Frequently Asked Questions

The following are questions we've been asked many times, and our standard informational answers. If you have specific questions, please feel free to contact us!

What is SOX?

The Sarbanes-Oxley Act (SOX), which went into effect in 2004, requires all public companies to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Each company’s external auditors are also required to audit and report on management’s internal control reports, in addition to the company’s financial statements.

What does Sarbanes-Oxley compliance require?

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

What is the FACTA Information Disposal Rule?

The Rule, which went into effect on June 1, 2005, requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to: burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed; destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include: reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company’s information security policies or procedures.

For additional information, see:
http://www.ftc.gov/opa/2005/06/disposal.htm

What is NAID Certification?

NAID Certification is a method whereby customers can verify that an information disposal company is indeed a legitimate company that complies with all recommended industry quality standards. NAID inspects a company’s legitimacy so you don’t have to.


Allshred Services’ “AAA” Certification was awarded on June 7, 2003. To verify our NAID certification, click on the NAID AAA logo, right.


The NAID “AAA” Certification standards are as follows:

Employee Hiring and Screening

  • Employees must produce a law enforcement clearance, which is kept on file. There is also a seven-year employment history on file.
  • All employees must sign a confidentiality agreement before employment begins.
  • All drivers must meet all state licensing requirements.
  • Employees are drug screened at the time of hire and randomly screened throughout the year.
  • Comprehensive third party (private investigative firm) background checks and credit reports are performed on each employee.

Facility Security

  • All non-employees entering the facility must sign a log with their name, time-in, affiliation, and time-out (records are kept for 12 months).
  • There is a secure area within the operation that is devoted only to the process of destroying material (Allshred Services’ entire facility is treated as a secure area).
  • Unauthorized access to the destruction facility is prevented (no access to Allshred’s facility is allowed unless escorted by an Allshred employee; no non-employee is left unattended).
  • Materials are always attended by a company employee or physically secured from unauthorized access before destruction.
  • All materials are contained during removal from customer to transportation vehicle to prevent loss from wind and inclement weather and from prying eyes.
  • Written policies for drivers and processing employees must be in place.
  • Drivers, helpers and processing employees wear company uniforms and photo ID badges to aid in their identification.
  • There is an audible, monitored alarm system in place and utilized when the building is unoccupied.
  • Closed circuit video monitors the ingress and egress from the building, monitors activity in the building at all times, and all monitoring data is maintained for 90 days.

The Destruction Process

  • All vehicles have applicable government inspections, registration and insurance.
  • All vehicles have lockable/securable cabs and lockable/securable enclosed boxes.
  • Paper is destroyed by equipment that reduces the paper to a particle size that is no wider than 5/8” shred width (industry standard).
  • Standard operating practice dictates that all media is destroyed within two weeks of acceptance (Allshred destroys the same day of acceptance).

Insurance & Company Profile

  • General Liability Insurance of $500,000 or more is maintained (Allshred carries $1,000,000 General Liability as well as $3,000,000 umbrella policy).
  • Company in business for at least five years (Allshred has been in business since 1989).
  • (Allshred also has a $1,000,000 Employee Dishonesty policy and $1,000,000 of Professional Liability Insurance).

In addition

  • All marketing materials are inspected to check for misleading advertising.
  • An independent physical inspection is performed by Certified Protection Professionals (CPPs), certified by the American Society for Industrial Security (ASIS), to ensure compliance with all criteria.


Allshred Services’ “AAA” Certification was awarded on June 6, 2003. To verify our NAID certification, click on the NAID AAA logo, right.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (revised by Congress in 2000) is a federal law that governs the handling of confidential medical and personal information and records. Civil and criminal penalties, as well as fines, may result from the inadvertent disclosure of personal information. All companies that handle medical and personal information must be in compliance with the federal standards by April of 2003.

What does HIPAA say about shredding?

Shredding is a relatively small part of the HIPAA law, and although HIPAA doesn’t specifically list the requirements for shredding, the American Health Information Management Association (AHIMA) suggests that you:

Destroy the records so there is no possibility of reconstruction of information.

  • Appropriate methods for destroying paper records include burning, shredding, pulping, and pulverizing.
  • Methods for destroying microfilm or microfiche include recycling and pulverizing.
  • The laser disks used in write once-read many (WORM) document imaging applications cannot be altered or reused, making pulverization an appropriate means of destruction.
  • The preferred method for destroying computerized data is magnetic degaussing. (Data are stored in magnetic media by making very small areas called magnetic domains change their magnetic alignment to be in the direction of an applied magnetic field. Degaussing leaves the domains in random patterns with no preference to orientation, rendering previous data unrecoverable.) Proper degaussing ensures that there is insufficient magnetic remanence to reconstruct the data. Overwriting can also be used to destroy computerized data. (To overwrite, cover the data with a pattern, its complement, and then another pattern, e.g. 00110101, followed by 11001010, and then 10010111.) In theory, however, files that have been overwritten as many as six times can be recovered. Total data destruction does not occur until the original data and all backup information have been destroyed.
  • Although magnetic tapes can be overwritten, it is a time-consuming process and there can be areas on a tape that are unresponsive to overwriting. Degaussing is considered preferable.

Document the destruction, including:

    • date of destruction
    • method of destruction
    • description of the disposed records
    • inclusive dates covered
    • a statement that the records were destroyed in the normal course of business
    • the signatures of the individuals supervising and witnessing the destruction

    Maintain destruction documents permanently. (Such certificates may be required as evidence to show records were destroyed in the regular course of business. If facilities fail to apply destruction policies uniformly or where destruction is contrary to policy, courts may allow a jury to infer in a negligence suit that if records were available, they would show the facility acted improperly in treating the patient. See “Sample Certificate of Destruction,” below.)

    • If destruction services are contracted, the contract must meet the requirements of the HIPAA privacy rule.

    In addition, the contract should:

    • indemnify the healthcare facility from loss due to unauthorized disclosure
    • require the business associate maintain liability insurance in specified amounts at all times the contract is in effect
    • provide proof of destruction

    It should also specify the:

    • method of destruction
    • time that will elapse between acquisition and destruction of data

What is Gramm-Leach-Bliley?

The Gramm-Leach-Bliley Act of 1999, which went into effect in July of 2002, governs the handling of all personal information. The law mandates that all financial institutions establish procedures for protecting personal information, including the protection of discarded information. Financial penalties and civil suits may result from the inadvertent disclosure of personal information.

What does Gramm-Leach-Bliley say about shredding?

The Gramm-Leach-Bliley Act doesn’t specifically list the requirements for shredding. However, Section 501 of Title V of the GLB Act says the following:

SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION

(a) PRIVACY OBLIGATION POLICY.— It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

(b) FINANCIAL INSTITUTIONS SAFEGUARDS.— In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

It is implied that any material that contains “personal identifiers” should be discarded with the utmost care to preserve its confidentiality. Using a NAID Certified shredding service is one of the best ways to do that.

Am I subject to HIPAA regulations?

HIPAA is somewhat vague on the definition of covered entities and is subject to some interpretation. The general rule of thumb is that if you handle patient or medical information, you should consider instituting a document destruction program. Ultimately, if personal medical information is disclosed, you may be liable.

For specific information about whether or not you are governed by HIPAA, please visit the following website for more details: http://www.hhs.gov/ocr/hipaa/

Why do I even need to shred?

All businesses discard confidential data. Customer lists, pricing lists, sales statistics, drafts of bids and correspondence, even memos, contain information about business activity that would interest a competitor. Every business is also entrusted with information that must be kept private. Employees and customers have the legal right to have this data protected. Without the proper safeguards, information is merely discarded in the garbage (often in an unlocked dumpster located outside of your facility) where it is readily, and legally, available to anybody. The trash is considered by industrial espionage professionals as the single most available source of competitive and private information from the average business. Any establishment that discards private and proprietary data without destroying it first exposes itself to the risk of criminal and civil prosecution, as well as the costly loss of business.

We store our records, so we don’t need a shredding service, right?

The period of time that business records are stored should be determined by a retention schedule that takes into consideration their useful value to the business and the governing legal requirements. No record should be kept longer than this retention period.

By not adhering to a program of routinely destroying stored records, a company exhibits suspicious disposal practices that could be negatively construed in the event of litigation or audit. Also, the new Federal Rule 26 requires that, in the event of a lawsuit, each party provide all relevant records to the opposing counsel within 85 days of the defendant’s initial response. If either of the litigants does not fulfill this obligation, it will result in a summary finding against them. By destroying records according to a set schedule, a company appropriately limits the amount of materials it must search through to comply with this law.

From a risk management perspective, the only acceptable method of discarding stored records is to destroy them using a method that ensures complete obliteration. Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.

Our everyday trash isn’t top-secret. Why should we shred that too?

Without a program to control it, the daily trash of every business contains information that could be harmful. This information is especially useful to competitors because it contains details of current activities. Discarded daily records include phone messages, memos, misprinted forms, drafts of bids, and drafts of correspondence. All businesses suffer potential exposure when they merely discard these incidental business records. The only means of minimizing this exposure is to make sure such information is securely collected and destroyed.

Isn’t my recycling program good enough?

Recycling companies do not perform background checks on their minimum-wage workers, nor do they bother to bond them. Your paper is then sorted in unsecured conditions. The sorted paper is stored for indefinite periods of time until there is enough of a particular grade to sell. The sorted paper, still intact, is then baled and sold to the highest bidder, often overseas, where it may be stored again for weeks or even months until it is finally used to make new products.

There is no fiduciary responsibility inherent in the recycling scenario. Paper is given away or sold and, by doing so, a company gives up the right to say how it is handled. There is no practical means of establishing the exact date that a record is destroyed. In the event of an audit or litigation, this could be a legal necessity. Further, if something of a private nature does surface, a company’s selection of this unsecured process could be interpreted as negligent. From a risk management perspective, the choice of recycling as a means of information destruction is undesirable. Any recycling company that minimizes the need for security has its own interests in mind and should be avoided.

If environmental responsibility is a concern for you, be assured that, whenever possible, Allshred Services recycles your documents after they are destroyed. We ship bales of decimated paper to paper mills to be pulped and made into new paper products.

But my recycler gives me a certificate of destruction!

A certificate of destruction does not relieve a company from its obligation to keep information confidential.

Any company contracting a destruction service should require a signed testimonial, documenting the date that the materials were destroyed. The “certificate of destruction,” as it is commonly referred to, is an important legal record of a company’s compliance with a retention schedule. However, it does not transfer to the contractor the responsibility to maintain confidentiality of the information. 

If security is breached and information leaves the recycler’s facility, a court is bound to question the process by which the particular contractor was selected. Any company not showing due diligence in their selection of a contractor, one that is capable of providing requisite security, could be found negligent. But from a practical standpoint, if proprietary or private information is lost or leaked due to the fraud or negligence of a vendor, the obligations of that vendor are irrelevant. The firm whose information falls into the wrong hands stands to lose the most, either from loss of business, prosecution, or unfavorable publicity. 

Since a business cannot transfer its responsibility to maintain confidentiality, it must be certain that it is dealing with a reputable company with superior security procedures. Unfortunately, there are those information destruction services that provide certificates of destruction while having no semblance of security and, in some cases, no destruction process available to them. Anyone interested in contracting a data destruction service is advised to thoroughly review that service provider’s policies and procedures, conduct an initial site audit, and then conduct subsequent unannounced audits.

My records storage company has offered to shred the records for me!

Most records storage companies do not have the equipment to provide shredding services.

Many commercial records storage facilities offer destruction as a service to their customers. However, in a survey conducted by the National Association for Information Destruction, a majority of the commercial storage firms were found lacking the equipment necessary to provide the service. Commonly, that industry subcontracts the destruction of the records they store. In some cases, disreputable storage firms were found to be misleading their customers by charging for secure records destruction when, in actuality, the materials were being sold to a recycling company for scrap.

Any business using a commercial records storage firm should inquire as to the nature of the destruction services that are available. It is an unacceptable risk to permit a storage firm to select a subcontractor to provide the records destruction service. The owner of the records is ultimately responsible for their security and, therefore, should be selecting the vendor directly.

We’ve always had our own personnel destroy our material.

Common sense dictates that payroll information and materials that involve labor relations or legal affairs should not be entrusted to lower level employees for destruction. Beyond that, it has been established, time and again, that employees are the most likely to share information with competitors. Lower wage employees often have an economic incentive to capitalize on their access to your business’s proprietary information. Thus, you only have two acceptable alternatives: have the material destroyed by your own personnel but under the direct supervision of upper management, or have it destroyed by a carefully selected, highly secure destruction service.

I’m not sure that senior management will consider shredding a priority.

In a survey conducted by The Conference Board, top executives from 300 companies ranked the security of company records as one of the top five critical issues facing business. When asked which issues required immediate attention and policy development, the security of company records ranked second only to employee health screening.

Theft and Industrial Espionage – industrial espionage costs businesses over $7 billion annually. A regular records retention and shredding program can prevent litigation, embarrassing publicity, and possible closure of your business.

Why shouldn’t I buy my own shredder?

You will spend company time, pay high wages, and use inadequate equipment to shred potentially large volumes of material. Most desk-side shredders jam often (too much paper, didn’t remove paper clips and binder clips) and tend to break down easily.

Do I need to sort the different types of paper?

No. Our bonded employees are trained to quickly and accurately process and shred the material. We ask only that you do not mix trash (restroom and lunchroom items such as non-recyclable cups, plastic wrap, pens, etc.) with your material scheduled for destruction.

Do I need to remove paperclips, staples, binder clips?

Our shredders will not jam when they encounter any of those items. We prefer that papers be removed from 3-ring binders, since shredding them with paper renders the paper unusable by a paper mill.

What if my material is in a 3-ring notebook?

Our shredders will not jam when they encounter any of those items. We prefer that papers be removed from 3-ring binders, since shredding them with paper renders the paper unusable by a paper mill.