There’s a certain amount of risk involved with just about every product or service a business purchases. Of course, this is mitigated in a large part by businesses doing their due diligence before committing to anything that would be considered risky. However, when it comes to purchasing IT asset disposition
and data destruction services, it carries little weight if a provider claims to comply with all state and federal laws pertaining to the industry. Why? Because unfortunately, there are currently few, if any, regulations that specifically protect companies that make use of these services. Individual consumers trust federal organizations like the Food and Drug Administration (FDA) and Fair Trade Commission (FTC) to protect them when they purchase goods and services. However, businesses are highly vulnerable when they engage a third party to handle, move or destroy their IT equipment and the data stored there. When you think about it, a week doesn’t go by without a medical practice, retail store or other business finding itself in the headlines after its clients’ sensitive information is suddenly recovered from computer drives that weren’t properly disposed of. Fortunately, for businesses that need data destruction services, as well as for the companies that supply this service, there’s hope. The smart answer lies in proper certification. And after spending more than 35 years supplying businesses with professional data solutions, I believe I’m in an excellent position to offer the following information and advice on R2 and NAID AAA certifications — and what each could mean to your business.
The Origins of R2 and NAID AAA
Back in 2008, the U.S. Environmental Protection Agency (EPA) was concerned about the potential adverse impact on the environment from electronics recycling and destruction. In order to encourage businesses engaged in these processes to follow safe practices, the EPA developed a voluntary certification program for electronics recyclers. And so the “Responsible Recycling Practices for Use in Accredited Certifications Programs,” or the R2 Standard,
was born. Once businesses began getting R2 certified, the R2 TAC (Technical Advisory Committee) was established. As a result of R2 members’ feedback and TAC observations and comments, the original R2 certification — commonly referred to as R2:2008 — was revamped and updated several times. The R2:2013 Standard is now the most current R2 certification — “The Responsible Recycling Standard for Electronics Recyclers.” In contrast to R2’s more recent beginnings, the National Association for Information Destruction (NAID) has been in existence since 1994. And as its name implies, NAID
’s chief mission is to promote the highest standards and ethics associated with information and data destruction. Though NAID is also a voluntary program, its concept and rigorous certification processes were developed by industry insiders, including security experts concerned with responsible information handling and destruction. Recognized by many of the most technologically developed countries on the planet, NAID has become the leading global professional association for data and information destruction businesses.
A Closer Look: Comparing R2 and NAID AAA
Now that you know a bit about these programs’ origins, it’s time to take a closer look at some of their respective standards. Before diving in, it’s important to note that no matter how safe and responsible a data destruction company claims to be, it’s not always its published procedures that make it a security concern. From my experience in the industry, more often than not, it’s an employee or facility error that can result in the most damage to clients. For this reason, let’s compare R2 and NAID AAA standards and certification requirements as they apply to employees and facilities, as well as to equipment and procedures:
- Employee screening and background checks: Under NAID AAA certification requirements, access employees are subject to both a seven-year criminal record search and employment history verification, as well as a pre-hire initial drug screening. R2 certification requirements, on the other hand, only state that security controls shall consider personnel qualifications.
- Employee monitoring: NAID AAA certification requires that employees be monitored for substance abuse through either training or 50% random screening on a regular basis. In contrast, R2 has no criteria that specifically calls for the training or screening of substance abuse by employees.
- Employee training: NAID AAA requires that employees pass an annual NAID AETP (Access Employee Training Program) or a NAID-approved employee training program. R2 states that data destruction employees receive regular, appropriate training and be evaluated for competency in data destruction competency; however, it does not list detailed training requirements.
- Off-site requirements: For a facility to obtain NAID AAA certification, there must be a secure area in the building devoted specifically to sanitization/degaussing and a separate area for the physical destruction of media. R2 certification calls for a security program be in place to control access to all or parts of the facility in a way that’s appropriate to the type of equipment, as well as the sensitivity of the data and the customer’s needs.
- Downstream recycling: NAID AAA certification requires all members to pass their script and e-waste downstream to an ISO 14001 certified recycler. This is the identical ISO certification that underpins R2’s recycling standard. The result is that if you want to safely dispose of e-waste, a certified NAID AAA member is just as environmentally responsible as an R2 member.
- Degaussing equipment: Under NAID AAA regulations, degaussing equipment must be listed on the NSA Evaluated Products List and be verified for proper calibration using specialized equipment in accordance with OEM specifications. In contrast, R2 lists no specific equipment requirements.
- Scheduled and non-scheduled audits: NAID AAA conducts both annual announced audits, as well as unannounced audits. These are conducted by NAID auditors who have earned their Certified Protection Professional accreditation through ASIS International (the American Society for Industrial Security). While R2 auditors are all required to pass a Sustainable Electronics International (SERI) training program and examination, all of R2’s audits are announced and scheduled with its certification-seeking members beforehand.
- Transfer of custody: NAID AAA requires that all companies involved with the media must meet NAID certification, including employee screening and background verifications. They must also provide written acknowledgment that they accept fiduciary responsibility for all media they come into contact with. Customers of R2 certified companies can request a copy of the names and locations of all vendors in the chain of custody that handle their materials.
Making a Choice
All in all, what matters most to your business should inform your choice of which provider you outsource your IT asset disposition and data destruction to. As we’ve seen from both certifications’ standards, if your company’s brand is solely concerned with the environmental impact of electronics recycling, then picking a company that’s either NAID AAA or R2 certified is a relatively equal choice. If, however, you’re in the business of handling highly sensitive information and are required to meet privacy and security regulations like HIPAA, then the clear choice is to work with a NAID AAA certified member. Naturally, since both certifications are achieved voluntarily, it’s good to recognize that a company with either certification holds itself to higher standards than is currently required by law. But when it comes to the responsible handling and destruction of data, NAID AAA certification goes out of its way to give your business the highest degree of protection currently in the industry. To learn more about the responsible handling and destruction of data, contact us