FAQs
Why should I outsource my document shredding?
- Focus on what your business does best. Leave the compliance to us. Most people don’t know that there are many laws and penalties to mismanaging important information and documentation. For example there are HIPAA, HITECH, FACTA, FEPRA, GLBA, SOX, EEA, Safe Harbor Framework, and the Patriot Act.
- Having documents shredded on site is more secure than offsite options because there is less time between the documents leaving your establishment and being destroyed.
- On-site shredding is convenient because you can schedule a time for the shredders to come to your establishment so you don’t have to worry about transporting them yourselves.
- Certificates of destruction. A reputable shredding service should have no problem giving you a certificate of destruction if their policies and procedures are secure. This also provides your business with an extra level of protection in case there are any disputes on your practices.
- Convenient and less time consuming. Manually shredding all of your documents can take up precious time that could be spent towards value-adding activities. Also, office shredders often require you to remove all staples and paper clips whereas mobile shredding companies have the capability of just throwing it in and moving on.
- Secured containers with locks on site. To make things simple and convenient, shredding services provide containers where you can put all of your customer and employee sensitive information that are secured with locks so unauthorized personnel cannot access the documents.
- Environmentally friendly. In addition to compliance with regulations, shredding services will recycle your shredded paperwork so that it can be reused and reduce the number of trees that have to be cut down for future paper.
- Making the decision to outsource your shredding and paper recycling is only the first step in compliance with privacy regulations. The next step is to make an educated decision on which shredding company is the most cost effective and reputable in terms of following laws. The best way to do this is to verify other companies the company works with as well as ask for a certificate of destruction.
What is On-Site Shredding?
- Secure onsite shredding is an ideal solution for organizations requiring the immediate or witnessed destruction of confidential, copyrighted or royalty-based materials directly on-premises.
How secure is Arctic Shred’s Destruction Services?
- Security is our utmost concern as an information destruction company. When you use Arctic Shred, you can trust that your confidential documents are completely destroyed unrecognizable, that our process as well as yours will maintain compliance and chain-of-custody for your business. Your material will be locked in secure bins on site until we transport it locked all the way to the point where it gets mixed with millions of other shredded documents. All of our employees go through extensive background screening and our company is audited for internal controls for NAID AAA Certification. All of our trucks are tracked with GPS for internal compliance.
What is Chain-of-Custody?
- Chain of custody documentation” is defined as the historical sequential paper trail that records the “when, why, how, and by whom” in relation to physical or electronic evidence that is collected, handled, or analyzed.
How long should records be kept?
- Businesses need to retain certain records based on their records retention schedules. But in short, tax records, financial statements employment and HR records, organizational documents, property documents, health documentation and other legal documents must be retained for different periods of time. It is always important to check with State, local, Federal and industry-specific laws and consult with an attorney before proceeding. Arctic Shred is not a law firm and will recommend you reach out to your business attorney for specific retention requirements but because we have been in the information management industry for a long time, we know the general rules of thumb for most industries.
What needs to be shredded?
- If the documents contain any sensitive information play it safe and shred them. If its legal, health related, has personal information, is in regards to student information or education, has financial information or credit card information, etc. the list goes on. Also, compliance regulations require specific physical papers to be securely destroyed based on standard retention schedules. When in doubt, shred it! It is not worth the penalties and fines or lawsuit. We are way less expensive than your attorneys.
Are there any hidden fees?
- NO! We despise hidden fees. With Arctic Shred, what you see is what you get, we have built in any required costs and all other costs are clear and transparent before you ever sign up for service.
What happens if we put something in a bin by accident?
- Unfortunately, it happens that something gets placed in a bin that wasn’t supposed to. To maintain the Chain-of-Custody for document security and legal compliance if that happens give us a call and we can come unlock the bin for a call out fee unless we are already in the area then we will do our best to swing by quickly to retrieve it at no cost. This doesn’t happen often but when it does, we make sure to verify the known content of the document with the authorized person on the account to make sure there is no breach of information.
What is FACTA
- FACTA applies to virtually all persons and businesses in the United States, mandating that “any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Under FACTA, consumer information is defined as personal identifying materials which extend beyond just a person’s name, including: A social security number, A driver’s license number, A phone number or e-mail address, A physical address. To comply with the FACTA Disposal Rule, businesses and individuals must take “reasonable measures” to ensure such information does not fall into the wrong hands. Reasonable measures include the “burning, pulverizing, or shredding” of paper documents, such as the contracting of a third-party engaged in the document destruction business to dispose of confidential information in a manner consistent with the Act. Failure to abide by FACTA may result in stiff penalties. Victims are entitled to actual damages sustained due to incompliance; they may also seek statutory damages, and, in some cases, file class-action suits. Federal and state authorities are also empowered to bring legal enforcement actions against businesses that violate the Act.
What is FEPRA?
- The Family Educational Rights and Privacy Act (FERPA) (20 USC §1232g, 34 CFR Part 99) is a federal law that protects the privacy of student education records. FERPA applies to all U.S. educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education. FERPA regulates access to and disclosure of student education records. It gives students and parents the right to inspect and review the students’ education records maintained at the institution, and request corrections if they believe the records are inaccurate or misleading. Another important FERPA obligation is that the educational institution must obtain a signed and dated written consent from a parent or student before personally identifiable information is disclosed unless certain limited exceptions apply. The educational institution must keep a record of each disclosure of personally identifiable information from student records. These obligations are set out in 34 CFR §99.30 through §99.39. Improper disposal of student records may constitute an unauthorized disclosure under FERPA.
What is HIPAA?
- The Health Insurance Portability and Accountability Act (HIPAA) Signed into federal law in 1996, HIPAA was created to combat fraud and abuse in the health insurance industry. The Act stipulates that all United States health care organizations must “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” HIPAA protection attaches to all information relating “to the past, present, or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of healthcare.” Materials that would contain such protected information include patient histories, logs, notes, forms, billing, and insurance information, and any other records containing personal information in the possession of healthcare providers. Regardless of size, all healthcare providers in the United States must have documented policies defining reasonable measures that are being taken to protect personal health information and ensure the organization is protecting against unauthorized access to personal information. This includes all organizations or individuals who retain and/or collect health-related information, such as hospitals, medical centers, insurance companies, billing centers, collection agencies, doctors, dentists, chiropractors, psychiatrists, psychologists and any other institutions or individuals responsible for personal health-related information.
What is GLBA?
- Also known as the Financial Services Modernization Act, the Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 to protect private consumer information held by financial institutions. The GLBA requires banks to develop privacy notices and to provide customers with the option of prohibiting the sharing of their confidential information with non-affiliated third parties. On July 1, 2001, the Act was amended, requiring financial organizations to have a comprehensive, written information security program in place. The GLBA applies to virtually every business in the United States engaged in the “financial services” industry: institutions that provide financial products and services to consumers. This applies to all national banks and federal branches of foreign banks that are required to follow US banking regulations. According to the Act, financial institutions are required to implement a comprehensive, written information security program that includes proper administrative, technical and physical safeguards, the nature of which are dependent upon the size and complexity of the organization. This requirement extends to any subsidiaries of the parent financial organization. The program must be designed to protect consumers’ non-public, personally-identifiable information by ensuring security and confidentiality of data, by preventing potential risks and threats to data, and by protecting against unauthorized access to or use of consumers’ private information. When using service providers such as an outsourced document destruction company, financial institutions have a duty to safeguard their customers’ information while it is in the possession of the outsourced company. To adhere to this, the financial organization must use due diligence in selecting, managing and monitoring the service provider to ensure consumers’ private information is protected. This includes entering into contracts with an outsourcer when appropriate.
What is HITECH?
- Effective September 23, 2009, Health and Human Services (HSS) implemented the Health Information Technology for Economic and Clinical Health (HITECH) Act requiring covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and their Business Associates to provide notification in the case of breaches of “unsecured Protected Health Information” (PHI). Guidelines specifying the methods that render PHI unusable, unreadable or indecipherable for relief from the breach notification requirement are also in the Act. A covered entity must notify each individual whose unsecured PHI has been believed to have been accessed, acquired, used or disclosed as a result of a breach. Should a reach involve more than 500 residents of a state, the covered entity must notify HSS and the media. Business Associates (third-party administrators or service providers) requiring access to insecure PHI are also required to notify covered entities of breaches that occur while in their possession. Additionally, the Act stipulates that encryption of electronic PHI and physical destruction of paper PHI are the only two methodologies allowed for covered entities to be relieved of the breach notification requirement.
What is SOX?
- The Sarbanes-Oxley Act, also known as SOX, was implemented in 2002 right after several large financial scandals. Its goal is to improve financial transparency and protect shareholders as well as the general public from accounting errors and fraud. If your company fits one of the profiles below, then it must be compliant with SOX Council Standards: (A publically held American company, A company that has registered equity or debt with the U.S. Securities and Exchange Commission, An accounting firm that provides financial services to either of the above.) The size of your business and network determines the compliance requirements your network infrastructure needs to meet. Failing to comply with SOX standards could lead to one or all of the following consequences: (A 10-year jail term for unintentional violations, and a 20-year jail term for intentional non-compliance, Fines up to $1,000,000 for unintentional violations, and $5,000,000 for intentional non-compliance, Loss of customer trust and a damaged reputation.) One of the crucial requirements of a SOX compliance audit is the review of internal controls. Internal controls include all computers and network hardware that are used to process financial data. An audit of internal controls will look into the following parameters: Access: This includes both physical and electronic controls. The electronic aspects of access include the implementation of secure passwords and lockout screens. Security: This includes positioning of controls that will prevent any form of data breach. SOX compliance requires investing in services and hardware that will ensure your financial data is protected. Change Management: This requires having records of what was changed on the network, when it was changed, and who changed it. This information will help track and rectify issues when they occur. Backup procedures: SOX compliance requires backup systems be in place to protect sensitive data. All data centers—both onshore and offshore—are also expected to adhere to SOX standards.
What is the Safe Harbor Framework?
- The Safe Harbor Framework was an agreement between the United States and the EU starting in 2000. It was proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. It has been replaced by the EU-U.S. Privacy Shield Framework.
What is the Patriot Act?
- The USA PATRIOT Act (commonly known as the Patriot Act) was a landmark Act of the United States Congress, signed into law by President George W. Bush. The formal name of the statute is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, and the commonly used short name is a contrived acronym that is embedded in the name set forth in the statute. The Patriot Act was enacted following the September 11 attacks and the 2001 anthrax attacks with the stated goal of tightening U.S. national security, particularly as it related to foreign terrorism. In general, the act included three main provisions: (expanded surveillance abilities of law enforcement, including by tapping domestic and international phones; easier interagency communication to allow federal agencies to more effectively use all available resources in counterterrorism efforts; and increased penalties for terrorism crimes and an expanded list of activities which would qualify for terrorism charges.) This is just yet another reason to safeguard information.
What is a Certificate of Destruction (COD)?
- Arctic Shred is committed to protecting our client’s security with every shred job we complete for them. Proper destruction of confidential information requires providing a Certificate of Destruction to the client proving that in fact shredding of specific documents took place at a certain date and time. State and Federal privacy laws require majority of our clients, in all types of industries, to have a certificate of destruction once the shredding of their documents is complete. Whether you’re a law firm, medical facility, financial organization, educational institution, residential location, or any type of small/medium business, having a certificate of destruction ensures the final step in the shredding process for full compliance with privacy laws like HIPAA, HITECH, FACTA and GLBA. The Certificate of Destruction document certifies to our clients with: (Date and Time of the On-site Destruction, Name of Route Service Driver who picked up the documents, Name of Employee who witnessed the destruction and processed it for recycling.)
What is NAID AAA Certification?
- NAID (National Association of Information Destruction) NAID AAA-certified secure document shredding is the highest level of certification for document destruction companies. To be certified a company must apply and undergo an extensive audit process to ensure compliance within internal controls and processes in accordance to the i-SIGMA (International Secure Information Governance & Management Association) NAID regulations.
Where does my shredded paper go?
- All of the documents we shred get recycled by our own internal green initiative. We offload all of the shredded paper products at the local recycling facility where all the recycled paper is mixed together making it impossible to recover.