The importance of “Vendor Due Diligence” | Data Destruction
Most Data Privacy laws require that if you use a 3rd party service provider
you must perform “Vendor Due Diligence”.
A great example of specific regulatory due diligence requirements is the Office of the Controller of the Currency’s (OCC) Guidance letter to all banks concerning the risk management of third party relationships
Requirement1: Vendor Selection: Relying solely on experience with or prior knowledge of the third party is not adequate You must perform an in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.
BTTF Response: We are NAID AAA secure data destruction certified: NAID certification is a recognized industry standard for the secure handling and destruction of sensitive information. This certification is an important “due diligence” document. The certification must be renewed annually and requires successfully passing an independent third party audit.
Requirement 2: Legal and Regulatory Compliance: Evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the bank to remain compliant with domestic and international laws and regulations. Check compliance status with regulators and self-regulatory organizations as appropriate.
BTTF Response: We are a NJ State and Federal EPA permitted universal waste consumer electronics processing destination facility. 25 State environmental laws requires that the recycling of all to be disposed of electronics be performed by an authorized recycler. NJ and CT environmental regulations require a state issued Universal Waste processing permit to recycle electronics. Hard drive shredding, crushing or any other form of processing requires the DEP issued permit. We provide certification of NIST “Guidelines for Media Sanitization” compliance: Federal data privacy laws such as GLB, Facta and HIPAA require the destruction of sensitive data prior to the disposal of the data media. Destruction must meet NIST “Guidelines for Media Sanitization
Requirement 3: Business Experience and Reputation: Evaluate the third party’s depth of resources and previous experience providing the specific activity. Assess the third party’s reputation, including history of customer complaints or litigation. Determine how long the third party has been in business, its market share for the activities, and whether there have been significant changes in the activities offered or in its business model. Conduct reference checks with external organizations and agencies such as the industry associations,
BTTF Response: BTTF was one of the original founders of the Secure Data Destruction industry. We were the first licensed electronic recycling business in the US to receive NAID AAA secure data destruction certification. Today we support over 1000 clients in the Northeast US and have a 70% market share of all NJ community banks and hospitals. We can provide extensive industry reference lists upon request.
Requirement 4: Insurance Coverage: Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents
BTTF Response: We provide Certificate of Insurances. In addition to standard insurances we maintain $5M Insurance coverage for: Employee Dishonesty, Professional Liability and Pollution insurances
100% of our client quality control surveys rate both our pre-project and
post-project communications as “Excellent”
92% of our new client quality control surveys have been returned marked “exceeded expectations”.
Why not get a project price quote and find out how inexpensive great service can be?