in keeping our business running smoothly.”
To assist businesses with the creation, organization, security and maintenance of a records management program, ARMA International published the eight Generally Accepted Recordkeeping Principles (GARP®). As an authority of education on information management issues, ARMA International developed the principles with the help of individuals fully involved in recordkeeping.
The eight key principles upon which GARP was developed can provide a framework for a successful records management program. These principles include:
Principle of Accountability.1. Appoint an appropriate person to oversee the entire records management program. This person will be responsible for structuring the program, delegating tasks and assigning appropriate contacts within departments.
Principle of Integrity.2. Ensure records are authentic, unaltered and accurately reflect the represented organization. Be able to prove an acceptable audit trail and creation of the record.
Principle of Protection.3. Implement standards to protect records and information that is confidential, privileged, secret or essential to business continuity.
Principle of Compliance.4. The records management program follows the standards, laws and other binding authorities set by legal organizations or company standards.
Principle of Availability.5. Records are stored and organized in a manner that allows for timely, efficient and accurate retrieval of requested information.
Principle of Retention.6. The records management program follows a retention schedule that was developed considering legal, regulatory, fiscal, operational and historical requirements.
Principle of Disposition.7. The organization takes secure measures to properly dispose of records at the end of their lifecycle.
Principle of Transparency.8. The records management program is easily understandable to employees and outside parties, including government authorities, auditors and investigators.
Customizing Records Management Processes
By using these eight principles as a framework, records managers can begin building their own program that reflects their specific business processes. It is important to understand how each principle applies to the organization. For
example, when establishing the principle of accountability, records managers should consider the size of their business. For a small organization, it may be acceptable to have one person in charge of the records management program. This setup, known as a centralized system, appoints one individual who handles all information and decisions related to the program. This person is also responsible for implementing and executing all activity relevant to the records management policy.
However, a large business with multiple departments and types of records will require additional oversight. This system would benefit from a decentralized records
management program where a lead records representative oversees the activity of several departmental records representatives who assist with the implementation and execution of the program in specific areas of the business. These individuals manage the retention schedules, employee training and day-to-day functioning of the program. With this system, records representatives meet on a regular basis to discuss program successes or challenges, changes in the principles and ideas to further develop the system. This system helps delegate responsibility and ensures individual employees can easily contact a records representative when necessary.
Similarly, records managers should consider the size and scope of their business when evaluating the principle of retention. Developing and following a retention schedule can be a challenge if an organization operates in multiple states with different regulations and laws and/or if they receive payments from customers in multiple states. To simplify the program and avoid multiple retention requirements, implement a retention schedule based on the state or region with the strictest regulations and longest longevity for retention. Using this method, the organization will meet all legal and regulatory requirements while streamlining the records management process and eliminating the need to separate files by state. To ensure compliance, decide the appropriate retention period for each type of record with the help of an attorney.
“In our situation, we reviewed all the state recordkeeping requirements and found that Pennsylvania had the most rigorous standards,” said Marsh. “We used this as our benchmark and developed our program around that. It made the program a lot easier rather than negotiating around the legal requirements of several different jurisdictions.”
When considering the availability and transparency principle, records managers are encouraged to review how documents are titled and create a standardized labeling system throughout all departments. Most employees will label records according to personal preference; however, as convenient as this is for individual employees, it results in an unorganized system. This can create a problem if an audit requires proof of a certain type of record and that record is unable to be retrieved.
To create a streamlined system and reduce the amount of time spent filing and retrieving items, implement standards for labeling and storing records that can be integrated throughout all departments.
“When we conducted an audit of our system, we found that we had more than 3,000 different records names,” Marsh advised. “For a journal voucher record, they were titled ‘JV’ or ‘J Voucher’—we had more than 100 different names for the same file. By setting a standard for titling documents, we were able to reduce the number of files to just 120 record names.”
Purging Old Records
When paper records reach the end of the pre-determined lifecycle, GARP recommends secure and appropriate disposal. To ensure the highest standards of security are met, records managers should partner with an AAA NAID-
certified shredding provider that destroys documents on a scheduled basis and provides a certificate of destruction for a legal audit trail.
While sometimes daunting, the task of organizing a company’s records is not an impossible task. By using GARP as a framework, records managers can develop a compliant and effective records management program that meets the specific needs of the business and ensures that documents are readily available—or destroyed—at pre-defined points in the process.
Chad Bevington is Regional Business Director of Cintas Document Management. For more information, visit www.cintas.com/DocumentManagement.
By CHad Bevington
Security Shredding & Storage News. November / December 2012
Security Shredding & Storage News
5
For the right solution, contact:www.jakeconnorandcrew.com or call 1-877-565-JAKE (5253)Jake, Connor & Crew’s containers are recyclable, comply with LEED® and CARB II regulations and are JCAHO compliant.
[ Document protection? ]
Document protection is never in question with Jake, Connor & Crew consoles and bins.
We don’t just protect documents, we protect your reputation.
JCAC_SSSN_QuarterPgLockItAds.indd 2 12-08-30 1:59 PM
Info Request #105
Continued from page 3
attention: readers!Would you like more information about products and equipment
advertised in this issue? If so, please complete the equipment Locator Service form located between pages 8 & 9 and fax to 440-257-6459.
New HIPAA Rules to Impact Document Destruction Industry“carefully review any business associate agreements provided to them by clients, because those contracts are much more likely now to include unfavorable terms for the business associate regarding breach notification, security obligations, liability and indemnification.
“Business associates also should focus efforts on implementation of the Security Rule, which has been a special focus of HHS’s audits this year,” she advises.
As liabilities for customers go up, service providers now will have those same liabilities, Bob Johnson says.
“They’re in lockstep,” he says.Elizabeth Johnson agrees, noting that new rules, including the HIPAA
Security Rule, will now apply directly to business associates, not just covered entities.
“Under prior rules, business associates were only required to abide by the terms of their business associate agreements, not the rules directly,” she explains. “As a result, HHS can take enforcement actions against business associates and, due to a 60-fold increase in their fining authority, can seek a maximum monetary penalty of $50,000 per violation.”
Although the government stresses the importantance of security and privacy for protected health information, it provides no specific information about destruction of that material.
“Nowhere in any of the five HIPAA rules does it say a word about data destruction, particle size, or anything about how or where PHI has to be destroyed,” Johnson wrote in a recent blog on the NAID website.
Health and Human Services does say that proper disposal methods for paper records may include, but are not limited to, “shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed.
“Depositing PHI in a trash receptacle generally accessible by the public or other unauthorized persons is not an appropriate privacy or security safeguard,” the agency says. “Instead, covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.”
Bob Johnson says the fact that document destruction is not addressed under HIPAA rules is not an issue.
“Even though data destruction is not specifically required in writing by HIPAA, it is a requirement,” he says. “Like every other data protection law on the books, HIPAA is based on the reasonableness principle. No one could ever say it was ‘reasonable’ to discard information without destruction and still meet the requirement to prevent unauthorized access to PHI.
“It is still important that destruction professionals know the distinction and talk about it correctly in the marketplace,” he adds. “To say HIPAA requires data destruction is not accurate. It is better to say HIPAA requires the prevention of unauthorized access to PHI, which, in turn, necessitates destruction.
“It remains to be seen whether clearer requirements for destruction will emerge in the long overdue HITECH Final Rule,” he says.
For both covered entities and their business associates, complying with HIPAA is no easy task.
Shred Nations, a network of more than 500 shredding companies across North America, offers one solution.
“What’s the best way to avoid a problem with the HIPAA police,” the Lakewood, Colo.-headquartered company asks on its website. “Release nothing without a release, employ a certified contractor and shred everything as soon as permitted, get incontrovertible proof, and make sure the world knows it.
“Prescription: Take two aspirin, and call your shredder tomorrow morning.”
www.alleghenyshredders.com
Info Request #106
Built with impact-resistant tool steel cutters and an extremely powerful drive train, these babies are the most rugged in the industry!
Make the smart choice–and spare yourself any collateral damage!
800-245-2497■ Complete destruction with no
retrieval possible■ Destroys 25–45 hard drives per min.■ Ideal for contract shredding services,
e-scrap recyclers
“Our Allegheny Hard Drive Shredder can shred 1500 hard drives in half a day – it’s already paid for itself tenfold.”
TIM EARLEY - Advantage E-cycling
Opt instead for the most e�ective solution for TOTAL DESTRUCTION of electronic storage devices – the Allegheny Hard Drive Shredder!
■ Complete destruction with noretrieval possible
■ Destroys 25–45 hard drives per min. Ideal for contract shredding services,
Opt instead for the most e�ective solution for TOTAL DESTRUCTION of electronic storage devices – the Allegheny Hard Drive Shredder!
Need to DestroyHardDrives?
Need to DestroyHardDrives?
THE SHREDDING INDUSTRY ICON SINCE 1967
Security Shredding & Storage News. November / December 2012
In the News
6
www.shred-tech.com
www.shred-tech.com
www.keithwalkingfloor.com
Info Request #117
NAID-Canada Members Elect Candidates to Board
In recent NAID Canada elections, Kevin Perry of Shred Guard in St. Johns, New Brunswick, Canada was elected to a two-year term as chairman of the NAID-Canada Board of Directors. Additionally, Greg Olynyck of
EnviroShred based in Calgary, Alberta, Canada was elected to serve a two-year term as a director.
Perry replaced Dave Carey of Iron Mountain as NAID-Canada’s chair, who will now assume the post of past chair.
Wendy Banting of Secural Datashred in Vaughan, Ontario, Canada continues her term as director and Krisjan Backman of Phoenix Recycling in Winnipeg, Manitoba, Canada continues his term as secretary/treasurer. Both terms will expire November 2013.
The chair of NAID-Canada also serves as a director on the NAID Global Board of Directors, which Perry will assume in March. NAID-Canada has experienced dramatic growth over the past few years, and currently boasts 120 member locations, 63 of which are NAID Certified.
Hospital Marketing Methods Questioned
Columbus, OH—The Columbus Dispatch reports that patient privacy may be compromised through popular marketing strategies that are being used by hospitals.
Often administered under the rubric of “customer-relationship management,” the strategies employ predictive methodologies involving patient files. Patient data is used in this way to deliver specific promotional messages. For example, new mothers or patients with diabetes and heart conditions may find themselves receiving customized mailers and reminders. Attendees of health fairs and seminars, as well as health screening participants, may receive notifications promoting other hospital events and services.
Hospitals such as OhioHealth and Mount Carmel say their marketing communications are largely educational and useful in developing preventive healthcare programming. They stress that that individual patient data is not revealed in ways that violate HIPPA rules. Both health systems say they use third-party companies to process their patient data, which is encrypted. In addition, they say such business associates are bound by health data privacy laws.
Medseek, a provider of patient data processing services, reports that electronic health records make it possible for some 25 percent of U.S. hospitals to identify and reach such target audiences.
Read more: http://www.ihealthbeat.org/articles/2012/11/13/some-hospitals-using-patient-data-to-boost-marketing-campaigns.aspx#ixzz2EdGgr8vX.
Chicago Election Board Confirms 1200 Personnel Files Exposed
Chicago, IL—According to an article on Chicagotribune.com, 1,200 job applicant files were exposed inadvertently on the Chicago Board of Elections website recently. The information security company,
Forensicon, which discovered the mistake, alleges that the breach also may include personal information of up to 1.7 million registered Chicago voters.
An election board spokesman said the voter information is normally publicly accessible and no sensitive data was involved. However, for approximately one week in November, the names, addresses, driver’s license numbers and the last four digits of social security numbers of some 1,200 poll work applicants were displayed on a publicly-accessible page. The Board of Election Commissioners had the page removed immediately after being notified by Forensicon, and each of the job applicants whose personal data had been exposed was contacted. The breach occurred when a temporary website was created on November 6 to accommodate increased site traffic caused by Chicagoans searching for their new polling places.
In 2006, the board had to correct a breach that involved the sensitive information of some 780,000 registered voters.
Info Request #157
Security Shredding & Storage News. November / December 2012
In the News
7
www.vecoplanllc.com
Info Request #116
Phone: (336) 252-4421
vecoplanllc.com
Sometimes big is just....weird!Introducing the “Smaller”Vecoplan VST-32 Shorty
Non-CDL Mobile Shredder
Featuring the NEW VNZ-80 Shredder•VariableandControllable, Screened Particle Size
•ElectricDrive
•LargeInfeedHopper
•Jam-ProofDesign
•26,000GVW,Non-CDL Mobile Shredding System
•Curb-SideToterLift
•“SureTrac”™GlidingFloor Discharge System
The“Mighty-Mite”
ContactVecoplanTodayForMoreInformation
Iron Mountain Announces Appointment of New CEORichard Reese to Retire from the Company after 31 Years
Iron Mountain Incorporated (NYSE: IRM), the information storage and management company, recently announced that its Board of Directors has voted unanimously to appoint William Meaney President and Chief
Executive Officer and a member of the Board, effective Jan. 7, 2013. He will succeed longtime Executive Chairman and CEO Richard Reese, who announced his intention to retire after 31 years at the Company.
Meaney, 52, comes to Iron Mountain with more than 20 years of experience successfully overseeing diverse businesses in the United States, Europe, Asia and Africa. According to the Company, Meaney’s track record reveals a proven ability to drive growth even in challenging environments and maximize returns on investment in capital intensive businesses. Most recently, Meaney served as CEO of the Hong Kong-based Zuellig Group, a $12 billion, primarily business-to-business conglomerate that saw sales triple during his eight-year tenure from 2004-2012.
Iron Mountain’s Board also announced that Al Verrecchia, lead independent director, will succeed Reese as Chairman of the Board effective in March 2013, when Reese will also retire from the Board. According to the Company, their Board believes that separating the chairman and CEO roles at this time represents the best leadership structure for the Company and is consistent with best practices for corporate governance. Verrecchia joined Iron Mountain’s Board of Directors in March 2010. He has also served as Chairman of the Board at Hasbro Inc. since 2008.
Reese served as CEO from December 1981 to June 2008 and returned as CEO in April 2011. He also served as Chairman beginning in 1995 and as Executive Chairman since June 2008. During his tenure, he grew the business from a regional provider with $3 million in annualized revenues to a global leader in information management and storage with more than $3 billion in sales.
Info Request #133
Phone:262.882.1227Fax: 262.882.3389
www.bomaccarts.com
CollectingSorting
Recycling
Security Shredding & Storage News. November / December 20128
www.shredfast.com
Info Request #158
Security Shredding & Storage News. November / December 2012 9
www.shredsupply.com [email protected]
Info Request #129
Security Shredding & Storage News. November / December 2012
In the News
10
www.ipsbalers.com
Tel: (951) 277-5180Fax: (951) 277-5170www.laigroup.com
Now Even More Options for CustomersWho Want Their Own Key Codes!
Lock America Adds More Common Key Codes for Padlocks and Console Locks.
• Give your drivers and customers a single key that fits all the locks at a site.• Ask your console or bin supplier for new available
key codes, or contact Lock America directly.
One Key Fits All Your Locks with No Restrictions!
9168 Stellar CourtCorona, CA [email protected]
Info Request #152
Info Request #145
www.bigdogshredbins.com
NAID Acquires Shred School
NAID recently announced it has acquired the rights to the trade name Shred School® from Total Training Services, Inc.
“As far as we were concerned, it was a no-brainer,” said NAID President Scott Fasken. “Shred School was a strong brand with a good reputation and a mission that aligns perfectly with NAID’s mission.”
Regarding the transition, Total Training’s former President Ray Barry said, “It was very important to me that Shred School had a good home. The acquisition of the brand by NAID ensures it will. I can think of nothing better for it.”
NAID intends to use the Shred School as a platform for providing advanced training for the association’s growing list of sales and marketing programs as well as traditional secure destruction sales techniques and regulatory issues.
“We’re in the process of retooling the Shred School list of services and events,” said NAID CEO Bob Johnson. “In February 2013, we will reintroduce the program with a new website and a full explanation of new member benefits offered under its name.”
Macy’s Parade Confetti Compromising
This season’s Macy’s Thanksgiving Day Parade was colorful for more than just the floats. The confetti – consisting of recycled shredded paper – represented an
embarrassing security breach. According to an article posted on Securitymanagement.com, the confetti was sourced from legal documents involving several financial institutions.
Nassau County Police Department officials immediately began investigating the data breach when a parade watcher brought in a strip of paper showing a Social Security number. The shred used for the confetti was traced to the police department itself.
As NYPD was reviewing their document destruction policies, news of the incident prompted comment from the CEO of the National Association for Information Destruction (NAID), Bob Johnson.
According to Johnson, documents that are outsourced for destruction are pulverized in massive volumes, commingled with the papers of hundreds of other businesses, and sent to a paper mill for destruction and recycling. This ensures that no identifiable information remains.
All the links in the chain of custody are important because mistakes can happen. Last May, Boston’s South Shore Hospital was fined $750,000 when boxes of unencrypted computer tapes that contained protected health information were lost on the way to the document destruction company. In 2009, after the New York Yankees won the baseball World Series, shredded pay stubs, trust fund balance sheets, and financial information as confetti were showered on the team as it paraded up Broadway.
Security Shredding & Storage News. November / December 2012
In the News
11
TM
Downstream Data Coverage® is sold in the United States as a surplus line, claims-made policy through Association Insurance Management. Downstream Data Coverage and the Downstream Data Coverage logo are registered trademarks of the National Association for Information Destruction, Inc.
It’s not just a policy, it’s a conceptDownstream Data Coverage is professional liability indemnification offered to NAID certified members that better protects data-related service providers and their customers.
While competitors may copy the policy, they can’t copy the concept.
• By linking coverage to NAID Certification, policyholders are grouped with other safe insurance risks. Over time, this translates to substantially lower premiums.
• With the support of NAID, Downstream Data is an effective marketing differentiator.
• Eventually Downstream Data will be member-owned, captive insurance, giving policyholders more control.
• The policy can be modified individually or across the board to improve coverage.
Learn how Downstream Data can give you more control of your business.
Visit www.downstreamdata.com or call 877-710-2498.
Product/Equipment ProfilesSEM Paper Shredder Exceeds NSA/CSS 02-01 Security Requirements
Security Engineered Machinery (SEM) recently introduced the Model 344 High Security Paper
Shredder, which exceeds current government requirements for the destruction of Top-Secret / Classified data. Already evaluated by the National Security Agency (NSA) and listed on the NSA/CSS 02-01 Evaluated Products List for high-security paper shredders, the Model 344 reduces paper to miniscule 0.8 mm x 2.5 mm particles that are up to 60% smaller than the shreds of competing units on the NSA EPL.
Easily maneuverable on heavy-duty casters, the Model 344 shredder weighs 106 lbs. and is 19½” wide, 18½” deep, and 36½” high. It accepts up to eight sheets of paper at a time. A built-in automatic cutting-head oiling system includes a one-gallon bottle of oil that can be mounted on either side or the back of the machine.
To ensure optimum safety, an electronically controlled safety flap in the 10¼” feed opening prevents fingers and ties from entering the cutting area. An auto-reverse/shutdown system prevents paper jams. The unit also shuts down if the 28-gallon waste bin is full, the door is ajar, or the shredder has been idle for 30 minutes.
For more information, contact James t. norris, norris & Company at 508-510-5626 or [email protected] or visit www.semshred.com.
Jorgensen Conveyors for Multiple Applications
Jorgensen Conveyors designs and manufactures a line of process feeder conveyors for most
material recycling applications. The conveyors include hinged steel belt conveyors, Z-Pan metal belt conveyors, combo metal chain and rubber belt conveyors, slider bed and troughing idler conveyors.
The conveyors and systems are designed for a wide variety of recycling operations and can be used for handling paper, corrugated materials, metal, rubber, plastics, wood, construction, electronic and municipal waste as well as co-mingled materials. They also integrate with bailing, shredding, compacting, sorting, crushing, mixing and incinerating processes.
Frame construction is open and modular, built in 5- and 10-foot bolt-together sections, with bolt-on side skirting. Frame sections are interchangeable. Belt tracking is made from durable ASCE 30 pound rail. Guarding is per industry standard requirements.
Metal belt and combo belting are offered in 4, 6 and 9 inch pitch construction with standard belt widths of 48, 60 and 72 inches to suit the application.
For more information call 262-242-3089 or visit www.jorgensenconveyors.com.
Security Shredding & Storage News. November / December 2012
In the News
12
Terry LeeDirect: 303-301-7651 . Cell: 937-620-9400
[email protected] . www.transleaseinc.com
Financing The World Of Transportation
•Low Initial Investment•Lease or Loan Financing•Financing new or pre owned
equipment
Shredder Truck Financing Made Easy• Simple Application Process• Serving the U.S. & Canada•Competitive Rate Structure
Info Request #160 Employees Fired for HIPAA Violations in Ohio Hospital Shooting
Akron, OH—Federal privacy rules under HIPAA, the Health Insurance Portability and Accountability Act, prohibit healthcare workers from looking at patient files unless the information is needed to do their jobs.
A violation of these rules occurred at Akron General Medical Center in Ohio last August, according to a report on ohio.com.
Hospital management learned that an unspecified, but “small” number of employees had viewed the electronic medical files of a patient who was shot while in the hospital’s intensive care unit. The employees, who weren’t involved with the patient’s care, were terminated. The employees had accessed the records after John H. Wise, 66, fatally shot his wife, Barbara.
Hospital spokesman, Jim Gosky, said the recent violations were “isolated incidents,” and the patient information was not shared by the employees with others. He added that the closed system limits who can access patient files.
“It doesn’t happen a lot, fortunately, because employees know, but you can’t let the curiosity get the better of you,” Gosky said. “That’s human nature and we understand that, but it still doesn’t justify the fact that the policies were violated.”
The Professional Staff Nurses Association, which represents about 800 nurses at Akron General, has not confirmed whether any nurses were fired.
Privacy violations in high-profile criminal cases have happened elsewhere. Thirty-two employees were fired last year at a Minnesota hospital for unauthorized viewing of medical records involving a mass overdose.
In 2010, a California hospital was fined $95,000 by state health regulators for allowing unauthorized employees to view medical records that sources told the Los Angeles Times were the files of Michael Jackson.
A survey of patient privacy breaches by technology security firm Veriphyr found that the majority of such violations involve fellow workers, friends or relatives who are curious to see the medical records.
State of South Carolina Tax Records Database Hacked
Columbia, SC—According to an article on greenvilleonline.com, the hacking of South Carolina’s Department of Revenue database is one of the nation’s biggest electronic heists.
The tax returns database holds 3.6 million unencrypted Social Security numbers and 387,000 mostly encrypted credit and debit card numbers. Thought to be at risk are individuals who filed returns going back to 1998.
Officials termed the initial intrusion, which occurred in August, a “scouting mission.” That was followed by two browsing hacks. The actual data theft happened on September 13. The breaches went undetected until October when a computer crimes office of the U.S. Secret Service made the discovery. Since then, security surrounding the breach has been tight. Details, other than the dates and acknowledgment that the hacker was foreign, have been out of bounds to the media while the investigation unfolds.
South Carolina Gov. Nikki Haley ordered an assessment of all the state’s computer systems, but specifics about that investigation are being kept under wraps. What’s more, officials can’t (or won’t) tell whether the state’s computer system is still vulnerable. The Department of Revenue has contracted Mandiant, a computer security firm recommended by the Secret Service, to fix the leak.
Questions remain as to whether the files in the hacked database were removed or copied and whether the state had paid a ransom to the hacker to retrieve the data. Officials say that all but 16,000 of the credit and debit cards were encrypted. Whether Social Security numbers in the state’s system can be encrypted is not known. Affected individuals have been notified and the state is paying for a year of credit-protection service to monitor any identity thefts that occur.
The international investigation is further complicated because South Carolina’s computer system is decentralized. As is with many states, the boards, agencies, universities and commissions operate their own systems.
Subscribe Today! Call 440-257-6453 or Email [email protected].
www.dun-rite.comInfo Request #143
800 209 3145www.dun-rite.com
Manufactured in the Midwest
Allegheny Cresswood GranutechShred-Tech SSI Untha Vecoplan Weima
LOW-RPM, SINGLE-SHAFT SHREDDERS/GRINDERS
REPLACEMENTTOOLING –
ForMobile &
Plant-BasedSystems
Security Shredding & Storage News. November / December 2012
In the News
13
Help Your Customers Find a Home for Their Outdated Electronics
ATTENTION: DOCUMENT DESTRUCTION CONTRACTORS!
Do what many ‘leading recyclers’ have done ... Partner with Dan-Mar and turn your scrap into cash! Precious metal value is going up and so is the demand for electronic scrap. As a global leader in asset recovery, Dan-Mar is ready to present you with fresh thinking on how you can maximize your profits. Call Dan-Mar today!
ph: 631-242-8877 • fax: 631-242-8995150 West Industry Court, Deer Park, NY 11729
e-mail: [email protected] • www.dan-mar.com
Dan-Mar Buys: • Precious Metal • Military Electronics • Semiconductors • Components • Scrap PC Boards • Telecommunications • Integrated Circuits • Networking & Test Equipment • E-ScrapThe Name to Trust in Surplus™
Info Request #114
Registration is Open for NAID’s Annual Conference
Online registration for the National Association for Information Destruction’s (NAID) annual conference opened Monday, Nov. 26. The 2013 NAID Annual Conference will be a three-day event in Nashville,
Tenn., at the Gaylord Opryland Hotel and Convention Center.“We’re so excited to be coming to Nashville this year,” said NAID CEO
Bob Johnson. “The location is easy to get to, and Nashville has a charm and atmosphere that will strike a chord in NAID members around the world.”
Joe Calloway, author of the bestselling book “A Category of One” will be the keynote speaker at this year’s conference, NAID in Nashville: Tune in for Success. There will be sessions about social media, expanding residential markets, sales and marketing techniques, the current state of the destruction industry and much more.
Those individuals who register for the conference before Feb. 1, 2013, will receive a 25 percent deep saver discount. Register at https://www.etouches.com/NAID2013AC and learn more about the speakers, sessions, and venue. For questions about the event, contact NAID Director of Events and Programs Jamie Steimer at [email protected].
Cintas Announces New Nationwide Hard Drive Destruction ProgramSolution uses secure and efficient process to safely and sustainably destroy digital data
Cintas Corporation (NASDAQ:CTAS), recently launched its hard drive destruction program. According to the Company, the new service safely and efficiently destroys computer hard drives through a compliant
recycling process, eliminating risks of data breaches and helping organizations stay compliant with state and federal disposal laws.
“Many discarded hard drives contain information that is confidential and recoverable,” said Karen Carnahan, President and COO, Cintas Document Management. “Complete destruction is the best way to protect this sensitive business data. Our certified solution offers organizations the assurance that confidential files will not be exposed and they will remain compliant with data privacy standards.”
Easing of Medical Record Restrictions Ensures Post-Sandy Patient Care
Albany, NY—According to a report on bloombergnews.com, New York Governor Andrew M. Cuomo asked the federal government to temporarily waive certain medical records privacy restrictions. He took
this action to help expedite care for patients affected by Hurricane Sandy. Waivers required by Medicare, Medicaid, the Children’s Health Insurance
Program (CHIP), and the Health Insurance Portability and Accountability Act were approved for New York and New Jersey by Health and Human Services Secretary Kathleen Sebelius under Section 1135 of the Social Security Act.
Emphasizing good faith inherent in the easing the restrictions, the changes that Cuomo requested affect administrative and recordkeeping rules, including documentation, patient relocation, billing and reimbursement requirements. Patient care and billing now can be provided even where standard documentation is missing. Patients can be relocated from damaged facilities to more secure settings. The changes also help streamline procedures for acceptance of new patients and approvals for relocating provider operations.
For more information: The New York Section 1135 waiver is available at http://www.cms.gov/About-CMS/Agency-Information/Emergency/Downloads/Hurricane-Sandy-PHE-Declaration-and-Section-1135-Waiver-for-New-York-10-31-12.pdf.
The New Jersey Section 1135 waiver is available at http://www.cms.gov/About-CMS/Agency-Information/Emergency/Downloads/Hurricane-Sandy_PHE-Declaration-and-Section-1135-Waiver-for-New-Jersey-11-1-12.pdf.
Lock America International CEO Frank Minnella Announces Lock America Reorganization
F rank Minnella, CEO of Lock America International, Inc. of Corona, California announced recently that he will be stepping back from daily involvement in company operations to move to an advisory strategic role.
“I’ve been active in the security lock business for over thirty years, and it’s time for a new generation to take over operations and marketing for Lock America. Watson Visuwan, who is moving up from Sales Manager to Vice President of Marketing, has proven himself in many roles at Lock America over the last 15 years. With the promotion of Dan Walsh to Sales Manager, and the development of the rest of our team, Watson has the resources to take the company into new markets while building on our success in our present businesses,” says Minella.
Lock America International has developed and marketed a wide range of innovative locks and security products for many industries, including amusement, coin-op, information destruction, newspaper distribution, recycling, self-storage, propane and vending.
Reach More of Your Market ...Advertise in Security Shredding & Storage News.
Call Rick Downing at 440-257-6453 or email [email protected].
Security Shredding & Storage News. November / December 2012
In the News
14
www.alpineshredders.com
Info Request #101
Analysts Predict $14 billion in US Government Security Spending by 2017
Herndon, VA—The website govWin.com reports that US federal government spending on information security will
increase in the next five years, which is mostly good news for providers of a wide range of security-related services. The biggest drivers for increased spending will include cloud and mobile computing technologies.
The assessment on government information technology spending was conducted by forecasters from the contracting services company, Deltek. Their report highlights the fed’s changing priorities. Information security expenditures – from hiring specialists to administering programs that support cybersecurity policies – now rank in importance above the fed’s other IT needs. GovWin is a government contracting service of Deltek.
The analysts report that modernization, data center consolidation, mobility and telework, as well as analytics and big data, now top the Fed’s security needs lists. Threats to data, networks and other hard-asset security areas continue to grow in frequency, complexity, variety and persistence. Meanwhile, security compliance policies, such as FISMA, CyberScope, HSPD-12 call for expansion and investment, the analysts say. Spending on development of security-related technologies, including vulnerability awareness, intrusion detection, identity/access management, etc., is expected to increase to meet the challenges of technology gaps. Employee outsourcing will decline even though qualified cybersecurity professionals are hard to come by. This is because the government plans to rely more on internal human resources initiatives, the report notes.
Budget cuts, and appropriation delays, in addition to the integration of continuous monitoring capabilities and improved risk management, tend to moderate outsourcing demand for the near term. Yet Deltek analysts predict US government spending on vendor-furnished information security products and services will increase to $14.3 billion in 2017, up from $9.9 billion in FY 2012.
For more information: Federal Information Security Market, FY 2012-2017http://www.dhs.gov/federal-information-security-management-act-fisma
Europe Paper Recycling Increases, Quality Improves
Brussels, Belgium—According to an article posted on letsrecycle.com, EU countries overall are recycling an average of 70.4
percent of paper that is collected. The amount recycled is increasing and, importantly, the quality of recycled paper is improving.
The 2011 figures, which are the latest ones available, show that the UK’s paper recycling topped the list at 78.7 percent, while the twelve other countries reported recycling rates near 60 percent. Paper recycling is monitored by the European Recovered Paper Council (ERPC). In 2000, this Brussels-based industrial organization, adopted and launched its First European Declaration on Paper Recovery to help the countries meet recycling targets.
To determine the recycling rates, ERPC’s annual report uses data compiled by the Confederation of European Paper Industries (CEPI) through questionnaires to national member associations. The report now includes figures on carbon reduction and other indicators along with the volume of paper collected and the recycling rate the agency monitors.
Approximately 58 million tons of paper was collected in 2011– the same as in previous years-- but 9.2 million ton (16 percent ) of it was sent for recycling, led by Norway and Switzerland, which are not part of the EU-27.
The paper recycling industry is looking at ways to divert previously rejected types of paper (packaging bearing adhesive residue, for example) from the waste stream and make valuable use of it.
The ERPC report also notes research by CEPI which shows that paper and paperboard were the most recycled materials in Europe in 2010, followed by steel coming in second place (71 percent), glass (68 percent) and aluminium (64 percent).
In the US, paper recycling is hovering at 66.8 percent, with 52.7 tons collected, according to the American Forest & Paper Association’s report for 2011. The organization has launched its Better Practices Better Planet 2020 initiative, establishing a goal of 70 percent paper recovery by 2020.
For more in for mat ion : h t tp : / /www.paperrecovery.org/ http://paperrecycles.org/stat_pages/recovery_rate.htmlhttp://www.afandpa.org/Sustainability/
Mark Your Calendar!Plan now to attend Security Shredding /Medical Waste Mgmt Conference november 3-5, 2013orlando, Fl
Security Shredding & Storage News. November / December 2012 15Info Request #130
UNTHA shredding technology America Inc.5 Merrill Industrial Drive, Hampton, NH 03842
Phone 603 601 2304, Fax 603 601 2423 [email protected], www.untha-america.com
The RS SeRieS: ReVOLUTiONARY ShReDDiNG TeChNOLOGY –
UNCOMPROMiSeD UNThA ReLiABiLiTY
The reliable brand!
• High Capacity
• Tough & Economical
• Continuous Feeding
• Low Noise and Dust
• Simple to Operate
• Low Maintenance
UNTHA shredding technology America Inc.5 Merrill Industrial Drive, Hampton, NH 03842
Phone 603 601 2304, Fax 603 601 2423 [email protected], www.untha-america.com
The RS SeRieS: ReVOLUTiONARY ShReDDiNG TeChNOLOGY –
UNCOMPROMiSeD UNThA ReLiABiLiTY
The reliable brand!
• High Capacity
• Tough & Economical
• Continuous Feeding
• Low Noise and Dust
• Simple to Operate
• Low Maintenance
UNTHA shredding technology America Inc.5 Merrill Industrial Drive, Hampton, NH 03842
Phone 603 601 2304, Fax 603 601 2423 [email protected], www.untha-america.com
The RS SeRieS: ReVOLUTiONARY ShReDDiNG TeChNOLOGY –
UNCOMPROMiSeD UNThA ReLiABiLiTY
The reliable brand!
• High Capacity
• Tough & Economical
• Continuous Feeding
• Low Noise and Dust
• Simple to Operate
• Low Maintenance
[email protected] www.hammermills.com
E-CYCLERunlike a shredder, the
doesn’t just cut it...
America’s fastest growing hammermill company
1-800-447-4634
it E-nihiLatEs.
6 1 D e p o t S t r e e t , B u f f a l o , N Y 1 4 2 0 6 • 7 1 6 . 8 5 5 . 1 5 5 5 • f a x : 7 1 6 . 8 5 5 . 3 4 1 7 • e - m a i l : i N f o @ h a m m e r m i l l S . c o m • w w w . h a m m e r m i l l S . c o m
Schutte-Buffalo hammermill’s e-cycler is the alternative to a shredder. unlike the cutting action of a shredder, the
e-cycler hammer mill pulverizes e-scrap, scouring confidential data and liberating recyclable components in one pass.• ½ the cost of a shredder with lower maintenance costs and a higher production capacity • completely scours information to illegibility • renders electronic
components unusable and unrecognizable • four-way reversible steel hammers crush and shatter the material • interchangeable screens guarantee a properly-sized end product
• liberates components for easy separation and recycling • pulverizes hard drives, printed circuit boards, cDs & DVDs, cellular phones and more
590-14_Security_Shrednews_mag_FT_M.indd 1 11/3/11 10:34 AMInfo Request #132
