Misleading Claims

A Division of Knisely Security LLC

Don't you get tired of company misrepresentations. It seems that no matter the industry, you'll be told anything just so someone can sell a service or product. Once they have your money, you're at their mercy. The shredding industry is no different. We can't stress enough to verify what you're told. Seeing is believing. If you discover a false claim, point it out. If you believe you were hurt or could be hurt by these false claims, you should take legal action.

All shredding services state that they ensure complete and confidential destruction. No one is going to tell you that their service is substandard and hope that you still use them.

Below is a prime example. This company has a small shredder and offers off-site shredding, so why are they sending material out to be shredded? Do their customers know this? They advertise that clients should be confident that sensitive items will not fall into the wrong hands. An employee of this company confirmed what the photos show (that material is sent 3-4 hours away for shredding). They say a "Certificate of Destruction" will be your guarantee that the work has been performed confidentially and securely. Do you get a certificate from this company or the company that actually did the destruction? HOW CAN THEY CERTIFY SOMETHING THEY DON'T SEE DESTROYED?

Notice the gaylord boxes heaping with unshredded paper being unloaded from the blue trailer into the white box truck.

Records Centre personnel loading boxes and dumping shredding console bags into the back of a trailer outside their building. The trailer is taken away after a few weeks and then returns a couple days later (September 2010).

Click here to view complete video of the above.

You can not transfer your liability, so you must be sure you know who's doing your shredding, the size of the finished product and where it ends up.

"Consequences of an off-site shredding truck accident. Off-site shredding is the least secure process a shredding company can offer."

PIERCE AND TEAR

This is the reason you have to look in the back of the truck. These trucks miss a lot of paper, especially checks. Don't fall for distance photos or video of your paper going into the shredder. Tell them you want to see the finished product. Get up close and personal.

Companies that use this type of shred will often tell customers they cross-cut the material. Anyone who looks at this finished product knows this isn't cross-cut.

Companies who use this type of shred can get a "AAA" certification from a trade association. It's important to know that this trade association isn't a security association. Their goal is to promote member businesses. If security guidelines are too strict, very few members would get this certification.

Knisely Shredding challenges any competitor to a side-by-side comparison.

Another distance photo taken of a pierce-and-tear finished product. You can see how large this is without enlarging.

The above is proof that some shredding company owners and shred truck manufacturers know their trucks don't shred material small enough. The photo on the left is of a hammermill shredder. Notice the eye level viewing window. The photo on the right is the same truck, but with their pierce-and-tear machine. Notice that the eye level viewing window is gone. They don't want you to see this shred type. IF YOU CAN'T SEE THE FINISHED PRODUCT, YOU DON'T WANT THEM SHREDDING FOR YOU.

Another example of a large shred size. This photo was taken of someone standing in front of a bale of shredded paper. Notice how large the pieces are. You can use his ear for comparison. WOULD YOUR CUSTOMERS OR PATIENTS BE HAPPY IF THEY KNEW THEIR SENSITIVE DOCUMENTS WERE ONLY DESTROYED TO THIS SIZE BEFORE BEING SHIPPED OUT OF THE COUNTRY?

Many companies who shred paper to this size have the recycling company sign an agreement that they won't release the paper back into the public stream. Why would that be necessary if the paper was shredded to an unreadable size? They do this because they don't want the large pieces being traced back to them for liability purposes. Once the pieces leave the country, they don't care what happens because it would be difficult to trace back. ID thieves love seeing this material.

(IPSA) Information Protection Solutions of America - This group claims on their website what I believe to be a grossly misleading claim. Their website on 4/27/07 under the "FTC Disposal Rule" states: "To adhere to all guidelines of the FTC Disposal Rule related to shredding documents, you must use a NAID certified shredding provider or implement the same equipment and procedures internally.

A representative of the FTC informed me that this statement was "absolutely not true". I don't believe this misleading statement will stand too long.

Again, you must believe what you know is right when selecting a service and not blindly believe what any shredding service is trying to sell you.

I don't believe there should be a "shredding service industry". Shredding is a security function and should fall under the classification of the security industry. Don't let a shredding service dictate your security practices. The above is a prime example. If a company's security practices are solid, they shouldn't need to mislead.

Update to the above: I checked the IPSA website on 6/16/07 and the misleading statement about the "FTC Disposal Rule" is now gone from the site. It would appear that the FTC took some action here.

Knisely shredding has been trying to expose the false advertising and deceptive business practice issues in the shredding industry. Check out FTC News under the "About Douglas Knisely" section of this website.

ASIS PROFESSIONAL CERTIFICATION BOARD states that Certified Protection Professionals (CPP's) do not make recommendations involving the NAID "AAA" program and DO NOT CERTIFY ANY PROCESS. This deserves repeating, DO NOT CERTIFY ANY PROCESS!!!

If the internationally recognized SECURITY PROFESSIONALS (CPP's) don't certify the "AAA" process, where does the credibility come from? What's the purpose of using CPP's other than to possibly give an illusion of security. Have your security personnel thoroughly review the guidelines.

See the ASIS, PCB letter below.

Proof that what I'm saying is true.

Manufacturers of pierce-and-tear shred trucks call to invite me to look at their trucks, hoping for a sale. Below is an email I received from one of these manufacturers. I received this response because of my concerns of large shred and missed pieces.

"Subj: Re: Invitation to response

Date: 3/26/2007 11:03:11 A.M. Eastern Daylight Time

From: Purposely left blank

To: Dkknisely@aol.com

Hi Doug,

"All our shredders have been updated to prevent this from happening. In the past, on rare occasions, checks could slip through untouched on the edges of the shredder. Changes have been made to redirect paper into the knives by adding a deflector plate and blank knife to the shredder stack up.

From a shred size stand point there are machines that will shred finer than the ____________. The advantage of that is questionable. Most of this business is price driven and bigger profits can be had by buying the fastest, most efficient and reliable. Small shred size may win the occasional contract but it usually results in lower throughput numbers and additional time and money spent at each job.

Kind Regards,

_________________"

I know they didn't change all the old trucks and was told by a user that the new trucks have the same problem. This user told me they have to re-shred the material once they get it back to their building to get the material to a secure size.

I believe the above says it all. But, below is a portion of an email I received from another pierce-and-tear company asking me to remove a photo from my website of a pile of paper that came from their truck.

"I understand that you have a point to make about security, but we would have never...NEVER given you permission to take and illustrate this photo to benefit your company and paint our process and the process preferred by 95% of the MDS marketplace, in a negative light"

If the photo of a pile of paper paints their truck and 95% of the shred trucks in a bad light, this should put you on notice to demand to see the finish product.

These emails show that 95% of the shredding companies using the pierce-and-tear technology do so because the can make more money by shredding large, allowing them to service more customers in a day. It takes time to shred small and secure. It's preferred by the shredding companies because it increases profits, but it's not preferred by security professionals.

____________________________

If you still need convincing, keep reading. Below is another email from a pierce-and-tear shred truck maker.

Subj: RE: New Technology From ______________

Date: 2/4/2008 11:21:29 A.M. Eastern Standard Time

From: Purposely left blank

To: Dkknisely@aol.com

"Hi Doug,

The shred size on this system is the same (perhaps marginally smaller) than our other trucks. We have made big improvements to the cutting chamber, on all our machines, to reduce full checks and other oversized pieces from migrating through the system. This has been accomplished by altering the design at each end of the cutting chamber."

Note - they stated to "Reduce" oversized pieces and checks from migrating through the system. They admit these trucks miss paper. Keep reading.

"We are constantly evaluating throughput performance versus shred-size to make sure our equipment is positioned to accommodate most of the shredding market. According to our informal customer feedback we estimate that 90% of the end user market is price and service driven while only 10% of customers make a final buying decision based on shred size. Given these conditions we tend to choose higher throughput performance over smaller shred sizing."

Note - They're trying to accommodate the shredding market, not the security market.

"We have installed 3/8" knives in some of our machines which greatly improved the final product size. Increased wear factors and slower performance made the set up unpopular and we rarely sell it anymore."

Note - Shred companies using pierce-and-tear can have smaller size outputs, but they're more concerned about their bottom line than your security.

"In terms of achieving small shred size at a decent speed your hammermills probably provide the best option. Hammermill performance does come at a cost, namely dust and high maintenance. Given the current price driven market conditions most people are not willing to put up with these disadvantages."

When they say most people aren't will to put up with these conditions, they're saying most shredding companies don't want to go that extra mile for your security.

"The "security shredder" term is one we have used for some time and is simply the marketing description for our equipment. It is still the 5/8" knife width set up that is NAID "AAA" certifiable. Since that certification has been made to accommodate the majority of equipment in use its value as a "security standard" could be fairly questioned. DIN standards are much more stringent. I have attached a description for your reference."

This is huge. I appreciate this company's honesty about their shred size and their questioning the validity of the NAID "AAA" certification.

The DIN standard they are referring to is the European shred standard.

Level 1 GENERAL - LOW SECURITY (DIN 1)

This level of security is generally acceptable for home use. Machines will normally shred into long strips cutting a sheet of A4 paper into about 40 parts. Shred sizes can be up to 12mm or about 1/2 inch. Useful for general information but not for information that may contain bank account details or passwords,etc.

The European standard isn't much different from US standards. They don't think much about 1/2" for sensitive material. the IRS also doesn't want 1/2". The IRS standard is 5/16". Most off-site shredding companies shred to the 1/2" shred equipment manufacturers standard. You must be just as careful when selecting an off-site shredding company.

_________________________

The author of the above email sent me the following response.

From: ________________________

To: dkknisely@aol.com

Sent: Wed, 26 Mar 2008 1:47 pm

Hi Doug,

By being able to offer a cost effective service companies who are NAID members have done more to promote information security than any other group of businesses. If the service was too expensive less people would take advantage of it. It is also important to remember that there has never been a security breach involving material shredded to the 5/8" sizing.

Many operators who run screens (ie. Hammermills or Grinders) advertise the 3/16" hole shred size and then run with 2" or 3" screens.

Individual shredding service companies may misrepresent themselves sometimes but that happens with all types of equipment.

The real security is provided by process control. Customers should be made aware that the NAID standard shredded material is being securely transported to be further processed and ultimately destroyed.

I hope in the interest of fairness you will post this message along with the others or remove all my correspondence from your website.

Regards,

___________________________

Below is my response:

"I'd be glad to post your response to the website.

As a security professional, I don't agree with most of what you're saying. Material being shipped out of the country for processing isn't secure. The problem lies in the recycling centers, transportation and where the processing plant is. NAID background requirements aren't required for "non-access" employees (this includes shred company employees as well as recyclers), but they're the ones who are processing these whole checks and large pieces of paper that migrate through the systems. These employees most definately have "access" to confidential material. If this NAID standard is acceptable, why is it hidden from view? Do the NAID guidelines extend to China and other countries where a lot of this paper goes or do we just hope no one there reads English?

I've spoken with news reporters who covered shred events but were refused access when they wanted to look in the back of the trucks. People are getting suspicious. Each time whole checks and oversized pieces are dumped is a breach. There have most definately been breaches. I've had some sent and communicated to me. It's just that these breaches haven't hit the media or courts yet. NAID has done a good job covering things up with their agreements between the shredding companies and recyclers to not release the information back into the public stream. Why are these agreements necessary? Customers are paying for "destroyed", not "made smaller then shipped for further processing". Do the users of these trucks tell the customers this? No, that's what's misleading. The ones who could ultimately be hurt by these breaches don't have all the information. They can't make "informed decisions" without the truth.

I haven't personally seen anyone advertising 3/16" holes. I know some services want people to believe they're shredding to DoD specs which I know isn't true.

Doug"

_______________________________

On 9/26/2006, Bob Johnson of NAID conducted a presentation for ASIS titled “The Impact of Recent Legislation on Information Destruction Policy”

He states that “NAID’s mission is to “champion the responsible destruction of Confidential Information and Materials by promoting the highest standards and ethics”. The NAID website states their mission is to “promote the information destruction industry and the standards and ethics of its members”. It seems that NAID’s mission statement changes depending on the audience.

The presentation also included the following:

Secure Destruction v. Recycling Disposal Options - Paper Records

“When it comes to the disposal of personal information, recycling is

not acceptable as an option for disposal.”

“Let there be no mistake – recycling does not equal secure disposal.”

Dr. Ann Cavoukian

Information and Privacy Commissioner of Ontario

If material isn’t shredded unreadable before recycling, then it’s still unacceptable according to Dr. Cavoukian.

Define the criteria and process for selecting a secure destruction service

• Check References

• Inspect the Premises

• Select a Company Certified by a Recognized Trade Association

• Require a Contract

• Require Written Policies and Procedures

Note - he doesn’t mention anything about particle size for mobile shredding services or the fate of the destroyed materials. He does get a plug in for NAID “Certified” companies.

INTERNAL DESTRUCTION POLICIES

• Employee Screening

• Transport Procedures

• Access Control

• Facility Monitoring

• Destruction Timeframes

• The Use of Subcontractors

• Particle Size Requirements

• The Fate of the Destroyed Materials

• Indemnifications

• An Audit Trail

• Annual Review

Note - he feels it’s important that internal policies have a secure particle size and concern for the fate of destroyed materials.

Why would NAID exempt mobile services from particle size and the final fate of the material? ASK QUESTIONS. LOOK IN THE BACK OF THE TRUCK.

Remember, NAID isn't the law when it comes to secure destruction. The courts will decide if YOU took reasonable precautions and did your due diligence review.