Security Shredding & Storage News Jan/Feb2013

Volume 10, Issue 1 January / February 2013

PRSRT STDU.S. Postage

PAIDMentor, OH

PeRMIT No. 2

&Security Shredding Storage News

Serving the Security Shredding & Paper Recovery Markets

PRSRT STDU.S. Postage

PAIDMentor, OH

PeRMIT No. 2

Continued on page 3

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities

Millions Collected for HIPAA Violations

E-Waste Systems Signs $800,000 Investment and Master License Agreement for China

PwC Survey Finds Executives Serious About Security

InsIde ThIs Issue

14

4

12

ATTENTION: READERS !

Are you looking for Products, Equipment or Services for your business? If so, please check out these

leading companies advertised in this issue:

10

ColleCtion & Storage ContainerSBig Dog Shred Bins – 8

Jake, Connor & Crew – pg 12

equipment FinanCingTrans Lease, Inc. – pg 6

loCk & loCking SyStemSLock America Intl. – pg 10

mobile truCk ShredderSAlpine Shredders Ltd – pg 9Shred-Tech Limited – pg 7

ShredFast – pg 16Vecoplan LLC – pg 6

moving Floor SyStemKeith Manufacturing – pg 7

replaCement partSShredSupply – pg 16

Stationary ShredderS & grinderSAllegheny Shredders – pg 12

Cumberland Recycling – pg 13Schutte-Buffalo Hammer Mill, LLC – pg 15

UNTHA America – pg 5

WaSte Commodity purChaSerSCommodity Resource & Environmental – pg 8

Dan-Mar Components – pg 4

Web deSignChachka Group – pg 10

NetGain SEO – pg 8

Visit us online at www.securityshreddingnews.com

By P.J. Heller

ocument destruction companies hoping to acquire new shred trucks — whether they are just starting up or to expand their business —

may find it a bumpy road when it comes to obtaining traditional bank financing, regardless of the nation’s economic health.

Terry Lee, a veteran in the truck leasing industry and truck building industries, says leasing could be the answer.

“I’ve been in the industry for 30 years and have seen a lot of changes,” says Lee, the business development manager for Denver-based Trans Lease. “But the one common element is that people need to finance equipment — trucks and trailers — and leasing has been a popular means of doing that throughout my entire career.”

Shelby Sparlin, general manager at Desert Document Shredders & Records Storage in Yuma, Ariz., agrees that leasing makes financial sense.

“When we first started DDS, we did consider financing the truck through a bank . . . ” he says. “The bank wanted too much money up-front and the payments were ridiculously high.”

Rather than deal with a bank, Desert Document Shredders leased a truck when it first started up in 2007 through Trans Lease. As the business has grown and expanded — it serves a four-county area and shreds about 60,000 pounds of paper each month — it has upgraded the truck twice since, leasing through Trans Lease each time.

Trans Lease serves the transportation industry, providing financing and leasing of trucks, trailers and specialty vehicles, such as shred trucks, to customers throughout the United States and Canada.

Started in the early 1990s, Trans Lease initially focused on supporting its own truck dealerships, including Freightliner, GMC and Western Star. It subsequently diversified into the specialty truck area, establishing ties to manufacturers of those vehicles to assist their customers with leasing or financing.

Trans Lease works with all the manufacturers

of shred trucks to assist document destruction company customers with leasing and financing.

“The benefit to them [manufacturers] is we come in and understand their business,” Lee explains. “We get a good understanding of their business, of the industry, the business model, the product, the truck itself, and then can get comfortable as a lender with writing a lease or a loan to either a new venture or an existing established business,” he says.

“We can come in and partner with them and offer financing to their customers, which they typically may not be able to get through a traditional lender such as a bank,” he adds.

The difficulty of obtaining financing from a bank was especially true during the recession.

“During the economic turndown, banks were more hesitant to make loans and extend credit, even to customers who were well established and had strong banking relationships,” Lee notes. “That was never the case with us. We continued to offer leases and financing to customers. That’s all we do.”

The result was that Trans Lease became a go-to source for businesses that needed to add or replace trucks.

Benefits of Leasing Shred Trucks

D

http://www.securityshreddingnews.com

Security Shredding & Storage News. January / February 20132

www.securityshreddingnews.com



Security Shredding & Storage News

3

Continued from page 1

PUBLICATION STAFFpublisher / editor

Rick Downing

Contributing editors / WritersLisa W. ClarkErin M. Duffy

P. J. HellerSandy Woodthorpe

production / layoutBarb Fontanelle

Christine Pavelka

advertising SalesRick Downing

Subscription / CirculationDonna Downing

editorial, Circulation & advertising office6075 Hopkins RoadMentor, OH 44060Ph: 440-257-6453Fax: 440-257-6459

Email: [email protected]

For subscription information, please call 440-257-6453

Security Shredding & Storage News (ISSN #1549-8654) is published bimonthly by Downing & Associates. Reproductions or transmission of Security Shredding & Storage News, in whole or in part, without written permission of the publisher is prohibited.

Annual subscription rate U.S. is $19.95. Outside of the U.S. add $10.00 ($29.95). Contact our main office, or mail-in the subscription form with payment.

©Copyright 2013 by Downing & Associates.

Printed on 10% Post-Consumer Recycled Paper

“Without question, we saw an upturn on leasing shred trucks to the document destruction industry,” he says. “It’s an alternative to traditional bank financing and it’s easier for the companies to acquire a lease than through a traditional loan through a bank.”

Trans Lease today has grown to be among the top 80 of all independent finance companies in the U.S. and ranks ninth of independent companies in the transportation finance area, according to Monitor magazine. Trans Lease has a fleet of more than 5,000 units.

Lee cites numerous advantages of truck leasing for businesses, including those providing document destruction services. Those advantages include lower entry cost, less initial investment and reduced monthly payments.

“You put all those together and it makes an attractive package for a business owner who needs to replace equipment or add equipment,” he says.

His comments are echoed by Sparlin and others in the leasing industry, both in the U.S. and overseas.

“What prompted us to lease a shred truck was lower payments as compared to doing a traditional loan with a bank,” Sparlin says. “I would agree with what Terry said as there is a lower entry cost, lower initial investment and lower monthly payments.”

The Finance & Leasing Association, a leading UK trade association, provides a similar list of benefits for leasing. Among the benefits it cites:

* To buy a new piece of machinery or equipment can be costly and requires substantial capital. Leasing enables businesses to preserve precious cash reserves.

* The smaller, regular payments required by a lease agreement enable businesses with limited capital to manage their cash flow more effectively and adapt quickly to changing economic conditions.

* Leasing also allows businesses to upgrade assets more frequently ensuring they have the latest equipment without having to make further capital outlays.

* It offers the flexibility of the repayment period being matched to the useful life of the equipment.

Lee agrees that leasing also allows customers to free up funds for other things. Sparlin concurs.

“Leasing has freed up a lot of funds for other needs,” Sparlin notes.

“Leasing doesn’t encumber customers’ existing bank lines . . . so they keep their credit lines freed up for other purchases they might need for their business or to assist them in the growth of their business,” Lee explains. “So there’s a benefit there as well.”

“Leasing complements existing bank lines by keeping them open for short-term needs,” Trans Lease notes on its website. “Often leasing provides lower and more flexible terms than borrowing. Leasing is not meant to replace bank lines of credit, but to add a new dimension to financial planning.

“A lease-versus-purchase cash flow analysis usually shows a lease to have lower cash outlays during the early periods of an asset’s useful life and higher outlays in the later years, while a purchase reflects the reverse,” it explains. “With the capital freed up during those years, leasing can also represent the most economical means of acquiring the use of the asset. Conserve your cash for other needs. There is no need to pay cash to acquire equipment you need and want.”

Trans Lease works with customers to assess their specific needs, then tailors a lease to meet those needs. That was a big reason why Document Destruction Shredders opted to lease through the company.

“We leased with Trans Lease because they were willing to work with us,” Sparlin explains. “They understood our situation with being a start-up business. After explaining our situation, they were able to tailor the lease to our needs which, in turn, made it very affordable to get our business up and going.

“Trans Lease did understand the needs of the document destruction industry, which is why we have stayed with them,” he adds.

A lease can run as long as 72 months, with the most popular term for shredding companies being five years.

The most popular lease offered is the TRAC (terminal residual adjustment clause) lease, which provides a residual value, typically 20 percent to 30 percent, at the end of the lease. At the end of the lease, the lessee has several options, including simply turning in the truck or buying it at the predetermined residual value, which Lee says is typically below market value.

A lessee also has the option to trade in the truck to a willing truck manufacturer or to sell it outright; if the price received is more than the residual, the lessee pockets the amount above that residual. If the truck is sold for less than the residual, the lessee has to make up the difference at the payoff to Trans Lease.

“A truck is going to be worth more than 20 percent or 30 percent if it was properly maintained,” Lee notes. “With the TRAC lease, customers know going in exactly what they can buy it for. They typically have equity at the end of the lease, so most customers are going to buy the truck because there’s value there for them.”

Leased shred trucks are covered by the chassis manufacturer’s factory warranty as well as the warranty from the shred truck manufacturer. All maintenance, tires and repairs, except those covered by any factory warranties, are the responsibility of the lessee.

Some companies may prefer a shorter lease to ensure their vehicles remain under warranty while they operate them. Leasing shred trucks also allows companies to keep up with any changes in technology.

Lease payments can be deducted as a business expense on tax returns.

While Trans Lease also offers loans, the vast majority of its business, roughly 80 percent, involves leasing, according to Lee.

That’s hardly surprising as businesses look for ways to operate more cost-effectively. U.S. Bank in Cincinnati, for example, reports that leasing of big-ticket items, including trucks, manufacturing machinery and medical equipment, has tripled over the past year.

“There’s nothing mysterious about leasing,” Trans Lease notes. “Leasing is merely using property for an agreed-to period of time for an agreed-to schedule of payments.”

Document Destruction Shredders plans to continue expanding it business, adding at least one more shred truck. When that time comes, Sparlin says, “yes, we do plan on leasing them . . .”For more information about Trans Lease, visit its website at http://www.transleaseinc.com.

Benefits of Leasing Shred Trucks

Cover photo courtesy of Trans Lease, Inc.

mailto:[email protected]


http://www.transleaseinc.com



4

Help Your Customers Find a Home for Their Outdated Electronics

Attention: Document Destruction contrActors!

Do what many ‘leading recyclers’ have done ... Partner with Dan-Mar and turn your scrap into cash! Precious metal value is going up and so is the demand for electronic scrap. As a global leader in asset recovery, Dan-Mar is ready to present you with fresh thinking on how you can maximize your profits. Call Dan-Mar today!

ph: 631-242-8877 • fax: 631-242-8995150 West Industry Court, Deer Park, NY 11729

e-mail: [email protected] • www.dan-mar.com

Dan-Mar Buys: • Precious Metal • Military Electronics • Semiconductors • Components • Scrap PC Boards • Telecommunications • Integrated Circuits • Networking & Test Equipment • E-ScrapThe Name to Trust in Surplus™

Info Request #114

I n light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual

arrangements in an effort to avoid potential liability under the Breach Notification Rule.

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009. The 2013 amendments, which are effective on March 26, 2013, supplement and modify the HIPAA Privacy, Security, Breach Reporting and Enforcement Rules. The regulations modify the interim final rule (the “Breach Notification Rule”) published in August 2009 that required notice to patients and others of a “breach,” or disclosure of unsecured protected health information (PHI), by covered entities and business associates (collectively referred to as “HIPAA-covered entities”). One of the most significant changes to the Breach Notification Rule modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.

Things Every Covered Entity and Business Associate Should Be Aware of About the Breach Notification Rule

Unless an exception applies, an impermissible use or disclosure of PHI ➤➤ is presumed to be a “breach,” unless the HIPAA-covered entity can demonstrate that there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment.The new risk assessment factors are significant in that they provide a ➤➤specified structure for the risk assessment that if not adequately performed and documented could provide a basis for imposition of costly penalties.The Breach Notification Rule extends to business associates and their ➤➤downstream subcontractors.

Overview

In general, the Breach Notification Rule requires a covered entity to notify an individual when unsecured PHI has been improperly disclosed. The entity must also notify HHS regarding confirmed breaches, either through an annual report

or sooner, depending on the number of individuals affected. In some instances, media must also be notified. Integral components of the Breach Notification Rule are definitions of “unsecured PHI” and “breach.” In particular, HHS clarified that the impermissible use of disclosure of PHI is presumed to be a “breach,” unless the HIPAA-covered entity demonstrates there is a low probability that the PHI has been compromised.

Significant Definitions and Analysis“Unsecured PHI”

“Unsecured PHI” is “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the

Secretary in guidance.” HIPAA-covered entities that implement the specified technologies and methodologies with respect to PHI are not required to provide notifications in the event of a breach of such information—that is, the information is not considered “unsecured” in such cases.

It is important to note that the data-protection standards recognized under the HIPAA Breach Notification Rule (encryption and destruction) are different from the data-protection standards articulated under the HIPAA Security Rule and the HIPAA Privacy Rule. The Security Rule requires covered entities to protect electronic PHI by satisfying a number of general standards. The Privacy Rule requires that covered entities apply reasonable safeguards to all PHI. Thus, even PHI that was protected in accordance with the Privacy and Security Rules, such as by use of firewalls, but was breached under the terms of the new Breach Notification Rule, would have to be reported. In addition, the HIPAA Security Rule requires “security incident reporting.” A “security incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Therefore, even though a “breach” as defined by the Breach Notification Rule has not occurred, security incident reporting may still be required under the HIPAA Security Rule or by contract.

“Breach”

The most significant change to the Breach Notification Rule is the definition of the term “breach.” HHS defines “breach” as the “acquisition, access, use, or disclosure” of PHI in violation of the Privacy Rule that “compromises

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities

By Erin M. Duffy anD Lisa W. CLark

Continued on page 6


http://www.dan-mar.com

Security Shredding & Storage News. January / February 2013 5Info Request #130

UNTHA shredding technology America Inc.5 Merrill Industrial Drive, Hampton, NH 03842

Phone 603 601 2304, Fax 603 601 2423 [email protected], www.untha-america.com

The RS SeRieS: ReVOLUTiONARY ShReDDiNG TeChNOLOGY –

UNCOMPROMiSeD UNThA ReLiABiLiTY

The reliable brand!

• High Capacity

• Tough & Economical

• Continuous Feeding

• Low Noise and Dust

• Simple to Operate

• Low Maintenance





The reliable brand!

• High Capacity





• Low Maintenance





The reliable brand!

• High Capacity





• Low Maintenance


http://www.untha-america.com


http://www.untha-america.com



6Info Request #116

www.vecoplanllc.com

Global SecuritySports

Phone: (336) 252-4421vecoplanllc.com

The“Mighty-Mite”

Download The Free App To View More

Phone: (336) 252-4421

vecoplanllc.com

The“Mighty-Mite”

March Madness Is Here - and

I’d have to be crazy not to

look into this further!

Download The Free App To View More

• VariableandControllable, ScreenedParticleSize• ElectricDrive- UsesLessFuel, ToShredMore, InLessTime.

• LargeInfeedHopper

• Jam-ProofDesign

The heart of the system,the NEW VNZ-80 shredder

UNDEFEATED ON THE ROADVecoplancontinuestoleadthesecuredestructionindustry

NORTHCAROLINA-Vecoplan,thegloballeaderinmobiledocumentdestructionsystems,hasonceagainsetthestandardforquality,versatilityandreliabilitywiththeintroductionoftheVST-32“Shorty”mobiledocumentdestructionsystem.

• 26,000GVW,Non-CDL MobileShreddingSystem• Curb-SideToterLift

• “SureTrac”™GlidingFloor DischargeSystem

• Compact,Powerful,PTODriven 180kVAGeneratorPowers theElectricShreddingSystem

Vecoplan Introducesthe VST-32 “Shorty”Non-CDL mobile shredder

Terry LeeDirect: 303-301-7651 . Cell: 937-620-9400

[email protected] . www.transleaseinc.com

Financing The World Of Transportation

•Low Initial Investment•Lease or Loan Financing•Financing new or pre owned

equipment

Shredder Truck Financing Made Easy• Simple Application Process• Serving the U.S. & Canada•Competitive Rate Structure

Info Request #160

the security or privacy” of the PHI. Under the interim rule, HHS defined the phrase “compromises the security or privacy of the PHI” to mean the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a “breach,” unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment. HHS also clarified that uses or disclosures that impermissibly involved more than the minimum necessary information may qualify as breaches. Therefore, such incidents should be evaluated as any other impermissible uses or disclosures to determine whether breach notification is not required.

“Risk of Harm” Analysis Replaced with “Low Probability”

HHS has shifted away from the subjective, non-uniform “risk of harm” analysis toward a system that focuses more objectively on the risk that the PHI has been compromised. The “low probability” risk assessment will

provide HIPAA-covered entities with less latitude in making internal determinations that exclude certain incidents from the definition of “breach” and from the associated notification requirements.

HIPAA-covered entities now have the burden of showing that a breach has not occurred. The risk assessment must be performed following all impermissible uses and disclosures that do not otherwise fall within the other enumerated exceptions to the definition of “breach.” If a risk assessment is not performed and none of the other exceptions apply, the incident is automatically presumed to be a breach.

The final rule requires the risk assessment to consider at least the following four factors:

The nature and extent of the PHI involved, including the types of 1. identifiers and likelihood of re-identification.

To assess this factor, entities should consider the type of PHI involved, such as whether the disclosure involved information of a sensitive nature (e.g., credit cards;

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered EntitiesContinued from page 4

Continued on next page

http://www.vecoplanllc.com


http://www.transleaseinc.com



7

www.shred-tech.com

www.shred-tech.com

Info Request #157

www.keithwalkingfloor.com

Info Request #117

Social Security numbers; information that increases the risk of identity fraud; and clinical information, such as diagnosis, treatment plans, medication, medical history and test results). Considering the type of information disclosed will allow the HIPAA-covered entity to assess the probability that the PHI could be used by an unauthorized user in a manner adverse to the individual. Additionally, if there are few, if any, direct identifiers in the PHI impermissibly disclosed or used, the HIPAA-covered entity may want to determine whether there is a likelihood that the PHI released could be re-identified based on the context and the ability to link the information with other available information.

The unauthorized person who used the PHI or to whom the disclosure 2. of PHI was made.

Entities should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, if PHI is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a federal agency obligated to comply comparable regulations, then there may be a lower probability that the PHI has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity. Furthermore, if the information impermissibly used or disclosed is not immediately identifiable, entities may want to determine whether the unauthorized person who received the PHI has the ability to re-identify the information.

Whether the PHI was actually viewed or acquired or, alternatively, if only 3. the opportunity existed for the information to be viewed or acquired.

For example, if a laptop computer was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred or otherwise compromised, the HIPAA-covered entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, if a HIPAA-covered entity mailed information to the wrong individual who opened the envelope and called the entity to say that she received the information in error, in this case, the unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error.

The extent to which the risk to the PHI has been mitigated. 4. HIPAA-covered entities may want to attempt to mitigate the risks to the PHI

following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a written confidentiality agreement or similar means) or will be destroyed. They should consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.

The federal government clarifies that each factor above must be considered in a HIPAA-covered entity’s risk analysis, and other factors may also be considered where necessary. HIPAA-covered entities should then evaluate the overall probability that the PHI has been compromised by considering all the factors in combination. These risk assessments should be thorough and completed in good faith, and the conclusions reached have to be reasonable. If an evaluation of the factors discussed above fails to demonstrate there is a low probability that the PHI has been compromised, breach notification is required. With regards to breach notification, the HIPAA-covered entity bears the burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g., the risk assessment) to meet the burden of proof.

Exceptions to the Definition of “Breach”

T he final rule also eliminated the exception where the PHI used or disclosed constitutes limited data sets that do not contain any dates of birth and ZIP codes. The other exceptions remain.

Specifically, a “breach” does not include: Any “unintentional” acquisition, access or use of PHI by a workforce •➤

member or individual acting under the authority of the covered entity or business associate that is made in good faith, within the course or scope of employment or other professional relationship, and is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.

An “inadvertent” disclosure to another authorized person at the same •➤covered entity, business associate or organized healthcare arrangement, and the PHI is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.

A disclosure where the covered entity or business associate had a good-faith •➤belief that the unauthorized person to whom the information was disclosed would not reasonably be able to “retain” such information.

Continued on page 8

Continued from previous page

http://www.keithwalkingfloor.com

http://www.shred-tech.com

http://www.shred-tech.com



8

www.NetGainSEO.comwww.creweb.com/secure www.bigdogshredbins.com

Info Request #121

New Policies and Procedures Required

T he Breach Notification Rule requires HIPAA-covered entities to develop and document policies and procedures, train workforce

members on and have sanctions for failure to comply with these policies and procedures, permit individuals to file complaints regarding these policies and procedures or a failure to comply with them, and require HIPAA-covered entities to refrain from intimidating or retaliatory acts. Thus, a HIPAA-covered entity is required to consider and incorporate the new breach notification requirements with respect to its administrative compliance and other obligations.

Conclusion

E very data breach is unique, and any assessment determining the probability that PHI was compromised will be highly fact-dependent

and will incorporate a significant degree of subjectivity. However, the new low-probability standard is likely to be hard to meet and strongly indicates that HHS intends for the vast majority of breaches to be disclosed. Thus,

NAID Announces Seventeen More Professionals Join the Ranks of CSDS

Out of the 19 people who recently took the Certified Secure Destruction Specialist (CSDS) exam, 17 passed, with 11 scoring a 95% or better. The following individuals can now display “CSDS” as a professional title with their names:

Thomas G. Adams, CSDS • Therrysa M. Armstrong, CSDS•➤Claire G. Christison, CSDS • David Culbertson, CSDS•➤Shane DeFendi, CSDS • Daniel Robert Grabowski, CSDS•➤Nicholas Graham, CSDS • Jody MacDonald, CSDS•➤Kristen Marshall, CSDS • Rich Mueller, CSDS•➤Randy Murphy, CSDS • Shafiq Nasser, CSDS•➤Kevin Perry, CSDS • Steve Rando, CSDS•➤Christa Sime, CSDS • Eric Wartel, CSDS•➤David G. Woodsum, CSDS•➤

The CSDS exam consists of 300 questions about data protection legislation, physical security, risk management, operations and records management. It establishes an individual’s competency in seven subject areas. To prepare for the exam, NAID provides a CSDS handbook on the NAID website, a CSDS training webinar series and a sample exam after the webinar series ends.

“These industry professionals should be very proud,” said NAID CEO Bob Johnson. “Passing the exam establishes that individual has a working understanding of a wide range of industry issues that requires a lot of studying.”

These 17 individuals can be added to the 30 that passed the exam in 2012, bringing the total number of CSDS accredited professionals to 149. A complete list of those who currently hold the accreditation can be found at http://www.naidonline.org/forms/csds/416_CSDS-List.pdf.

with this heightened burden on risk-assessment analysis and notification, it is vital that all covered entities and business associates examine and update their current policies and procedures to ensure that they can detect and respond to potential data breaches in an appropriate and compliant manner.

Erin M. Duffy and Lisa W. Clark are associates in Duane Morris’ Health Law Practice Group in the firm’s Philadelphia office. Duane Morris attorneys provide the full range of services to entities that handle healthcare and other personal data, including healthcare providers, data analytic and management companies, software development and storage vendors, health information exchanges, and many others. Attorneys in the Duane Morris Health Law Practice Group have extensive experience with counseling clients on potential data breaches under HIPAA and other privacy and security laws, and in developing and executing a data breach response plan, including reporting to federal, state, local and foreign governmental agencies and responding to formal agency investigations.

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered EntitiesContinued from page 7

http://www.NetGainSEO.com

http://www.creweb.com/secure

http://www.bigdogshredbins.com

http://www.naidonline.org/forms/csds/416_CSDS-List.pdf


In the News

9Info Request #101

Expensive factory parts and service hitting your bottom line?

BrEak frEE to a BEttEr solution.Let ALpine ShredderS Show you the vALue of SimpLicity with:

LocAL repAir // eASy Source pArtS // minimAL mAintenAnce

1-866-246-5634 • www.alpineshredders.com

tired of being held prisoner?

Expensive factory parts and service hitting your bottom line?

BrEak frEE to a BEttEr solution.Let ALpine ShredderS Show you the vALue of SimpLicity with:

LocAL repAir // eASy Source pArtS // minimAL mAintenAnce

1-866-246-5634 • www.alpineshredders.com

tired of being held prisoner?

http://www.alpineshredders.com

http://www.alpineshredders.com


In the News

10

[email protected]

www.ipsbalers.comTel: (951) 277-5180Fax: (951) 277-5170www.laigroup.com

Now Even More Options for CustomersWho Want Their Own Key Codes!

Lock America Adds More Common Key Codes for Padlocks and Console Locks.

• Give your drivers and customers a single key that fits all the locks at a site.• Ask your console or bin supplier for new available

key codes, or contact Lock America directly.

One Key Fits All Your Locks with No Restrictions!

9168 Stellar CourtCorona, CA [email protected]

Info Request #152

Where operation management takes only minutes!

402.202.2518 or visit www.eRouteIt.com

Customer & Prospect Management

Scheduling Services

Optimized TruckRouting

Direct Billing

Info Request #163

[email protected]

Millions Collected for HIPAA Violations

Two websites, CRN.com and GovInfoSecurity.com report that higher fines levied for security breaches are a sign that securing patient information is now front and center of

attention by state and federal authorities.Millions of dollars in fines have been levied on medical

practices and associated businesses for Health Insurance Portability and Accountability Act violations that have occurred over the past several years.

The higher fines and dogged pursuit of alleged HIPAA violators by Health and Human Services investigators are the new normal since oversight shifted from the Medicare Operations Division to the Office of Civil Rights under the HHS. In 2009, OCR began an auditing campaign that has commanded the attention of hospital and health system top brass.

Consultants have a bird’s eye view of the situation. Many say they often observe that healthcare organizations are not spending enough on security. One reason is that patient care takes priority. Secondly, a strong understanding of security is lacking in many organizations. Experts say that training and awareness programs are underfunded and, in many cases, proper staffing and software tools for qualitative and quantitative monitoring are inadequate or missing altogether.

Preparation to meet the latest stringent requirements covering contractors has been lagging, experts think. Formal risk assessment programs must be set up and must extend to all associated businesses that handle patient records. Small provider organizations and even larger research facilities are hard pressed to address and maintain security because they often lack appropriate programs and professionals vested with authority to run them.

Meanwhile, OCR will be collecting millions of dollars in fines from these organizations and imposing specific requirements for alleged HIPPA violations:

☛ Massachusetts Eye and Ear Associates, Inc. –$1.5 million. Theft of an unencrypted laptop containing about 3,600 of its patients and research subjects, including patient prescriptions and clinical information.

☛ Beth Israel Deaconess Medical Center in Boston. Stolen laptop containing unencrypted data for 3,900 patients. The hospital is reportedly encrypting more than 1,000 laptops in response to the breach.

☛ Alaska Department of Health and Social Services- $1.7 million. Theft of a USB hard drive possibly containing the data on 500 individuals. It was taken from a computer technician’s vehicle.

☛ Goldthwaite Associates and four of its clients - Milford Pathology Associates, Milton Pathology Associates Pioneer Valley Pathology Associates, and Kevin Dole, M.D., former president of Chestnut Pathology Services—$140,000. Improper disposal of documents bearing names, Social Security numbers and medical diagnoses of 67,000 patients. The documents were found in a municipal waste transfer station.

“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” Massachusetts Attorney General Martha Coakley said in a press release about the Massachusetts’ HIPAA settlement. The funds will address civil penalties, attorney fees and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in the state, Coakley said.

attention: readers!Would you like more information about products

and equipment advertised in this issue? If so, please complete the Equipment Locator Service form

located between pages 8 & 9 and fax to 440-257-6459.

http://www.eRouteIt.com

http://www.ipsbalers.com

http://www.chachkagroup.com


http://www.laigroup.com


http://www.chachkagroup.com



In the News

11

www.southeastrecycling.com

TM

Downstream Data Coverage® is sold in the United States as a surplus line, claims-made policy through Association Insurance Management. Downstream Data Coverage and the Downstream Data Coverage logo are registered trademarks of the National Association for Information Destruction, Inc.

It’s not just a policy, it’s a conceptDownstream Data Coverage is professional liability indemnification offered to NAID certified members that better protects data-related service providers and their customers.

While competitors may copy the policy, they can’t copy the concept.

• By linking coverage to NAID Certification, policyholders are grouped with other safe insurance risks. Over time, this translates to substantially lower premiums.

• With the support of NAID, Downstream Data is an effective marketing differentiator.

• Eventually Downstream Data will be member-owned, captive insurance, giving policyholders more control.

• The policy can be modified individually or across the board to improve coverage.

Learn how Downstream Data can give you more control of your business.

Visit www.downstreamdata.com or call 877-710-2498.

NAID Experiences Steady Membership Growth in 2012

The National Association for Information Destruction (NAID) added 159 new member locations in 2012. Also, 177 member locations became NAID AAA Certified last year, marking the first time new certifications have exceeded

new memberships.“I consider NAID’s continued growth to reflect its growing relevance,” said

NAID CEO Bob Johnson. “It’s a matter of suiting up every day and focusing on how we can improve our members’ businesses.”

According to NAID, while growth remained strongest in the U.S., international growth contributed significantly to the association’s continued expansion. Also, of the 159 new member locations, approximately 40% of these businesses operate in the electronics space, which means they offer sanitization, degaussing, or electronic media destruction services. This is a growing segment of the secure destruction market that will continue to strengthen as more and more data is stored on various devices.

Idaho Hospice Fined $50k in HIPAA Settlement

HAYDEN, ID—According to an article on the Beckers Hospital Review website, Hospice of North Idaho will pay a $50,000 settlement for potential HIPPA violations that may have compromised 441 patients’ electronic

protected health information resulting from a 2010 security breach. This represents the first Health and Human Services Office for Civil Rights

reported breach involving less than 500 patients. Under previous rules, data security breaches involving 500 individuals or more must be reported to HHS and the media within 60 days of discovering the breach. A tightening of oversight has resulted in the requirement that breaches compromising fewer than 500 individuals’ data must be reported annually to HHS.

The North Idaho Hospice breach occurred when a laptop containing unencrypted electronic Protected Health Information (ePHI) was stolen in June 2010. HHS said in a news release that the hospice has made significant improvements since the theft.

For more information: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf.

• 67+ EXHIBITORS

• 500 - 600 INDUSTRY LEADERS

• EDUCATIONAL SESSIONS

• EXCELLENT NETWORKING OPPORTUNITIES

• SPONSORSHIP & EXHIBITOR SPACE AVAILABLE

If you are interested in Sponsoring or Exhibiting, please contact Nicki May�eld at 850-558-0609 or by email at [email protected]. Visit our website for a current list of our Sponsors and Exhibitors.

Conference: March 10 - 13, 2013Trade Show: March 10 - 12, 2013

W W W . S O U T H E A S T R E C Y C L I N G . c o m

Southeast Recycling Conference & Trade ShowT H E P R E M I E R R E C Y C L I N G E V E N T I N T H E S O U T H E A S T

ww

w.so

utheastrecycling.com

SERC2013

Hilton Sandestin Beach Golf Resort & Spa in Destin, FL

The Southeast Recycling Conference & Trade Show (SERC)is a four day event linking industry leaders and recycling experts. SERC provides the premier forum for informing the public and private sectors of the economic and environmental importance of recycling and waste reduction in the Southeast.

Who Should Attend? Dealer Processors, Brokers & End Users

Municipal, County and Private Sector Recycling Coordinators and ManagersLocal and State Government O�cials

Waste Generators and HaulersMilitary, Business and Government Procurement O�cials

Others Committed to Recycling

http://www.southeastrecycling.com




http://www.downstreamdata.com

http://www.hhs.gov/ocr/privacy/hipaa/administrative/



In the News

12

For the right solution, contact:www.jakeconnorandcrew.com or call 1-877-565-JAKE (5253)Jake, Connor & Crew’s containers are recyclable, comply with LEED® and CARB II regulations and are JCAHO compliant.

[ Document protection? ]

Document protection is never in question with Jake, Connor & Crew consoles and bins.

We don’t just protect documents, we protect your reputation.

JCAC_SSSN_QuarterPgLockItAds.indd 2 12-08-30 1:59 PM

Info Request #105

[email protected]

www.alleghenyshredders.com

Info Request #106

Built with impact-resistant tool steel cutters and an extremely powerful drive train, these babies are the most rugged in the industry!

Make the smart choice–and spare yourself any collateral damage!

800-245-2497■ Complete destruction with no

retrieval possible■ Destroys 25–45 hard drives per min.■ Ideal for contract shredding services,

e-scrap recyclers

“Our Allegheny Hard Drive Shredder can shred 1500 hard drives in half a day – it’s already paid for itself tenfold.”

TIM EARLEY - Advantage E-cycling

Opt instead for the most e�ective solution for TOTAL DESTRUCTION of electronic storage devices – the Allegheny Hard Drive Shredder!

■ Complete destruction with noretrieval possible

■ Destroys 25–45 hard drives per min. Ideal for contract shredding services,

Opt instead for the most e�ective solution for TOTAL DESTRUCTION of electronic storage devices – the Allegheny Hard Drive Shredder!

Need to DestroyHardDrives?

Need to DestroyHardDrives?

THE SHREDDING INDUSTRY ICON SINCE 1967

E-Waste Systems Signs $800,000 Investment and Master License Agreement for China The first e-Waste public pure play brand to enter China

E-Waste Systems, Inc. (OTCQB: EWSI), (the “Company”), an electronic waste management and reverse logistics company, recently announced the signing of a definitive Master License agreement for the People’s Republic of

China, which includes an agreement for an investment into the Company. The initial value of the deal is worth $800,000, plus royalties and a minimum $5,000,000 sales commitment. In addition to the license agreement, the deal includes an investment of $650,000 in EWSI, via a new common share issuance at $0.08/share.

“We are thrilled to enter the market in China with this deal. This is the fastest growing market in the fastest growing sector of all waste streams. The prospects for recycling in China are massive. After all, China is the world’s second largest producer of e-waste, next to the US,” said Martin Nielson, CEO of EWSI.

By 2020, eWaste in China is expected to jump by 400% from 2007 levels while discarded mobile phones will be 7 times higher (UNEP). Profits for the emerging eWaste industry in China are forecast to rise over 300% to 10 Billion by 2017 (ReportsnReports).

“This master license advances our global footprint as the leading eWaste pure play public company and is extremely important to secure our eWaste brand globally,” stated Mr. Nielson.

“To enter China, we needed a well connected and experienced partner who shares our passion for doing things right, and now we have that. We have great confidence that subsequent expansion deals will follow very shortly,” added Mr. Nielson.

In 2011, some 162 million tons of e-waste, including nonferrous metals and electronics, was recycled in China, double the amount in 2005. The total value of these recycled products was 571.5 billion Yuan ($91.8 billion), up by 12.7 percent compared with 2010, according to Gao Yanli, secretary-general of the CRRA, the People’s Daily reported.

The emerging industry of e-waste has become a $100 Billion business according to Blumberg Associates. Many of the primitive electronic waste operations in China are toxic and antiquated.

Coastal areas in East China have become the world’s main center for treatment of e-waste. By 2020, 70 percent of the 500 million tons of e-waste processed globally every year will be processed in China, according to Communications Information News.

This agreement calls for an initial payment of $150,000 for an initial two-year license fee and two further licenses plus 2% royalty of annual revenues for each year with a minimum commitment of $5,000,000 in revenues during the initial term. The transaction agreement has been executed, a copy of which will be filed with the SEC on Form 8-K. In coordination with this announcement, EWSI will be opening offices in Shanghai.

In addition to the license fees, the deal also includes an investment of $650,000 in EWSI, via a new common share issuance at $0.08/share.

Alabama Clean-Up Group Hits Recycling Record with Bright Idea

PRATTVILLE, PA—According to an article posted on Montgomeryadvertiser.com, an anti-litter group in this Alabama community has come up with a nifty way to increase public participation in electronics recycling.

By combining free onsite document shredding and electronics collection, People Against a Littered State (PALS) attracted a record number of residents at their monthly electronics recycling drop-off in January. On a busy Saturday, they took in 6,508 pounds of electronics—everything from old, broken or obsolete televisions to cell phones, radios, stereos, computers, laptops, cameras, toaster ovens, microwaves, VCRs, remotes, printers, scanners, pagers, tape recorders, vacuums, irons, hair dryers, keyboards, monitors, projectors, video games, speakers, server hubs, turntables and CD/DVD players.

PALS is a local environmental clean-up group that engages a cross-section of community members, but focuses on youth and includes educational elements in many of its activities. For the first electronics drop-off of 2013, the organizers enlisted the support of area youth, as well as local companies.

Playing key roles in the effort were Prattville-based CE&E Solutions, an ADEM-certified electronics recycler, and Montgomery-based Recycle Services Corporation, which did the paper shredding.

http://www.jakeconnorandcrew.com


http://www.alleghenyshredders.com

Security Shredding & Storage News. January / February 2013 13

www.cumberland-plastics.com

Info Request #162

http://www.cumberland-plastics.com


In the News

14

PwC Survey Finds Executives Serious About Security

According to an article on NationalMultiMedia.com, a global survey by Price Waterhouse Coopers finds a large number of corporate executives to be aware of increasing information security threats, yet overconfident in

their companies’ security frameworks. That, and the downward trends in security spending, is barely short of alarming, experts say.

Vilaiporn Taweelappontong, Consulting Partner at PwC Thailand, said that the rise in global security incidents, diminished budgets and degrading security programs are key challenges faced by today’s businesses.

“The reality is that many top executives are overconfident about the strength of their information security effectiveness,” Vilaiporn said. “That leaves businesses open to fraud and reduces their attractiveness to potential clients as the number of IT security incidents increases.”

The Global State of Information Security 2013 survey was conducted through interviews of 9,300 top-ranking executives from 128 countries. The annual survey draws many of its conclusions by asking about companies’ security structures and executive perceptions of security threat and readiness.

The majority of the executives interviewed (68 percent) said they feel confident about their companies’ information security precautions, while 42 percent were highly optimistic, viewing their companies as a ‘front-runners’ with effective strategies in place—strategies they believe represent the leading edge of information security. According to industry standards, though, only 8 percent of the respondents actually qualified as true information security leaders.

Regional differences were notable, too. Although troubled economies worldwide have forced downward pressure on budgets of all types, Asian businesses expect to spend 60 percent more on security than what they have been, putting them ahead of US and European companies. Further, the PwC survey showed that Asia’s years of security investments are paying off. The region is a world leader in security practices and performance, as well as keeping up with technology, and it reflects in customer satisfaction.

The survey also indicated that spending on basic information security and anti-piracy tools, such as malicious code detection tools for spyware and adware has dropped precipitously. Just over half the respondents reported using intrusion detection tools, once in use by nearly two-thirds of respondents.

“Of course, people feel the pinch in tough economic times, but crooks don’t take holidays. Tying budgets too closely to the economy is a risky way to set security priorities,” Vilaiporn said.

The issue of “big data,” or widely complex and far-flung databases, is much discussed these days, as is the growth of social media networks and mobile computing technology. For two regions, North America and Asia, however, mobile security initiatives and cloud security strategy take top priority. Both regions lead in cloud security strategy, mobile and social media security, steadily keeping up with technological advancement.

The survey also dealt with the value of security, that is, how the executives view it as part of core business objectives and operations, corporate branding and customer satisfaction parameters.

“What most businesses don’t realize is that they must embrace a new way of thinking in which information security is no longer just a means to protect data but an opportunity to create value for the organization. Crucial things like security strategies and spending really have to be well-aligned with business goals,” Vilaiporn added.

For more information: http://www.pwc.com/gx/en/ceo-survey/index.jhtml.

TITAN Receives 2012 Philadelphia 100 Business Ranking

T ITAN Mobile Shredding, LLC recently announced its selection as a 2012 Philadelphia 100 Business - a ranking of the 100 fastest growing privately-held companies in the Greater Philadelphia area! This is TITAN’s second

consecutive year!The Philadelphia 100 evaluation process is conducted by the Wharton Small

Business Development Center, the Entrepreneurs’ Forum of Greater Philadelphia and the Philadelphia Business Journal. The ranking is highly competitive and highly prized. The 100 rankings are based on verified revenue growth.

PA Ban Diverts Tons e-Waste from Landfills

PITTSBURGH, PA—Pennsylvania’s Covered Device Recycling Act, signed into law by former Gov. Ed Rendell in 2010, took effect in January, according to reports posted on BizJournals.com and MontgomeryNews.com.

The law, known as CDRA, requires recycling of “e-waste”—desktop computers, laptop computers, computer monitors, computer peripherals such as printers, keyboards, and mouses, tablets like iPads and Kindles and televisions with viewable screens larger than four inches. Cell phones and PDAs are exempt from the law.

For residents, curbside pickup of such items is history. Though no fines will be levied, haulers will not take the items away. Residents now must take them to municipal drop-off locations, or to collection events held by stores or electronics recycling companies. Another part of the law requires manufacturers to take cradle-to-grave responsibility for their products in a way that keeps the e-waste out of landfills where it has been a source of toxic pollution.

In 2010, Pennsylvania started requiring any manufacturers that sell their products in the state to register with the Department of Environmental Protection and set up recycling programs for a portion of their sales. The law used 2010 sales figures, to calculate the portion and gave the companies two years to comply.

The manufacturers must register their covered device brands with the DEP each year and pay an annual registration fee of $5,000. They also must establish and manage a plan to collect, transport, and recycle e-waste. They are required to report the methods and locations of collection, the names of the recyclers and recycling methods used. Recyclers must be properly certified or accredited and manufacturers must provide an estimate of the weight to be collected based on their first calendar year in the program.

In 2012, 86 manufacturers registered with DEP. Of that group, 29 were exempt because they make only “computer peripherals,” not the main computer parts or TV screens. Six manufacturers were exempt because they had no PA qualifying sales in 2010. The remaining 51 manufacturers reported that they sold 81,519,569 pounds of covered electronics in Pennsylvania in 2010, bringing last year’s total to 28.5 million pounds.

In 2013, the recycling requirement goes up. Manufacturers must recycle 50 percent of the weight of Pennsylvania sales.

Under the CDRA, electronics manufacturers bear the biggest responsibility for e-waste recycling — and face the biggest penalties for noncompliance. The ones who do not register properly or fail to follow any of the CDRA guidelines can be hit with up to a $10,000 fine for the first violation and $25,000 for subsequent violations.

Meanwhile, Pennsylvania retailers are prohibited from selling new covered devices unless that brand is registered with the DEP and included on the list of registered manufacturers that’s publicly accessible on the DEP’s website (www.depweb.state.pa.us). The website has information on CDRA and e-waste recycling locations.

CDRA prohibits both electronics manufacturers and retailers from charging consumers a fee for the collection, transportation or recycling of their covered devices. Some collection locations are allowed to charge fees if they’re not a retailer or affiliated with a manufacturer’s recycling program. Municipality collection points are typically free.

“This law is really for the manufacturers,” said Kasianowitz. “The DEP has a lot of people overseeing this, compiling all the data and ensuring manufacturers are fully compliant with the law.”

Proponents see the law as incentive for manufacturers to facilitate the creation of electronics recycling businesses and green jobs and also minimize government oversight by using market-based solutions.

“The issue is the heavy metals like lead, cadmium and mercury that seep out of computers and TVs and into the ground,” said Lisa Kasianowitz, representative for the Pennsylvania Department of Environmental Protection, which has been tasked to oversee and enforce the CDRA. “Those toxins do not decompose ever, so we just want to protect the environment as much as possible.”

According to the DEP, a typical cathode ray tube computer monitor, for example, contains four to seven pounds of lead; large CRT televisions can contain even more lead.

“E-waste is only about two percent of the total waste stream, but it counts for about 70 percent of toxic materials in landfills,” said George Jugovic, president and CEO of the Pennsylvania environmental advocacy organization PennFuture.

Those caught dumping e-waste could be fined up to $1,000 for the first offense and up to $2,000 for subsequent violations.

For more information: http://www.mrmrecycling.com/locator_pa.htm

http://www.pwc.com/gx/en/ceo-survey/index.jhtml

http://www.depweb.state.pa.us

http://www.mrmrecycling.com/locator_pa.htm

Security Shredding & Storage News. January / February 2013 15

[email protected] www.hammermills.com

E-CYCLERunlike a shredder, the

doesn’t just cut it...

America’s fastest growing hammermill company

1-800-447-4634

it E-nihiLatEs.

6 1 D e p o t S t r e e t , B u f f a l o , N Y 1 4 2 0 6 • 7 1 6 . 8 5 5 . 1 5 5 5 • f a x : 7 1 6 . 8 5 5 . 3 4 1 7 • e - m a i l : i N f o @ h a m m e r m i l l S . c o m • w w w . h a m m e r m i l l S . c o m

Schutte-Buffalo hammermill’s e-cycler is the alternative to a shredder. unlike the cutting action of a shredder, the

e-cycler hammer mill pulverizes e-scrap, scouring confidential data and liberating recyclable components in one pass.• ½ the cost of a shredder with lower maintenance costs and a higher production capacity • completely scours information to illegibility • renders electronic

components unusable and unrecognizable • four-way reversible steel hammers crush and shatter the material • interchangeable screens guarantee a properly-sized end product

• liberates components for easy separation and recycling • pulverizes hard drives, printed circuit boards, cDs & DVDs, cellular phones and more

590-14_Security_Shrednews_mag_FT_M.indd 1 11/3/11 10:34 AMInfo Request #132


http://www.hammermills.com

http://www.hamme

www.shredsupply.com [email protected]

www.shredfast.com

WEBUILDINNOVATION

PRODUCT LINE• Small Particle Shredder - Highest throughput, non-screened, small particle shredder on the market. Screens available for additional particle reduction.

• Collection Trucks - Largest supplier of specialized collection trucks in North America. Three models to suit your needs.

• Pierce and Tear - High throughput pierce and tear shredder with patented auto feed system for increased productivity.

• Hard Drive Destruction - Hard drive shear that destroys 300-400 hard drives per hour. Available for mounting in existing trucks, as add on to new trucks or with separate power pack for box truck or skid operation.

Trade-in’s always welcome!!

www.shredsupply.comwww shredsupply comCheck out our online parts

Superior new and reconditionedSuperior new and reconditioned

TRUCKSfrom industry EXPERTSrom industry EXPERTrom industry EXPERT

that you can trust

RECONDITIONED TRUCKS...CALL NOW

Info Request #158

Info Request #129

http://www.shredsupply.com


http://www.shredfast.com

http://www.shredsupply.com

Security Shredding & Storage News Jan/Feb2013

Documents

Transcript of Security Shredding & Storage News Jan/Feb2013