Standard-Setting Practices In Secure Data Destruction with Bob Johnson

June 24, 2020

Bob Johnson founded NAID in 1994 to serve as a non-profit watchdog organization for the secure information destruction industry. As a result of its success, he more recently presided over NAID's merger with PRISM International, a 40-year-old information management association, to form what is now i-SIGMA.

John Shegerian: Welcome to another edition of the Impact Podcast. I am John Shegerian. I am so honored and thrilled to have my good friend Bob Johnson with us today. Bob is the CEO of the International Secure Information Governance and Management Association. Welcome to the Impact Podcast, Bob.

Bob Johnson: Thank you, John. It is great to be here.

John: You know, Bob, before we get into your history in the information management sector, can you share a little bit of your biography and journey leading up to the founding of NAID and the information business that you are in?

Bob: Well, sure, John. It is like public ghost stories; it kind of happened by accident or serendipity. My family had been in the recycling business as far back as I can remember. It is a complicated story of how they ended up there, and it was for the manufacture of products, but leaving that aside for the moment. In high school, I used to work there. So I worked there and I was exposed to the recycling world, but it was never going to be my career. Along the way, believe it or not, I took a job as a security guard on a break from university, working at this, I will not mention the name of the factory. It was a high-security factory, and my job on the third shift was shredding paper. I am a 19-year-old kid and I realized at the time that they were doing it very inefficiently. Of course, we are now going back 40 years, right? So that is how old I am. Paper was the media, that is what stuff was recorded on; now it is electronic, and we will talk about that.

John: Right.

Bob: I saw right away how inefficient the way they were doing it was, and I went back to my uncle, who was still with the recycling company, and said I would like to start a division of the company that is high security, and he let me run with it in 1980. I never went back to university and I ran with it for 14 years. In those 14 years, we were over five states and it was the most profitable thing we were doing. That is how I got into it. Now, what I was doing kind of led to where NAID came from. NAID was the trade association that led to the formation of i-SIGMA. Where that came from was, during those 14 years, while I was grinding out this business and talking to people about information security, when information security really was not what it is today, I mean we are again talking about the 1980s and early 90s, I got a lot of odd looks from people when I would talk about the need to protect this discarded information. Through those years I wished we had a trade association that would: 1. Help educate customers that this was an issue they needed to pay attention to. 2. Help customers differentiate between what I was doing and what I considered, of course, the unscrupulous vendors that were out there that were saying things to the client but were not really walking the walk. That is where the association came in. Back in 1994, I and a handful of other guys in the business got together and formed NAID, which was the National Association for Information Destruction. It grew to two thousand member locations around the world, all of which were companies that had the same goal as I did. Now, of course, in that time, and you have seen this in your career, information security went from being this kind of curiosity in the 80s to being the thing that all businesses need to and have to be careful with and take care of.
That is kind of the whole arc of the story and how I ended up doing what I do now, what, 35 years later.

John: That is wonderful. I did not know that part of your background. I did not know you had run recycling. No wonder we get along so well. You have already done what I have been trying to do; right now that makes so much sense. It makes even more sense than ever before. So can you go over a little bit about why NAID AAA certification has become the platinum standard in the United States and around the world, and how and why it became so important to all the customers out there, and potential customers, when looking at a brand and how they handle, first, what was paper destruction, information on paper? Can you explain a little bit about that?

Bob: Sure. Well, maybe just to touch on that transition from the paper-based to the electronic-based first,…

John: Sure.

Bob: … because that is significant. All of those same issues, and you know these, this is for your audience, you know this very well. Those same issues that we confronted in the world of paper media destruction, this of course is paper that contains very confidential and private information. Those same things, educating customers and getting customers able to differentiate between the reputable operator and the disreputable operator and the operator that was going to put them at risk, that was really important. Well, that matched up perfectly with electronics. I mean, at the end of the day we are talking about media that has confidential information, and you guys on the electronic side of it had the very same issues that we had on the paper side of it. Now, of course, as everything becomes electronic, it is even more so. That transition, while it might seem a little awkward, from paper to electronics was very natural. We are really just focusing on the media and the disposal. So in that vein of giving customers a little bit more to go on, we did start, now 20-plus years ago, a certification program where vendors, our members, could go through this process to show customers they were doing the right thing, that they were for real, and the customer could take reassurance in the fact they were dealing with a reputable service provider. We took a serious look at it. We developed these standards and we have a network of 20 auditors around the world that look at that. But back then, John, there was still not a lot of regulation around it; there were not a lot of laws and penalties that went with it. In its infancy, at the time we started it, it gave operators a way of differentiating themselves from their competition and it gave the customer a comfortable feeling they were dealing with a reputable vendor. So that was kind of the beginning, and that arc has changed too because of what happened.
Again, I keep saying this, but as you well know, what happened was the regulations did come along. First you had the state regulations and you had HIPAA and then GLBA, and in fact they just kept building. I said all along it is kind of like a conveyor belt of these laws. However, one of the interesting things about it is that in every one of these regulations, I mean from the beginning, as they have escalated over time, it is baked in that the customer, who in the regulation is called the data controller, but for you and me it is the customer, is required by law to make sure their service provider is doing certain things, has certain policies or procedures within their organization. The reality is, however, that customers usually do not know they have that requirement, and even if they knew they had the requirement to do the due diligence, they would not know what due diligence to do. So the role of NAID certification has transitioned from giving the customer maybe a little bit of comfort. Now it actually fulfills their due diligence, because we do know what to look at. We are looking at all of it and we change it right along with the regulations. So when the California Consumer Privacy Act comes along and introduces regulations that give the data subject the right to know more details about the vendor, we have to modify the certification, because our commitment to the customer is that we are looking at everything they are supposed to be looking at. So they know if you are NAID certified. You guys are the poster child for NAID certification. You have every one of our certifications across all of your operations. When you look at a vendor like that, you know that they are doing everything they need to do under the law, so that the customer is compliant with their due diligence requirements.

John: So basically, in the information security business, it is the Good Housekeeping seal of approval?

Bob: Yeah, now see, leave it to you to put it in such a succinct way after I give that long explanation. But you know what I have always admired about your organization, John, is that you saw early on that the only route to sustainability was dealing with the data security problem of it. That is why you guys were so quick to embrace it. Anyway, I am not here to yank your chain or anything, but I really do mean that. That is very insightful.

John: But I am going to give a personal story. A friend of ours, a mutual friend, matched us up and said you guys have to meet. I forgot how many years ago now; it could have been six, maybe seven. We had a lovely lunch in New Orleans.

Bob: [inaudible] remember.

John: I came away from that lunch. I know he told you that we were going to go all-in with you, with what you were doing in your certifications. But I told my partner Kevin the same thing when he saw me after lunch and asked how it was. I said, Bob is amazing. He is so visionary on all these issues. The sooner we get involved, the better we will be as a company. Literally, it has been one of the biggest wins we have ever had, getting involved with NAID, which is now called i-SIGMA. For our listeners out there, to find all of the important work that you are doing, it is important that they go to www.isigmaonline.org, i-s-i-g-m-a online dot org, to find your great organization and to get involved and to get certified. I just want to say, yes, we went along with it, but you were the one who laid out the vision as to why it was critical to do so. Literally one of the best decisions we ever made at this company, and one of the reasons we are one of the leading brands now in the United States and the world. Thanks to you. So that is a true story and I just needed to get that out, because I want my listeners to hear that you are not only a creator and a maker but you are a visionary, and that is rare. That is rare.

Bob: Well, thank you for your kind words and I appreciate it.

John: Yeah, but as I was sharing with you off air before we started this podcast, you have been visionary many times when I have been in the room with you. One of them was when you invited me to your conference in Europe, which I believe was in Luxembourg, and it was a whole GDPR conference. GDPR, I thought I was literally a Martian. I did not understand what was going on. In that room, what I came away with is, you said not only is GDPR going to impact those who work in the EU, but soon thereafter, if not immediately thereafter, May of 2018, GDPR was going to come to America. Boy, talk about prescient, and again you have been so right, because not only has GDPR come to America, but there are numerous forms, back to your conveyor belt metaphor, numerous forms of national legislation in for approval in the United States right now that have gotten put off because of all the other crises we are going through. But as you said, the California Privacy Act, and now states are creating their own versions of privacy slash security slash destruction data handling laws themselves, their version of GDPR, and twenty-two states have their own form of legislation in for approval or already passed. When you listen to people like you, eventually in the next couple of years every state will have its own version of this as well. The noose is only tightening, comparatively speaking, on privacy and data protection. So getting involved with your organization and becoming not only a member but also participating in getting certified is probably more critical than at any time in its history. Is that how you see it as well?

Bob: Oh, very much so. I mean, I am not going to comment on whether I am a visionary or not. I think that is so on that part of it; I am not going to necessarily agree, but with everything else that you said I will. I think where I get that credit comes from the fact that with the certification program, the challenge is making sure that we are looking at all the things the regulations tell us we should be looking at. Right? The regulations change, we have to change and look at it. That is where I spend a lot of my time, and of course, you spend thirty, forty years doing that, you get used to it. I mean, I can see in the GDPR, the General Data Protection Regulation, that it goes all the way back to its origins in 1995 with the first European Data Protection Directive. I see the arc of all of these things, but I want to touch on something that you mentioned, because the GDPR actually has two interesting things. So the General Data Protection Regulation, that is now the law, has been in effect in Europe for two years. As you mentioned, we saw it was going to have this global thing, but it was really for two reasons. One way I predicted, one way I underestimated. So the way I predicted was, and this is kind of interesting too on how all the regulations have changed, because within the GDPR we could spend two hours talking about what was new in it, because they learned all these lessons from the US and around the world. We could spend a lot of time on that, but one of the interesting things was it was borderless. It applied to the citizens of Europe, not to what was going on within the borders of the European Union or within any specific country. If that person came to California and did business with any business in California, that business in California, at least hypothetically, was bound by the GDPR. Well, and of course if you are Hilton or if you are United Airlines, you have got to do that.
You have got to handle these European citizens' information this way, and what do they do? Well, they are not going to handle their information differently from US citizens'. The US citizens' information had to be treated in the same way, because big corporations are going to have one standard for how they have got to do it and it rises to the highest level. In that regard, being borderless, it naturally took it outside of the bounds of Europe and applied everywhere.

Well, so when California modeled the California Consumer Privacy Act after the GDPR, which it really did, it was borderless also. Now if you are in Georgia and you have somebody from California in Georgia, they have to comply with the California Consumer Privacy Act. You have got both things. You have got this span of borderless regulations that apply to everything, and you have these corporations that now no longer are looking at what is the regulation in my state, but are looking at what is the toughest regulation in the world. I had better meet that standard, because that is the common denominator from now on. If New Zealand passes a regulation that is stronger than the GDPR, then pretty much globally they are going to say, all right, we have got to rise to this standard. Of course, that is the same standard we put on our certification programs. We have to accommodate that new highest denominator, if you will. It has really been interesting how this has all changed just in the last 10 years, to be like one world that is hyper-focused on data security, notwithstanding, of course, as you say, the pandemic we are going through. We all know we are going to come out of this. John, I do not know if you have seen this, and I know you watch regulations, maybe not as closely as I have. Everything went quiet for the last two or three months. Now we are starting to see more laws about facial recognition, more laws about data security. It is coming back like it never left, and when we get clear of what we are going through right now, as we all know we will, whether it is three months or six months, it is going to be back in spades, and probably with as much momentum as it ever had.

John: For our listeners who just joined us, we have got Bob Johnson. He is the CEO of i-SIGMA and also the co-founder and CEO of NAID, the National Association for Information Destruction. To find Bob and his great organization, you can go to www.isigmaonline.org. I also want to mention your great book. I have given out about 40 copies over the last years. It is called Information Disposition: A Practical Guide to the Secure and Compliant Disposal of Records, Media, and IT Assets. It has literally become the Bible of our industry. I highly recommend all our listeners buy it and read it, or at least use it as a resource tool. You can buy it on Amazon and it can come right to your house or your business. I highly recommend it. Bob, I want to ask you: since I have met you, this whole issue of cybersecurity has become part of our lexicon, has become part of our regular vernacular, concurrent with the rise of a borderless world, like you said, when it comes to information destruction. Talk a little bit about your thoughts, as I have heard you use these words before, on what it means to take information disposal from the basement to the boardroom.

Bob: You have got a great question. It is nice to know you have been listening, John, because that started, and anyone who just joined us might know my history does go back so long, some listeners may not remember the kind of gnashing that came with the Enron-Andersen scandal of the early 2000s. I remember it was January of 2001 when it all broke, or I should not say that, it might have been 2002. When Enron-Andersen broke, the regulatory outcome of that was Sarbanes-Oxley. Sarbanes-Oxley was interesting because it was the first time the board of directors, the top CEOs, the C-suite of a corporation, was linked to the record-keeping of the organization. We saw right then that corporations were now keying in on how do we as an organization manage the information we have, because Sarbanes-Oxley makes us personally liable for our business record-keeping, records management practices, the integrity of the accounting, and all of those things are tied in. Now, if you remember, John, I think you are probably old enough to remember that, at the same time, part of that scandal was Arthur Andersen, may they rest in peace because they met their demise. They were accused and found to be involved with Enron, I am sure, in improperly destroying information to circumvent investigations, right? Here you have got an example of information destruction being used for the wrong purpose. They were getting in a lot of trouble. At the same time, we saw boards start paying attention to what was going on in their corporation: how are we handling information, since now we are personally liable? They saw their corporate brethren getting in trouble for improper information disposal. Inside counsel around the world went out to all their boards and said, "We have to destroy the stuff. We cannot just not destroy information; legally, we are bound to destroy the stuff. We have to destroy it in a uniform way.
We have to document it, we have to do what we say we are going to do." Suddenly information destruction was in the boardroom. Now, that was just the beginning, because what then happened, as you and I have spoken about on the call here, these regulations started to come into play. It is a funny thing: when you hire a company, a third party, to manage data that you are responsible for protecting, you as the organization hiring that company are still liable for the protection of that data. Now, unfortunately, maybe boards were slow to learn this, but their liability does not go away when they hire this third-party company. The only thing that mitigates that liability is if they are putting due diligence into the selection of that third-party vendor. Of course, the worst thing they can do is say that they were not paying attention, that they farmed it out to the lowest bidder or something like that, because they were liable for the actions of those third parties they were hiring. As they realized this, of course, it is now even higher up there. Then, of course, adding maybe just the third leg of the stool: when it hits the headlines that there has been a cyberattack, or someone has hacked into our computers and they have gotten all this personal information, the stock price drops by thirty or forty percent, and there is no better way to get the board's attention than the stock price going down thirty or forty percent. All of those three things kind of happened over about a fifteen-year period, and suddenly information disposition is in the boardroom, and I would add, rightly so. If it is not in the boardroom, then that board needs to start thinking about it and at least be aware, because ultimately they are liable for the protection of that information even when they are discarding it.

John: That is so important. The fiduciary responsibility for information destruction runs right up to the boardroom now, and even, as you and I have seen, third-party vendors that are brought in to consult for large corporations who then have a big information breach. I have seen the splashback: even those very, very large and iconic brands get sued as well. The liability goes far and wide now with regards to information destruction.

Bob: John, you probably know enough to ask this question of the clients you and your company call on, but the question that needs to be asked of anybody making those decisions is: What is the value of your brand? I think we all know in our business that if we could talk to the CEO, they would really get why it is so important, the services that our members offer, and why the decision of who is going to do that is so important. I mean, it literally is the value of the brand that comes toward you.

John: That is really important. What is the value of your brand? Because to have a data breach, and to have reputational diminishment, litigation costs, and maybe even operational disruption, can literally be the difference between being in business and going out of business. All three of those things.

Bob: John, think about this one too. When your firm retires its electronic assets, and I am not going to put you on the spot, I know that many of those corporations do not know where all those IT assets are, or they maybe do not know the exact vendors that they are using and how those vendors are processing it. Every laptop, every phone, everything that leaves that organization, that passed through that organization, that could have collected data, is a time bomb, and there is no statute of limitations on that. If they do not know where a laptop is, and that laptop could have personal information on it, and it comes up on CNN or is sold on eBay or whatever it might be, there is no statute of limitations on the damage that can do. Those are all time bombs out there floating around the community that could come back at any time. They need to take it seriously. That is why I say, I think if we were talking to the CEO or even the vice president of risk management for an organization, and you explained that these are all time bombs that are floating around the community, that you have no idea what is happening to them in the world or who is going to get them, they would take it much more seriously.

John: Agreed, agreed. Bob, I know you have a webinar series coming up. The world, because of COVID, has gone a little bit frozen when it comes to in-person events, and your in-person events and conferences have been so worthwhile to attend. They have the leaders of all sectors, and it is just a great networking tool besides being a great tool to learn. But I know you have pivoted this year and created this wonderful webinar series. Can you share with our listeners more about your webinar series and how people can get involved and participate?

Bob: Well, they really are aimed at our members. One of the things we recognized when we had to cancel our conference, and of course our conference has always been to help our members, really, if I had to say one reason, it is to help our members better educate their clients on the things that you and I have been talking about, so their clients are making good decisions. We had to pivot from that to more of, well, how do we help our members navigate what they are going through now, and navigate it in a way that not only addresses their challenges in this environment but their customers' challenges in this environment? Knowing you and knowing your company as I do, we have not even talked about it, but the challenges that come from remote working for corporations are pretty dramatic, right? We consider ourselves and our members to be information protection professionals. I know you embrace that. You are the epitome of it. In that regard, we have a responsibility to be reaching out to our customers and the clients that we are already working for, telling them that we can help you with these work challenges you have. A lot of what we are doing is in that regard. There is full and complete information on how to register for our webinars online, because we are a nonprofit organization and we pretty much do this because we believe in it. The webinar series is free. We are just offering it out there because we are in this all together, and we are just trying to get it out there. If anyone goes to the website that you mentioned, which is isigmaonline.com, they can find more information and they can register, and we are happy to have you.

John: It is dot-org, right? I just want to say [crosstalk], dot-org, right?

Bob: Yeah, thank you, dot org.

John: I just want to make sure.

Bob: Good call.

John: We are starting to get to the other side, God willing, Bob, of this tragic COVID crisis. Tell our listeners, share with our listeners, please, your vision, and I know you always have a great one, on the future of NAID and i-SIGMA, and what are some of the major initiatives you have, both for the rest of this year and in the years to come?

Bob: Well, I mentioned this idea that we need to be responsive to what will be a growing trend in remote work, and how our members can help their customers deal with those issues that come from that. But of course, I think that while the trend for remote working has been accelerated, I still think we will largely be returning to our offices, even if the trend has proceeded. That will kind of be back to normal. A couple of things we are doing on the certification side: I mentioned already that the role of NAID certification has now evolved to be that thing which, for the customer, demonstrates that the vendor is doing the right things under the regulations, something the customer is supposed to be doing. Well, by rights the customer should be able to have evidence of that due diligence in a file that they are keeping on their vendor. Starting in, I think, probably October of this year, we will be launching what is called the service provider compliance report. For any company that is NAID-certified, a client of that company can go online, sign up and receive an initial and automatic annual report demonstrating what that company has met as far as its compliance. It goes in the file and it is a hard copy; they can get an electronic version of it as well. But it is their evidence of the due diligence that was performed on that service provider, because that is their cover. I talked about some of the changes in GDPR. One of the most interesting changes in GDPR that is new, and it is now in this whole new generation of regulations we are seeing, is that it is now required in the law that you be able to demonstrate your compliance. Now, that might seem counterintuitive to people. But the law says, "If we come to evaluate your compliance and you cannot demonstrate your compliance to us, you are not compliant."

That is a pretty radical concept when you throw it into a regulation. Now there is this burden on you as the data controller, our customers, right? They have got to be able to demonstrate they are being compliant. It is not just enough to be compliant; you have to be able to demonstrate it. That is where this report comes in and that is why we are doing it, to go back to what I said about how we try to change our program to be responsive. Similarly, though in kind of a different vein, we are taking our certification into areas like... You and I, I think, have talked about this in the past: automobiles are collecting a ton of information about us now. You suddenly have, and by the way these car dealers do not even know it yet, a car dealer that trades in a three-year-old car for another car is now a data controller under the regulations, because they have taken in a big computer that has got a lot of personal information about the last guy that drove the car. They are now a data controller under the California Consumer Privacy Act, under the GDPR, under any number of laws that will be coming down the pike on this. You have got a whole generation, a whole new category of data services that need to be done, and data protection. Of course, you have the same issues in the cloud with information uploaded, and I do not even know that we have figured out a way to address data protection and data disposal. In the GDPR, in the California Privacy Act, in the proposed New Jersey law, and all these laws, there is the right to be forgotten. As a data subject, you can demand that anything about you be eliminated. Well, if you are storing that person's personal information in the cloud, when you erase it, when you go to get rid of that information, the information does not necessarily go away. You have simply disconnected yourself from it. I am probably getting a little bit too in the weeds.
I do not want to lose your audience on this, but there is a whole bevy of implications that come from how this law interfaces with the fact that so much information is being uploaded to the cloud now and we do not really have direct control of that information. Yet the data subject, the individual, has the right to say that it should be completely erased under the regulation.

John: Needless to say, given everything you just said, getting involved with your great organization i-SIGMA is more important than ever, just to navigate all the subtleties and all the layers of regulation that exist now that did not even exist when I first met you down in New Orleans, when we were so compelled to get involved based on your vision of GDPR and national legislation coming to America, the existing legislation that was already there historically, HIPAA, SOX, Gramm-Leach, and everything else, and now all the states, as you well laid out, starting with California, and three other states have already passed it. Other states are already in line to come after that. It is more critical than ever to get involved. I mean, roll up your sleeves and get really involved, get certified to the i-SIGMA certifications, because we need you, Bob. We need your great organization to help us navigate these very difficult, complicated new waters that we are all floating on, and if we mess up, the consequences to ourselves as companies and our clients could be disastrous. Could be disastrous. Then you have job security like nothing else. I know how well you keep yourself physically fit, so I know that for the next forty or fifty years you have plenty to do here to keep us all on the right side of these very, very complicated nuances and laws. Thank gosh I know how healthy you are, because there is so much to do. So much to do. I really want to share with our listeners again Bob's great book, Information Disposition: A Practical Guide to the Secure and Compliant Disposal of Records, Media, and IT Assets; it is on Amazon. I recommend not only getting it as a resource for yourself but also sharing it with the leadership of your company and with some of your key clients; they will be very grateful for that. For our listeners out there also, to find Bob and i-SIGMA, please go to www.isigmaonline.org. He is Bob Johnson. He is a good friend.
He is literally the godfather of the information security industry. Bob, you are making an important impact on the world and making the world a better and safer place. I am very grateful for you coming on the Impact Podcast today.

Bob: Well, thank you for having me, John. It was an honor.