Interview with Bob Johnson, CEO of NAID - Feb 22 2012
Blancco caught up with the CEO of the National Association for Information Destruction recently. We asked him a few questions relating to the future of the industry.
Blancco: What are the latest legislative changes affecting data destruction?
Bob: There are two legislative changes most significantly affecting the world of data destruction and they affect both service providers and their customers.
In the US, we now await the final ruling from the US Dept. of Health and Human Services (HHS) on the full implementation of new data protection provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH was passed as part of the American Recovery and Revitalization Act (ARRA) on Feb. 17, 2009 and dramatically increased the data protection requirements within the Health Insurance Portability and Accountability Act (HIPAA).
The second legislative issue that will most dramatically affect our industry is the revised European Commission (Commission) Data Protection Directive. The first directive, issued in 1995, was desperately in need of an upgrade.
Under the guidance of Viviane Reding, EC Vice President and highly respected consumer advocate, advanced previews of the new directive demonstrate that the Commissioner intends to incorporate many of the most advanced and aggressive data protection provisions, including strong data breach notification, data controller registrations, and mandatory enforcement.
The last legislative issue most significantly affecting our industry is better described as a trend. As evidenced by HITECH and in the upcoming Data Protection Directive, data breach notification has and will continue to spread like wildfire. Of all the issues affecting service providers and clients, data breach notification, in its continually evolving iterations, poses the most significant challenges.
Blancco: How are business drivers and certification requirements changing the data destruction landscape?
Bob: Of course, with escalating data protection requirements, more intense scrutiny and more severe consequences, clients must look for solutions. Invariably, customers will turn to specialized service providers to help them meet these new data protection needs. Just as inevitably, those service providers' qualifications also become a bigger concern in this environment. Certifications help to reassure the client they are dealing with a reputable service provider. Eventually, even the certifications themselves have to stand up to the scrutiny of those relying on them as well.
Certifications serve another role as well that goes beyond client reassurance. In many ways, simply by incorporating a vendor certification requirement into their vendor selection and auditing process, the client establishes their own compliance with such regulatory requirements.
The other growing challenge, or should I say opportunity, is in the area of professional liability. The vast majority of professional liability products on the market have no relevance to data-related vendor indemnification and yet they are purchased simply to meet some contract requirement. As customers become more concerned about their vendors' ability to indemnify them from claims resulting from service provider error and omissions, such as a data breach, customers will demand more.
Of course, vendors who address this now, and drive the issue instead of reacting to it, will fare much better as this unfolds.
Blancco: Do you see any new products or technologies that require special attention?
Bob: Of course, NAID members look to their trade association to develop marketing tools, certifications and insurance solutions for the evolving data protection climate and we do our best. So, yes, NAID tries to do its part.
We are also happy to see vendors such as Blancco helping the data destruction industry address information disposal on solid state devices and mobile phones. NAID's role is to validate the effectiveness of the process but we are not able to invent the technology to do so. So we see developers and equipment manufacturers as the frontline. The good news for everyone is that these areas also represent amazing opportunities.
Blancco: In general, are corporate users (data controllers) staying abreast of these changes?
Bob: Yes and no. Certainly there are major clients out there who have personnel dedicated to privacy and data protection. The problem we see in some of the larger organizations is that the theory and policy development at the top end are not filtering down to the implementation level.
And, of course, there are many, many more organizations that do not have a clue.
In both cases, we view this as an opportunity. The service provider who is able to effectively convey to an organization, or even better, have solutions for training, processes, contracts and indemnification can do very well. That opportunity would not be there if the customer were already ahead of the issue.
Blancco: Who will benefit from these changes?
Bob: Reputable service providers and clients that want real solutions are the ones who benefit most from the current and coming changes in the data protection environment.
NAID has always maintained that the best way to prevent marginal operators from ruining the marketplace is to create customers who know how to tell the difference. As the new regulations force customers to take data protection more seriously, we have a better opportunity to create that awareness.
Of course, in the end, the person whose information is now better protected is the ultimate beneficiary.
Blancco: Can you give any advice to ITADs on how to be proactive and not reactive, and is this even possible?
Bob: The best strategy for being proactive is to stay educated and use the tools that are available. For the most part, it is not a matter of throwing money at it. It is actually more of an issue of philosophy and discipline.
I would add that data destruction services need to wean themselves from too much reliance on scrap revenue. High scrap revenue has been used to mask many service and security oversights but that will not hold up in the long run. The added profits are nice and it makes it easy to cut prices, but it should be nothing on which any business model should rely.
NAID website: www.naidonline.org
Blancco’s solutions for ITADs: www.blancco.com/en/solution-for-ITADs