May 9, 2008
Securities and Exchange Commission
Nancy M. Morris, Secretary
100 F Street, N.E.
Washington, DC 20549
Re: Comments on Proposed Amendments to Regulation S-P
File Number S7-06-08
To the Commission:
I'm board certified in security management and have been a Certified Protection Professional (CPP) since 1987. I've been a security professional for 34 years and have owned and operated a mobile shredding service for 20 years.
I'm writing to submit comments to the Commission regarding the expanded disposal rule, specifically where it pertains to shredding of paper documents, especially where covered entities contract the services of a third party shredder.
Every organization or agency cites shredding as a way to protect sensitive information from disclosure, but no one ever looks at the shredding processes. The shredding industry isn't regulated. Anything goes. Convicted felons can buy shredders and start providing service.
It's not logical that someone would pay $250,000 for a mobile shredding truck that doesn't shred paper unreadable, but most do. This trust in logic keeps companies from looking in the back of these trucks.
The most important issues when exercising due diligence in selecting the services of a third party are shred size and disposal.
The FTC's FCRA disposal rule failed to recognize the problems and deception in the shredding industry. A third party shredding company being a member of an organization or being certified does not protect information if very basic security principles are neglected.
1. If you start a shredding service, you can pay your dues and be a member. Does this make a company credible?
2. Someone with no background in security matters can become certified in a very short time if they pay the fees and pass a very basic audit. Does this make a company credible?
3. Convicted felons and all lesser degree criminals can become members and certified as long as their conviction isn't for burglary or felony theft. Is this reasonable?
4. Shred size isn't an issue to becoming certified. Any shred size can be certified as long as it does what the OEM specs say. Isn't the reason for shredding to make paper unreadable? If the OEM states the shredder will miss checks and large pieces of paper, it can still become certified. Is this reasonable?
5. Certified companies have agreements with the recyclers that the shredded paper isn't to be released back into the public. Why is this necessary if the paper is shredded unreadable? Privacy professionals will tell you that recycling isn't acceptable as secure destruction. Why then, would partially shredded material going to recycling be acceptable?
6. Security Professionals (CPPs) participate in the certification process for the association, but the Certification Board for the Security Professionals states that their CPPs make no recommendations and certify no process. What's the purpose of having these security professionals except to give an illusion of security? Does this make any sense? Where does the basis for the certification come from?
If very basic security principles are ignored, then the Commission should not mislead covered entities by placing a statement that requires disposal companies to be certified or even a member of an organization. Some of the most secure companies won't belong to an organization like this or participate in its certification program.
In fact, the Commission should make a statement to the effect that "a disposal company's affiliation with an association or certification doesn't relieve a covered entity of its due diligence responsibility".
Legal action should be allowed against a third party shredding provider if it can be proven they knowingly deceived or attempted to deceive a covered entity. This should fall under "deceptive business practices". The third party provider should also be held accountable for costs associated with breach notification.
The only way covered entities can ensure the security and confidentiality of personal information and protect against any anticipated threats is by being sure of the final shred size before the shred truck pulls from their facility. This leaves nothing for covered entities to anticipate.
Don't give any organization credibility by the inclusion of a statement. Such a statement can mislead. If a third party shredder is the best choice, then they should stand on their own merits, not questionable certifications.
Due diligence is the responsibility of the covered entity. Don't give them an easy out by being able to state the company they selected is "certified".
I appreciate the opportunity to comment on this proposal.
Douglas Knisely, CPP
Knisely Security, LLC