Security Shredding News Spring 2020 by Downing and Associates

Volume 17, Issue 1

spring 2020

Security Shredding News Serving the Security Shredding & Records Storage Markets

Visit us online at www.SecurityShreddingNews.com

Shred Biz Employers, Employees Study New Coronavirus Response Act By P.J. Heller

newly enacted federal law designed to provide U.S. workers with extended emergency paid sick leave and emergency paid family and medical leave in the wake of the coronavirus pandemic may be of little help to some employees in the document destruction industry. Employees at some document destruction companies may not be eligible for benefits because their firms are too large to qualify under the Families First Coronavirus Response Act. Small companies which might not be able to afford the added costs, meantime, are likely to seek an exemption from the U.S. Department of Labor. The Families First Coronavirus Response Act was passed by the Senate on March 18 and signed into law that day by President Trump. The comprehensive bill includes new emergency paid sick leave provisions as well as expands existing emergency family and medical leave rules. It took effect April 1 and runs until Dec. 31. It applies to private employers with fewer than 500 employees. However, employers with fewer than 50 workers can seek an exemption by the Labor Department from the family medical leave mandate if the leave requirements would jeopardize the viability of their business. The department can also exempt employers from the emergency sick leave provisions. Guidelines for those exemptions were not immediately spelled out by the Labor Department. P r e v i o u s l y, t h e Fa m i ly M e d i c a l Leave Act applied to companies with 50 to 500 employees. The federal sick leave requirement is entirely new. Employees at large document destruction companies may find themselves ineligible. Shred-it, for example,

has more than 5,000 employees and says its top 10 competitors average 563 employees. Most shredding companies have fewer than 50 employees and independent, single market dedicated data destruction firms have fewer than 15 employees, according to an industry spokesman. Most local shredding companies operate only 1 to 2 trucks, according to Shred Nations. Some small document destruction fir ms, however, may be part of a larger organization that offers recycling, IT asset disposition (ITAD) and/ or records management services. It was not known how many small

document destruction businesses might seek an exemption from the government. “We have no way of telling how many will apply for the exemption but I can assume most would, since it poses an undue burden on small businesses,” said Bob Johnson, chief executive officer of the trade group i-SIGMA (the International Secure Information Governance and Management Association). He said i-SIGMA had gone on record requesting that provision be amended prior to it being signed into law. The trade organization includes the National Association for Information Destruction (NAID) and PRISM International. Workers who have been laid off or do not meet certain employment requirements will be ineligible for the added aid, although they might qualify for state unemployment benefits. More than 10 million jobless claims were filed nationwide in March. Regardless of employment status, however, help should be on the way after a $2 trillion Continued on page 3

SECURE DOCUMENT

DESTRUCTION

18 TONS

SHREDDED IN 3 HOURS

INDUSTRIAL

SHREDDING EQUIPMENT

{

{

BRILLIANT DESIGN, RESULTS IN AMAZING THROUGHPUT

With its’ heavy duty design, the ST-75E double shaft shredder is perfect for shredding confidential documents, data tapes, CD’s and more. Our engineers design each knife profile and configuration to suit the application for maximum throughput and optimal shred size.

Contact one of our experts today! www.shred-tech.com 1.800.465.3214 | Shred-tech.com

Follow us on: Copyright©2020 Shred-Tech Corporation. All rights reserved. Specs correct at press time, and may change without notice. Throughput capabilities vary with model, application and material being processed and are not guaranteed. 200228

2 Security Shredding News Spring 2020

Security Shredding News

Shred Biz Employers, Employees Study New Coronavirus Response Act Continued from page 1

PUBLICATION STAFF Publisher / Editor Rick Downing Contributing Editors / Writers P.J. Heller Sandy Woodthorpe Production / Layout Barb Fontanelle Christine Mantush Advertising Sales Rick Downing Subscription / Circulation Donna Downing Editorial, Circulation & Advertising Office 6075 Hopkins Rd. Mentor, OH 44060 Ph: 440-257-6453 Fax: 440-257-6459 Email: downassoc2@oh.rr.com www.securityshreddingnews.com For subscription information, please call 440-257-6453 Security Shredding News (ISSN #15498654) is published bimonthly by Downing & Associates. Reproductions or transmission of Security Shredding News, in whole or in part, without written permission of the publisher is prohibited. Annual subscription rate U.S. is $19.95. Outside of the U.S. add $10.00 ($29.95). Contact our main office, or mail-in the subscription form with payment. ©Copyright 2020 by Downing & Associates Printed on Post-Consumer Recycled Paper

Kingdom, Italy, Canada, and South Korea, emergency spending bill was signed into law it is clear that information management, IT March 27. That measure will send direct asset disposal and secure data destruction are payments of $1,200 to most Americans, included in ‘essential services,’” i-SIGMA said. depending on their annual income. The massive “Governments across the globe are aware spending bill also provides nearly $1 trillion and worried that organizations will lose sight in business loans and guarantees to millions of their broader legal o f l a rg e a n d s m a l l and ethical obligations companies throughout under the stresses of the the economy. “The legislation will outbreak,” i-SIGMA Under the Families said. “Compliance F i r s t C o r o n av i r u s enable employers to with privacy laws, data Response Act, covered keep their workers protection regulations, employees can get up to and records retention two weeks (10 days) of on their payrolls, obligations would be put sick leave at full salary at risk if such services if they are quarantined while at the same time were unavailable. In the or are experiencing ensuring that workers end, that is why those COVID-19 symptoms. services are so clearly Employees also are are not forced to essential, and it is why allowed two weeks of choose between their i-SIGMA members paid sick leave at twochoos e t o cont i nue thirds of their regular paychecks and the service at this critical salary if they can’t work time.” because they’re caring public health measures With many fo r s o m e o n e u n d e r needed to combat businesses shut down quarantine or for a child across the nation by under 18 years of age the virus,” the Labor state and local officials whose school or place who have issued stay-atof care is closed, or if Department said. home orders in order to a child-care provider try to slow the spread of is unavailable due to the coronavirus, it was not immediately known COVID-19 related issues. how much demand there still was for document Workers employed for at least 30 days are destruction services. At least 25 states have eligible for up to an additional 10 weeks of paid issued stay-at-home orders. family leave to care for a child under certain Johnson said the vast majority of i-SIGMA circumstances related to COVID-19. members, both secure data destruction services, Businesses will receive tax credits as ITADs and records management services, reimbursement for providing employees with continue to service the essential businesses paid leave, according to the measure. they serve. “The legislation will enable employers to I-SIGMA has cancelled its 2020 NAID & keep their workers on their payrolls, while at PRISM International Conference and Expo the same time ensuring that workers are not scheduled for May 14-16 in Orlando, FL. forced to choose between their paychecks and In addition to the employee leave the public health measures needed to combat stipulations in the Families First Coronavirus the virus,” the Labor Department said. Response Act, the bill guarantees free Guidelines for employers and employees coronavirus testing, enhances unemployment were still being formulated by the department insurance, expands food security initiatives and more than a week after the measure was passed. increases federal Medicaid funding. Spokesmen for the document destruction It was the second of three – so far – industry say their members are considered emergency measures passed by Congress in “essential services” both in the U.S. and response to the coronavirus pandemic. The overseas and can continue operating during the first bill, the Coronavirus Preparedness and coronavirus outbreak. Response Supplemental Appropriations Act, “Based on a thorough review of the was approved March 6. That $8.3 million guidance from the U.S. Department of appropriation went to federal agencies to help Homeland Security (DHS), New York State, improve preparedness and response efforts. California, as well as sources from the United

Security Shredding News Spring 2020

Security Shredding News

COVID-19 Essential Services Include Information Management, Data Destruction & ITAD

s governments around the world close non-essential businesses to stem the spread of the Coronavirus Disease 2019 (COVID-19), they are fully aware some services are essential to ensure the communities they serve remain protected. Based on a thorough review of the guidance from the U.S. Department of Homeland Security (DHS) (https://www.cisa.gov/ publication/guidance-essential-critical-infrastructure-workforce), New York State (https://www.governor.ny.gov/news/governorcuomo-issues-guidance-essential-services-under-new-york-statepause-executive-order), California (https://covid19.ca.gov/img/ EssentialCriticalInfrastructureWorkers.pdf), as well as sources from the United Kingdom, Italy, and South Korea, it is clear that information management, IT asset disposal and secure data destruction are included in “essential services”. For instance, the following list of essential services from New York State clearly applies in some way to secure information disposition, electronic equipment disposal, and information management. •

Trash and recycling collection, processing and disposal

•

Storage for essential businesses

•

Services related to financial markets

•

Security

•

Logistics

Providing Services for Other Essential Services

eturning to the guidance offered by New York State, two general categories that clearly include information management are listed: IT asset disposal and secure data destruction.

•

Essential Services Necessary to Maintain the Safety, Sanitation, and Essential Operations of Residences or Other Essential Businesses

•

Vendors that Provide Essential Services or Products, Including Logistics and Technology Support, Child Care, and Services

Both of the above categories classify critical ancillary services as essential, precisely because they are required by other essential businesses such as healthcare, finance, communications, information technology, and security.

Security is Never Non-Essential

overnments across the globe are aware and worried that organizations will lose sight of their broader legal and ethical obligations under the stresses of the outbreak. Compliance with privacy laws, data protection regulations, and records retention obligations would be put at risk if such services were unavailable. In the end, that is why those services are so clearly essential, and it is why i-SIGMA chooses to continue service at this critical time.

About i-SIGMA:

-SIGMA, The International Secure Information Governance and Management Association™ is the trade association for secure information lifecycle management. NAID® has always been the watchdog association for secure shredding operators worldwide and together with PRISM International™ the joint association now represents all four pillars of records and information management: physical records and information storage, data protection and media vaulting, digitizing and scanning, and confidential records and information destruction services. i-SIGMA™ is the umbrella association for these two divisions that stand united, heralding the proper information lifecycle management needed in today’s regulatory climate. www. isigmaonline.org.

ADVERTISER NEWS Vecoplan Hires, Promotes Key Staff

RCHDALE, NC — Vecoplan LLC, to support company growth, has hired a new marketing department head and has named a new director over its parts and service operation. Also in its employee news, the company has named its employee of the year. Kirsti Nelson has been hired as Director of Marketing & Communications to lead the department into new and increased market concentration. She brings to Vecoplan over 15 years’ experience in industrial manufacturing industries including paper, furniture, recycling and waste. She has served in both marketing and sales roles for American businesses and German-owned companies with US operations. Additionally, Vecoplan’s after-market department has new leadership with the promotion of Mike Wilhoit to Parts & Service Director. Wilhoit has worked for the company for 17 years. Also, within the parts and service department, Phillip Thompson has been named Vecoplan’s 2020 Employee of the Year. Thompson has been with Vecoplan over 12 years. North Carolina-based Vecoplan, LLC, is a subsidiary of Vecoplan AG located in Germany. The company is a manufacturer of industrial and mobile shredders for size reduction of virtually any material, selling into plastics, wood, biomass, paper, recycling, and waste, and waste-to-energy markets.

4 Security Shredding News Spring 2020

Allegheny Shredders Announces New Sales Team

s many of you may have already heard, Evelyn Jefferson (aka Shredder Mom) has retired from her position of VP sales at Allegheny Shredders after 30 wonderful years. Evelyn has been a pillar in the document destruction industry and will be missed by Allegheny and the shredding industry as a whole. We wish Evelyn the best with her retirement and she will be sorely missed. Allegheny is planning to move forward with the same commitment to excellence in customer service and equipment quality even in Evelyn’s absence. The sales department will be taking on a team approach, with Joe Barush and Sarah Lewey being the main sales representatives. Joe and Sarah worked under Evelyn for a number of years and are excited to try to fill the role of Shredder Mom. Please feel free to contact either Joe (josephb@alleghenyshredders.com) or Sarah (sarahl@alleghenyshredders.com) if you have any questions about Allegheny moving forward!

Â®

www.keithwalkingfloor.com

Security Shredding News Spring 2020

Security Shredding News

HHS Urged to Update HIPAA to Protect Patient Medical Records

ccording to a Heartland Institute opinion article, the data sharing deal between Google and Ascension Health raises significant patient privacy concerns. The HIPAA privacy rule, which became law in 1996, allows patients to “opt-out” of information sharing; however, a spokesperson for the Citizens’ Council for Health Freedom (CCHF) calls the documents patients are expected to sign at visits, as “single-signature coercive consent forms.” After a patient data sharing deal came to light between Google and Ascension Health, CCHF issued a statement saying that the federal government needs to update the Health Insurance Portability and Accountability Act (HIPAA) to allow patients to opt in—not opt out—in such arrangements 20 and to outlaw coercive consent forms. CCHF said it believes the Ascension-Google arrangement is legal because both companies curityrefer Shredding & Storage to the 400-word long News list of “health care operations” under HIPAA, including 65 non-clinical ombo business, like Google. A health care operation is a “covered entity” authorized to disclose or receive health individual consent. alf Island - 5information 7/16”(w) without x 7 1/8”(h) The data sharing deal between Google and Ascension Health involves the names and private medical records of approximately 50 million people from 21 states.

PLANT-BASED AND MOBILE SHREDDING SYSTEMS

Downturn From Coronavirus Hits UK Paper Recycling Sector Hard

ORTHAMPTON, UK — Interruptions in container shipping, port closures and other impacts of the COVID-19 pandemic are expected to result in higher costs and lower prices in the paper recycling industry, reports RecyclingInternational.com. UK’s Recycling Association, which represents more than 80 UK recycling organizations, has been observing impacts of COVID-19 on ports around the world. In a statement, the industry group observed, “Container availability has become tough and the generation of paper is lower due to fewer people shopping and more people working from home. Plus, it is causing uncertainty for the industry of what the outlook will be like over the coming months.” With shipping lines increasing container prices, there is a danger this this will be a knockout blow leading to lower prices in a market suffering from painfully low prices. Even before the spread of COVID-19, the market for mixed paper and other grades of paper was soft. The raised standards and increased inspections by Chinese customers, for example, has led to rejection of some shipments of mixed paper. That country’s gradual reduction in its quota for cardboard and office paper has largely taken away the UK’s most significant buyer, as well. Other markets such as Indonesia, India, Vietnam and Malaysia are taking up some of the slack. The situation is causing some recyclers to make plans for storing unsold or unshipped paper outdoors.

Advertise Here Reach Over 3,000 Businesses Involved In... cDL • NON-cDL • PIERcE-&-TEAR • SINGLE-SHAFT (336) 285-0021 • 5708 UwHARRIE ROAD, ARcHDALE, Nc 27263 www.vEcOPLANLLc.cOM 6 Security Shredding News Spring 2020

• Document & Product Destruction • Records & Media Storage • Waste Paper Recycling For more information, contact Rick at 440-257-6453 or email rickdowning@oh.rr.com.

Security Shredding News

Small Business Guidance & Loan Resources for Businesses Affected by COVID-19

ere is a general listing of Small Business Administration (SBA) assistance programs to help business owners through the COVID-19 pandemic. For detailed information, call your local SBA District Office or SBA Development Center. Or, access the website and make your applications online at: https://www.sba.gov/page/coronavirus-covid-19small-business-guidance-loan-resources Th e Pa yc h e c k P ro t e c t i o n P rog ra m prioritizes millions of Americans employed by small businesses by authorizing up to $349 billion toward job retention and certain other expenses. Small businesses and eligible nonprofit organizations, Veterans organizations, and Tribal businesses described in the Small Business Act, as well as individuals who are self-employed or are independent contractors, are eligible if they also meet program size standards. Under this program, eligible recipients may qualify for a loan up to $10 million determined by 8 weeks of prior average payroll plus an additional 25% of that amount. The loan payments will be deferred for six months. If you maintain your workforce, SBA will forgive the portion of the loan proceeds that are used to cover the first 8 weeks of payroll and certain other expenses following loan origination. Economic Injury Disaster Loans and Loan Advance. In response to the Coronavirus (COVID-19) pandemic, small business owners in all U.S. states, Washington D.C., and territories are eligible to apply for an Economic Injury Disaster Loan advance of up to $10,000. The SBA’s Economic Injury Disaster

Loan program provides small businesses with working capital loans of up to $2 million that can provide vital economic support to small businesses to help overcome the temporary loss of revenue they are experiencing. The loan advance will provide economic relief to businesses that are currently experiencing a temporary loss of revenue. Funds will be made available within three days of a successful application, and this loan advance will not have to be repaid. SBA Debt Relief. The SBA Debt Relief program will provide a reprieve to small businesses as they overcome the challenges created by this health crisis. Under this program, the SBA will also pay the principal and interest of new 7(a) loans issued prior to September 27, 2020. Also, the SBA will pay the principal and interest of current 7(a) loans for a period of six months. Express Bridge Loan Pilot Program allows small businesses who currently have a business relationship with an SBA Express Lender to access up to $25,000 with less paperwork. These loans can provide vital economic support to small businesses to help overcome the temporary loss of revenue they are experiencing and can be a term loans or used to bridge the gap while applying for a direct SBA Economic Injury Disaster loan. If a small business has an urgent need for cash while waiting for decision and disbursement on Economic Injury Disaster Loan, they may qualify for an SBA Express Disaster Bridge Loan. Will be repaid in full or in part by proceeds from the EIDL loan.

Fed Relaxes HIPAA Privacy Rule Requirements During COVID-19 Crisis

ASHINGTON, D.C. — In response to the COVID-19 crisis in the U.S., the Department of Health and Human Services’ Office for Civil Rights (OCR) moved to allow business associates of covered entities to more easily share protected health information (PHI) to help prevent and control the spread of the novel coronavirus. According to its statement released on March 26, the agency is now exercising “enforcement discretion” for violations of certain provisions of the HIPAA Privacy Rule involving “good faith” uses and disclosures of protected health information by business associates for public health-related activities during the crisis. The change is intended to expedite sharing of critical information needed by federal public health authorities and health oversight agencies, including the Centers for Disease Control and Prevention and Centers for Medicare and Medicaid Services, as well as state and local health departments and state emergency operations centers. Under the “Notification of Enforcement Discretion,” business associates remain liable for complying with HIPAA requirements to implement safeguards to maintain the confidentiality, integrity and availability of electronic PHI, including by ensuring secure transmission of ePHI to the public health authority or health oversight agency. In an interview with GovernmentInfoSecurity.com, a privacy attorney for the security consultancy CynergisTek cautions that, while business associates may supply government agencies - and their contractors - PHI from HIPAA covered entities without first notifying those entities, the covered entity may only learn of the disclosure if the business associate provides a notice later. Covered entities should make sure they receive notification and full accounting of disclosures by business associates. The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.

www.creweb.com/secure

Security Shredding News Spring 2020

Security Shredding News

Hawaii’s E-waste Recycling Center Closed

ILO, HI — Closure of the Big Island’s e-waste recycling center due to a budget shortfall means residents and businesses will not be able to recycle TVs, computers and other electronic devices, HawaiiTribuneHerald.com. The state of Hawaii gives each county $160,000 annually to recycle computers, printers, monitors, telephones and other electronics. On the Big Island, even with additional local funding sources, wages, equipment, fuel and other operating costs have strained the budget. Government officials closed the island’s recycling center as of March 25 and have been holding hearings to discuss alternate sources of funds. While e-waste recycling is on hold, curbside recycling is reduced. Meanwhile, a proposal to raise the state grant to $210,000 is on the table. Under the Hawaii Electronic Waste and Television Recycling and Recovery Law, which became effective January 2010, manufacturers of covered electronic devices (CEDs) and televisions (TVs) whose products sell in Hawaii must register with the state Department of Health (DOH), pay an annual registration fee of $5,000 and operate recycling programs. Covered electronics include computers, printers, monitors, and televisions. Apple, HP, Inc, Dell Marketing LP and Samsung Electronics of America, Inc. recycled more than 824,000 pounds of e-waste in 2018, according to the DOH roster of manufacturers.

Solo Practitioner Penalized for Business Associate Breach www.bomaccarts.com

sales@bomaccarts.com

www.paperstockreport.com ken@paperstockreport.com

8 Security Shredding News Spring 2020

ashington, D.C. — The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, according to an OCR news release. OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR found that the practice permitted the business associate to create, receive, maintain, or transmit ePHI on the practice’s behalf at least since 2013, without obtaining satisfactory assurances that it would appropriately safeguard the ePHI. Although the Ogden, Utah-based physician followed breach reporting rules, OCR’s investigation grew in scope when it was determined that Dr. Porter had never conducted a risk analysis at the time of the breach report. The OCR, despite significant technical assistance throughout the investigation, found the doctor’s office had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Dr. Porter claimed in his breach report that the business associate was impermissibly using the practice’s patients’ electronic protected health information (ePHI) by blocking his practice’s access to such ePHI until he paid $50,000. According to a JD Supra article, “the Resolution Agreement highlights a tension between the HIPAA regulatory framework and practical operations for covered entities.” The article offers three ways a covered entity can mitigate risk: •

Keep its own HIPAA house in order with risk management, training and IT security measures.

•

Carefully vet business associates prior to engaging them.

•

Pay close attention to negotiation of indemnification provisions in their business associate agreements (BAAs).

In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring.

Security Shredding News

Court Decision Limits Patient Access and Control of Their Medical Records

ASHINGTON, D.C. — In January, D.C. District Court Judge Amit P. Mehta handed down a decision which, in effect, makes it harder for patients to obtain digital files of their own protected health information. The decision limits the HIPAA Privacy Rule for covered entities to provide access to records by only allowing individuals the right to direct PHI in an electronic format to third parties. Additionally, the ruling allows HIPAA covered entities and business associates freedom to set the fees they charge to transmit PHI to third parties. According to a NationalLawReview.com summation by Polsinelli PC attorneys, Iliana L. Peters and Lidia Niecko-Najjum, the Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. In the case, Ciox Health, LLC v. Azar, the plaintiff challenged OCR’s 2013 HIPAA Omnibus Final Rule. The D.C. court also deemed that OCR’s broadening of the fee limitation language did not follow the requisite notice and comment procedure. Specifically, in his decision the judge wrote that “HHS’ 2013 rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress.” Previously, the HITECH Act placed a cap on cost-based fees (not including search and retrieval costs) for copies of PHI, electronic or otherwise, which extended to transmitting PHI from covered entities (and business associates) to third parties. Now, individuals may only direct the transmission of PHI in an electronic format. In addition, the fee amounts are left up to the covered entities and business associates. All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals.

Gonzo

Bulk Container

Patented Design for a low-impact footprint. Upper Lifting Holes for easy un-nesting. Securely Stacked when used with lids. Also available in a larger size - Gonzo XXL.

& The Truckster

Rolling Cart

Heavy Duty, 'Nested' Design. Shown with Optional Lid.

Simply the BEST Containers and Carts! See our video on-line at

www.RubiconCarts.com RubiconCarts.com |

262-993-4494

Bulk Handling Systems Unit Will Build Pulp Plant in Chesapeake

HESAPEAKE, VA — Total Fiber Recovery, LLC (TFR) will be building a $49 million pulp production facility in Chesapeake. According to the announcement by Virginia’s Governor Northam and Virginia Economic Development Partnership, the plant will make pulp from recovered fiber to be shipped and utilized domestically and internationally to paper plants where it will be created into new products. The project is a culmination of efforts by TFR, a unit of recycler Bulk Handling Systems, Virginia Economic Development Partnership, the City of Chesapeake’s Economic Development Department and the Port of Virginia. Governor Northam approved a $200,000 grant from the Commonwealth’s Opportunity Fund to assist the City of Chesapeake with the project. TFR is eligible to receive benefits from the Port of Virginia Economic and Infrastructure Development Zone Grant Program, as well as funding and services to support the company’s employee training activities. Training will be provided through the Virginia Jobs Investment Program. The plant will employ 68. Plant operations are slated to begin in 2021. TFR says it will annually process 300,000 tons of mixed paper and other recycled fiber from the region’s materials recovery facilities (MRFs). The plant will be a regional processor of recycled fiber, providing a local destination for collected paper waste. TFR will sell the pulp product to domestic and international paper plants. TFR is registered in California and Oregon as a unit of Emerging Acquisitions LLC, which is doing business as Bulk Handling Systems, Inc. Emerging Acquisitions LLC has an office in Amsterdam, the Netherlands, as well.

WORKING FOR YOU LOCALLY AND NATIONALLY

Advocacy • Internationally • Nationally • State level

Be an advocate: join the PSI today. www.PaperStockIndustries.org PaperStockIndustries.org | Email: PSI@isri.org

Security Shredding News Spring 2020

Security Shredding News

Private Right to Action Option – Why You Should Know About It

riting in the American Bankers Association’s Banking Journal, Aaron Kirkpatrick, chief information security officer at Venminder, cautions that most financial institutions aren’t ready for the consumer privacy laws and regulations many state legislators are proposing and enacting. Much of the proposed legislation is modeled after the California Consumers Protection Act, or CCPA, which became effective on Jan. 1, 2020. The CCPA was conceived and created to ensure Californians’ personal data is protected. So far, Connecticut, Hawaii, Massachusetts, Mississippi, New Jersey, New Mexico, Rhode Island, Texas are considering legislation similar to CCPA, and other states have been presented with similar models. The CCPA’s private right of action allows consumers to sue companies for monetary compensation should their data be negligently handled. Nevada is one state that has chosen to only include under the law’s umbrella organizations that sell personal data. From a business risk management point of view, Kirkpatrick points out that very few privacy and security professionals are aware of this new development on the legal horizon within their own states. “. . It is important to understand that we as professionals in the privacy and security industry aren’t hearing about what the legislative branches of many states are working on. We’re all focused on CCPA and understanding

its Gramm-Leach-Bliley Act exemptions, or just keeping up with existing regulations and standards, yet privacy laws and regulations are in the works in many more states,” Kirkpatrick writes. He takes particular issue with troublesome terms contained in the CCPA, specifically, “reasonable security” and “abusive.” “Without a definition, expectations become blurry,” Kirkpatrick notes. “It’ll likely come down not to whether an organization had “reasonable security” but whether that organization’s security was not reasonable, based on the current industry trends and the risks posed to that information by the organization.” Kirkpatrick urges financial and other potentially affected organizations to monitor for legislation modeled after CCPA and to review their internal control environments that protect personally identifiable information of any type. “Don’t just think social security numbers. Dig deeper and think about IP addresses, names, biometric, location and so many other types of data that may possibly be tied to an individual,” he warns. “The definition of PII is no longer the same with these new and proposed privacy and data security laws. Ask yourself if you’ve implemented a control environment that your security and privacy professionals feel covers the industry’s expectations based on types of data held and potential threats.”

Product/Equipment Profiles Packaging Material Shredder Turns Corrugated Waste Into Versatile Netted Packing Material

Compact, Multimedia Shredder Destroys SSDs, Optical Media and More

ntimus PacMaster S Packaging Material Shredders turn corrugated cardboard waste, up to 4 ply thick, into versatile high-quality packaging material in seconds. The shredder’s unique cutting head configuration creates a series of perforations in the cardboard creating a flexible, expandable material that can be used to line boxes or wrap breakable items such as glass, ceramics, electronic assemblies, or other goods that require protection against shock, impact, or damage during shipping. With each pass the PacMaster creates packaging material up to 16.75” wide by any length. However, since the feed slot is open on 3 sides the PacMaster can accommodate much wider sheets. The excess width is automatically trimmed off and can then be refed. A measurement guide on the work surface allows users to create packaging material to any width under 16.75”. The environmentally-friendly PacMaster S not only reduces waste in landfills, it facilitates the intelligent reuse of corrugated cardboard — before it is recycled.

he FlashEx from Intimus is a rugged, durable shredder designed to quickly, easily and safely destroy a wide variety of electronic media. Because of FlashEx’s compact size, quiet operation and 120V power requirement it can be used anywhere, including office environments. Even small companies can take control of electronic media destruction avoiding the hassles and potential liabilities that come with storing obsolete data bearing devices and later releasing them to a 3rd party destruction service. Items that can be easily destroyed by FlashEx include Solid State Hard Drives (SSDs), Cell Phones, Smart Phones, Mini Tablets, USB Sticks as well as Optical Media (CDs/DVDs), Floppy Disks, Credit Cards and ID Badges. Despite the FlashEx’s compact size of only 23” x 24” x 39” it boasts an impressive throughput capacity of up to 100 mobile phones or 500 USB Sticks per hour. FlashEx waste particles meet the following DIN Levels: O-3 / T-4 / E-3. FlashEx waste particles fall from the destruction chamber into a plastic collection bin in the base cabinet. The unit is mounted on casters for easy relocation from one area to another.

For more information contact Peter Dempsey at 800-775-2122 or visit www.intimus.com.

10 Security Shredding News Spring 2020

Est. 1991

YOU BUY IT, WEâ&#x20AC;&#x2122;LL HELP YOU FINANCE IT

WE PROVIDE A CONVENIENT AND COST-EFFECTIVE SOLUTION! Lease or Loan Financing Simple Application Process Low Initial Investment

Financing new or pre-owned equipment Serving the US & Canada Competitive Rate Structure

FINANCING THE WORLD OF TRANSPORTATION TERRY LEE

DOUG FERRANTE

Eastern States 303-301-7651 tlee@transleaseinc.com

Western States 509-389-1267 doug.ferrante@transleaseinc.com

www.transleaseinc.com WWW.TRANSLEASEINC.COM Security Shredding News Spring 2020 11

PRSRT STD U.S. Postage

PAID

Cleveland, OH Permit #1737

6075 Hopkins Rd • Mentor, OH 44060 • Ph: 440-257-6453 • Fx: 440-257-6459 • Email: downassoc2@oh.rr.com

Inside This Issue

VOL. 17 NO. 1

Spring 2020

Shred Biz Employers, Employees Study New Coronavirus Response Act PAGE 1 COVID-19 Essential Services Include Information Management, Data Destruction & ITAD PAGE 4 HHS Urged to Update HIPAA to Protect Patient Medical Records PAGE 6 Court Decision Limits Patient Access and Control of Their Medical Records PAGE 9 Private Right to Action Option – Why You Should Know About It PAGE 10

We’re in Your Corner There’s more to NAID than its widelyrecognized data destruction operational certification. Revenue from annual dues, its successful conference, and global certification program are used to:

We are Member-Owned & Member-Accountable. Association Dollars are Controlled and Spent to Benefit Members & the Industry.

• Engage in Regulatory Advocacy for Laws that Promote and Protect Secure Data Destruction Services

• Conduct Research to Help Members and

Join NAID today! Let us fight for you too!

• Educate Organizations on the

www.naidonline.org

Customers Make Better Decisions

Importance of Using a Service Provider