Our Business, Is Keeping Your Business - Your Business!

The actual number of businesses in the United States providing secure shredding services has never been able to be determined. Many of you reading this article may not be offering shredding services, but just contemplating doing so. You may have joined the National Association for Information Destruction (NAID) and many have not. Of those of you that did join NAID, you may have even gone further to become “AAA” Certified™; and many of you made the decision not to, or are still contemplating the step. This article is designed to shed some light on that from a former NAID insider’s point of view and with information that is not known by those outside the leadership of NAID. It is offered, not with the intent of casting a shadow over the Association, but to give the reader information not readily obtainable, on which to make a strategic business decision.

Information security is protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. Information security is important to both public and private sector businesses, and to protect critical infrastructures. In both sectors, information security will function as an enabler and to reduce relevant risks.

If we don't take it seriously internally, we can't help secure our customer's information. We spent over seven years in a national association's program and found it lacking in the levels of compliance we sought for ourselves and our customers.
Therefore, we made the strategic decision to no longer be associated with it, choosing to meet the higher and better recognized international standards.

My company was the first company to achieve NAID Certification in Texas and the 4th to do so in the United States over eight years ago. I have been involved in the development of the program all of that time and last year served on their newly developed Certification Review Board (CRB). We were certified for both mobile and plant-based operations. I had always voiced concern that the program was heavily biased against plant-based operations and far too lenient on mobile operations. In May of 2006 my company made a strategic decision to drop the plant-based certification and in August we left NAID altogether. We closed out 2006 with a 17% increase in sales ($1.4 million) over the previous year and December was our best month since starting in 1997. We have lost no business as a result of our decisions to leave NAID.

When my company first became NAID Certified, I saw it as a tremendous marketing leverage point for the new business and it did in fact help us achieve the largest market share in our area of operation. Few in NAID believed in the program in the beginning; however, over the years others followed and standards in the industry were raised because of it. Customers benefited from the competitive nature beginning to be seen from lost market revenues. Others came on board, simply because the program achieved national recognition for lack of any other standards out there.

NAID continues to market their Association as the best way for consumers to be assured of professionalism – but is that true? What makes an Association a leader in the field? I would suggest it is how they present themselves, their members, and non-members alike. Are companies that do not belong to their trade association any less professional?
Does simply belonging to NAID or being NAID Certified make your company more professional than those that are not? I would suggest the answer is no.

The NAID Certification process was to have been one where an applicant NAID member company applies for a Certification Audit, signing off on the application that they meet all requirements and are ready to prove it! When the program was set up, if you did not pass the audit on the appointed day, you had to reapply and pay the application fee again. But the audit was simply designed to be a snap-shot in time of your security operations and part of the standard. Once the auditor left, you could go back to what you normally did and not face another audit for a year.

Therefore, in late 2005 the NAID Board of Directors created an Unannounced Audit (UA) program and a Certification Review Board to give the program more credence. The UA would be randomly selected (30% of those Certified) for audit during the course of the year by NAID staff. No notice of the auditor’s arrival or action would be given to the member company. It was supposed to make sure the Certified Member’s company was still operating fully in compliance with the high standards.

The Certification Review Board’s stated purpose was to approve or deny the award of NAID Certifications to applicants that have been audited based upon a review of the findings of the auditor; review the results of unannounced audits; investigate credible claims of non-compliance; and a couple other things. It would be comprised of seven people recommended by the Certification Committee of NAID. The CRB would be the watch-dogs of the program. Having such a Board would further legitimize the program in the eyes of the consumer, or it should have. What in fact happened was we immediately discovered all of the flaws in the NAID Certification Program. Six months later I would resign from the CRB in disgust with the program.

One of the early new certification audits we conducted back in late February of 2006 was on a site owned by the then Past President of NAID and as such a member of the Board of Directors. At conclusion of the initial audit the auditor sent in his report recommending they be approved, after he did some follow-up. The CRB got the report in late-March with no mention of anything other than a truck that didn’t meet state licensing requirements. I requested a follow-up unannounced audit be conducted the next time the auditor was in the market area and it was conducted April 12th. By that time, I became aware of a major security violation at the time of the initial audit in February that NAID staff had not made the CRB aware of. As a Board of Directors member I requested a copy of the auditor’s full report. In his report to NAID, the auditor reported that the vehicle to be audited was not on site at the time of the audit, but was in fact in a repair shop in town. When he and a member of the company went to the shop, they discovered the truck contained 15-20 boxes of customer documents not destroyed and the cargo door unlocked. It was never determined by NAID how long the truck had been left at the repair shop unattended or secured. The company’s certification was approved by NAID in February, we had the auditor do several re-audits and the only recourse was that they had to write some new company policy to cover vehicle breakdowns in the future.

A few months later we learned that the now former Board Member’s company, and that of the current NAID President was sold to CINTAS – so you reach your own conclusions. The President of NAID did not step down when his company was sold but simply became a CINTAS representative and kept his office as President of NAID.
In the history of NAID it had never elected a national company representative as President; it had always been an association for small business owners, it was extremely careful that national companies would not take control of the association and have an unfair advantage against the smaller members.

I voiced my displeasure with the favoritism shown this Board Member privately with the Executive Director and President of NAID during the annual conference and told them I would not stand for it to happen again.

Other issues we saw dealt with standards such as shred size, video and alarm monitoring, employee background investigations, auditors being able to access facilities and confidential information before being noticed by employees, mobile only shredding companies taking material back to their home, a rental shed, or warehouse to shred the material or taking the shredder off their truck to do it.

As late as June 2006 I wrote to several members and NAID staff stating, “As I have so emphatically stated recently, the CRB is not protecting the integrity of the certification program, as directed by the Board of Directors, when it permits so much leeway in meeting standards during an audit, during unannounced audits, and in handling violations of the standards. We either police the program and have strict audits – or we have just a sham of a program for marketing purposes of our members. Why waste so much time of the CRC, CRB and BOD dealing with members that don’t live up to the standards we set?” The program was a sham, the consumer was placing their trust in a program that was designed for nothing more than market share gain by its members.

I also told the CRB in June, “At this juncture, I do not feel comfortable signing off on certification audits that I have not seen the full audit report on.
It is insufficient, based on recent examples of paperwork not being completed properly, to simply approve an audit based on an email from NAID staff that states the auditor found no deficiencies and recommends approval.”

It had come to the CRB’s attention that the NAID Executive Director had permitted one applicant to substitute a 24/7 contract guard for the provision of 24/7 alarm monitoring - an action he did not have the authority to do without Board of Director’s approval. He had also deliberately disobeyed the wishes of the BOD for over a year to have him run more Certification Program advertising with the funds set aside in the budget specifically for that purpose.

To say that I was not liked by many of the leaders of NAID would be an understatement. They did not see me as a team player and one of the "boys." Yet the membership in May of last year elected me as their President-Elect because of just that reason. They knew that I was devoted to the small company members.

For over a year, from their Association meeting in San Antonio in 2005, I fought an issue that involved a Chicago S-Corporation formed on May 20, 2004 named Information Protection Solutions of American, Inc. (IPSA) (they are not a member of NAID). A Summary and Motion for the NAID Board that I wrote in July of 2005 stated the fact that two individuals represented the marketing group according to their web site (names deliberately left out for this article), and one of those individuals is now a NAID Director. The NAID Board of Directors would spend the better part of the next two years dealing with this marketing group that was not a member of NAID and two companies owned by the same persons that were members of NAID (one in Chicago and one in Dallas). All three companies would be sanctioned by NAID in 2005-06. IPSA has a very strong presence and influence in NAID still today, even though they are not an associate member.
The NAID By-Laws forbid any non-member from displaying the NAID logo or for any non-certified member from displaying the NAID “AAA” Certification™ logo. To this day, IPSA is still displaying the certification logo on their web site, even though complaints were filed with NAID last summer about it. And one of IPSA’s representatives is now on the NAID Board of Directors, in violation of the NAID By-Laws. This occurred because of the confidentiality requirements that Board Members are under and the membership was not aware of his involvement with IPSA and the sanctions that were imposed, making him ineligible to serve on the Board.

Why is that part of this article? Because if you are a non-certified member of NAID, you are at a business marketing disadvantage caused by NAID and its Board of Directors. IPSA group members, for the most part, must be NAID Certified and pay their IPSA fees to be given a territory for participation in their regional/national bids. Last year, IPSA’s web site even went as far as to state that they were endorsed and supported by NAID. One should ask why does NAID continue to permit this S-Corp to display their trademarked logo against their association By-Laws? Why aren’t the other marketing groups that participate with NAID members permitted to do so?

On May 11th, 2005 I wrote to the Executive Director of NAID voicing my continued concerns with the actions of this marketing group and NAID’s passive acceptance of their practices through national pricing contracts, “which may unnecessarily attract the attention of the FTC on our industry.” Their representatives have been members of the Board, members of the Complaint Resolution Council and the CRB.

So what do you do, if you are considering joining NAID or becoming certified by NAID? How do you compete with those that are?
For several years I openly expressed that the success of my business (or yours) is not affected by NAID membership or certification; e.g., Iron Mountain has also come to that conclusion and no longer participates in the NAID certification program. As I stated at the beginning of this article, I dropped our plant-based certification (the largest part of our business) in May of 2005 and left NAID altogether in August after retaliatory action was taken against my company by NAID for my actions to make them do what was right. We have not lost any business and in fact, continue to seize market share.

We can expect NAID to counterpoint this article and my insider perspective, but remember ladies and gentlemen – I stepped down as President-Elect of NAID after they trumped up some issues to sanction me for, because I came to the conclusion it was no longer worth the stress of trying to fight them internally. I am no longer bound by their rules of confidentiality which are designed to hide the truth from the members. I can now freely speak out and have the documents to prove everything I’ve stated here (and more).

Our security operations are among the highest in the industry. As a former Police Chief, Federal Agent, and both military and Homeland Security expert - my background in security, law enforcement, fraud investigations (I once held credentials as a Certified Fraud Examiner) and counter-terrorism serves as the foundation for our operations. While we were the first company in Texas to earn "trade association" certification from the National Association of Information Destruction (NAID), we believe their standards no longer represent the higher standards that we set for ourselves and that which our customers expect.
It is why we recently initiated steps towards accomplishment of the International Organization for Standardization's (ISO) 17799:2005 Standard for Information Security as well as the ISO/IEC 27001:2005 Standard for Information Security Management System; and a portion of our operations are preparing for a SAS 70 audit to make us more attractive to the banking and financial industry customer. We have also had employees fingerprinted for complete criminal history background checks to meet government security clearance requirements, utilize GPS tracking of our fleet, and carry professional E&O liability - no association program goes that far with their standards. We (members of the NAID certification committee) attempted to add them to the standards but others wanted to maintain the marketing advantage and not have everyone required to do those things. That plain fact has been an instrument in development of the standards since the program was initiated. Even to the point where the Board looked at being certified as a requirement for membership in NAID – if they did that, everyone in the association would be equal and no one would have a marketing advantage.

I have been a long-time member of the American Society for Industrial Security (ASIS) going back to my professions prior to starting my company; and currently we are the only record management company that is a member of the American National Standards Institute (ANSI) - which is the USA member of ISO.

To conclude, I would suggest that membership in NAID is not a major issue on whether your business will succeed or not. That being NAID Certified, or not, could possibly be a detriment to your business if their program is not fixed soon. For you to be successful, you must demonstrate to your customers your professionalism and commitment to their operational security. You must not rely on a trade association doing that for you, no one can.

- John E. Miller.