Exclusive Industry Roundtable: An Opportune Time

The Annual Conference of the National Association of Information Destruction (NAID) provided an ideal setting for several of the industry’s leaders to get together for a one-hour discussion of critical issues facing the industry.

A roundtable discussion organized by SDB magazine featured current NAID President Chris Ockenfels, who was installed at the conference, and outgoing President John Bauknight IV.

Also participating were representatives from two of the industry’s largest companies: Vlad Vasak representing Iron Mountain Inc. and Nate Campbell representing Recall. And Tom Thompson of Information Protection Solutions of America (IPSA), a co-operative organization that has been banding smaller regional firms together for joint marketing purposes, also took part.

Participants gathered on the opening day of the conference, which took place in San Antonio April 6-8.

Following is the first of two excerpted portions of the Roundtable, featuring remarks from these industry leaders on the near-term future of the information destruction industry.

CO: I think the opportunities and challenges coincide, in terms of electronic media storage and destruction and what we’re going to do with it. The opportunities are there because it’s a whole new industry. The challenges are making sure that we get it done right.

JB: I think the opportunities remain strong. The industry growth numbers I continue to hear are 20 [percent] to 25 percent per year growth. Our business has been very fortunate to have 200 percent-plus growth for the last five years rolling. I think it’s great.

The weakness side of it is, I guess, that with a growing industry there is a lot of competition and we need to make sure that people are getting into the business and doing things the right way. I think that’s probably the greatest challenge.

TT: I think the growth is phenomenal, I think it’s going to increase so much over the next five years. But I think that the biggest problem is we need to make sure there is standardization. Because if we can’t keep up with quality service and run into problems, we’re going to get government intervention [and] it’s going to be a whole new can of worms opening up.

VV: I think there are a number of things. Serious players, whether they are large or small, are going to do just fine. I think people who understand the business model the way it’s supposed to operate, are going to do fine. People who are looking for get-rich-quick on the back of high paper prices, who maybe are taking short-cuts, I think are playing a dangerous game. There will be a time when they are probably going to suffer for it.

I think I can see ongoing segmentation of the industry sort of along two levels. One is the national service providers who are serving across multiple markets. On the other hand are people who are focusing on single markets and probably offering a different level of service to some extent—the personalized service. I think you’ll see more of that. I don’t think it’s likely you’ll see people being able to do both well.

Legislation is going to definitely be more important. It can be a good thing, but on the other hand, it can also bring a lot more obligation for us and I think it means we’ll have to stand behind what we do and be able to prove and document.

Standards and specs are going to get more important, I think, and regulation is going to be there one way or another, whether it’s mandatory or it’s self-mandated. NAID has been trying to get ANSI (American National Standards Institute)-standardized [and] I think that’s one way to kind of get self-regulated before someone does it for us. Shred size I think is going to be more and more important, and certainly consistency. We’re seeing a lot of inconsistent product, from output of machinery. What’s outside the standard deviation? I think it’s going to be important to us as an industry because it’s going to be what the customer is asking for. Even if people find one check that is unshredded in a ton of paper, it might pass statistical specifications, but to the customer that’s a check that has gone unshredded. So, the consistency more so than people preferring to have a larger shred size is critical.

Vlad Fasak

One of the other things I have seen is the rise of not-for-profits entering this market. I don’t konow where they got the idea, but somehow it’s become a big thing for them. I think on the one hand, they may do okay in certain markets.

The legislative pressure and the liability issues are going to keep rising, and you have to become a lot more responsible as an organization and have liability issues and everything else. They may find that difficult to deal with.

I think watching these industry cowboys operating, I don’t think we’ll ever get rid of industry cowboys, but I think they can be closer to the fringes as opposed to the mainstream of where the industry is going.

Tom Thompson

NC: I think it was always the goal to take this industry from a pool and turn it into an ocean of opportunity. I think from our projections, we see the market potential being well over $2 billion, of which 50 percent is un-vended. That being the case, then obviously there is a ton of opportunity for all of us and there is plenty of space for a lot of different people to be in it.

Legislation has helped grow that, and we see that continuing. But the key to legislation is really going to be the enforcement of it. Until we see somebody brought up on charges, legislation doesn’t mean much yet.

Chris Ockenfels

FACTA starts in June, I think the thing that is important to our industry, I think it is something you should be looking for, unlike HIPAA where you’re just now starting to see people prosecuted for HIPAA violations, it’ll be interesting to see the delay factor before people are brought up on [FACTA] charges.

I think it is a crime. You look at the statistics: $48 billion is where they put the potential identity theft price tag. It’s a crime, and if they can use FACTA to process and enforce that, then we see that as being good.

CO: It’s more the chiropractors and the two-or-three doctor clinics that aren’t following yet. They may do the paperwork, but they don’t do the shredding. They still have all the records stored from the past 30 years. They are the ones that are just doing what they have been told they basically have to. There is still a lot of potential in all those.

But all the cream is gone—all the cherries have been picked. I can say that pretty comfortably, but all the little accounts out there—and there are tremendous amounts of them—are still available with HIPAA.

Nathan Campbell

And going back to what Nate said about legislation, with Gramm-Leach-Bliley Act, they just started prosecuting those violators last year, I believe. There is a two-year curve [with] the Bush Administration, they always give two years for the businesses to comply before they start prosecuting. But once they start to prosecute, you start to get case law, and that’s when the real law comes out. Until there is actual case law, you don’t know what the gray areas are and on which side of the fence the gray areas fall on.

JB: I hear and understand that the HIPAA auditor crew is starting to hit the trail. The issue I think, with part of that side of HIPAA is what is it going to fall back on from a regulation standpoint?

It may be a good thing, because what I understand is that they are going to point towards FACTA, which is the one law that is really on the books now. So, when they look at the enforcement side of it, what is the tool of use? Hopefully, that’s going to be FACTA.

I think Tom mentioned it earlier, if we don’t set the regulations and rules, then the government’s going to come in and do that. Fortunately, with FACTA, we helped craft that.

The other side of it, one of the means we use to measure what people are doing, is that I still get [HIPAA] business associate agreements coming across my desk for a signature from customers who we have been doing business with us for several years. They are just now getting on the bandwagon and doing the right thing getting the agreements out. It’s two years old for large industry, it’s been a year for small business, and we’re still getting a lot of HIPAA agreements coming across. But the enforcement is there.

And the last thing I’ll say, having attended the NAID Canada conference, they are seeing the curve Chris mentioned. We had a couple of folks regarding PIPEDA who came out, law enforcement agents, who had just gone after their first big-time company in Canada. No enforcement penalties, but just two years after the fact now they have gone out and made an example of somebody.

Now they have to get on the bandwagon and, as Nate had mentioned earlier, really bust somebody’s chops.

NC: I think one thing about identity theft that is different than HIPAA is that identity theft is in the news every day.

John Bauknight

Citibank has certainly done an exceptional job bringing identity theft to the front with their commercials with the dubbed voices. They’ve done an exceptional job of bringing it to the forefront of every consumer’s mind.

If consumers are impacted, then obviously it’s going to have a reverberation on business to support that. And in my opinion, one of the biggest differences that I see from HIPAA is that, along with most of the legislation that is done at the state level, is that really there is no enforcement agent going after it. FACTA has the government to do that. It could be sort of like the IRS—they don’t go after everybody, but they pick their points. I think they’ll do that here, that’s Recall’s opinion.

TT: I agree with Chris and saw briefly this morning that there was a box of medical records that fell off a truck in Cleveland. The legislation is going to affect what we’re going to do. But I think the next big impact in our industry is when a private attorney can prove that a corporation let that information get out, and they go back for punitive damages against them. That’s what’s really going to kick it in.

Our industry can be regulated—HIPAA, FACTA, all of this stuff—but when it starts to cost corporations money for other reasons, it’s going to really take off. Plus, it’s just good business to protect your customer’s information.

CO: It is a double-edged sword, though, you realize. Because when certain attorneys out there start filing frivolous lawsuits, its going to help, but, at the same time, the government will also then back up some and protect the corporations a little bit.

VV: To me one of the big differences between HIPAA and FACTA is the fact that FACTA actually is the first one that tells you more than just, "You shall destroy." It’s actually saying you must show due diligence and you have to do XYZ to follow up, which means it’s going a lot further than HIPAA.

When HIPAA was first coming on, there was this mad rush to get a shredding provider. "I don’t care who it is, get the cheapest one, as long as it is a shredding provider. Now I’m HIPAA-compliant," as people used to say. There’s really no such thing as HIPAA-compliant, but that was the catchword.

I think what you’re going to find over the years is that there will be some breaches through, probably, the early service providers. It’s only when there is litigation that comes out of that is HIPAA going to have a second stage where it’s going to be a lot more like FACTA. People are going to be forced to say, "Okay, it doesn’t tell me I have to do due diligence, but I had better do due diligence. "If I contracted with Joe Blow the shredding service and he had a spill and suddenly I went after him, and the guy vanished because the finances of the company were such that the assets are in his in his wife’s name, and there was just no substance behind it, it wasn’t a company of substance. Then I, the hospital, would probably end up getting sued. Therefore, I had better do better due diligence next time around.

I think that’s going to be an evolutionary step.

NC: I would probably concur. I think I would add is that it’s a political item as well. Politicians are jumping on this bandwagon. We saw that in Georgia with SB 475. We saw politicians get on it.

When you see George Bush talk about identity theft, then it’s out there as an issue.

As an industry now, it’s our job to make sure that we support and comply with these actions—that we’re prepared for it. The last thing we need is to have a NAID-certified facility or company be caught in a breach. If that occurs, then that really does degrade what we’re trying to stand for, as we’re making a stand for security. I think that’s important.

JB: It’s specific to information contained on consumer credit reports, and they’d like to broaden that. The FACTA rules authors had to do what Congress gave them the authority to do, but they wanted to broaden that to all personal information. But it is specific to consumer information derived therein. I think it will expand though.

You mentioned the politicians earlier, and now there is the Bank of America deal that hit the news in the last 60 days where the statement tapes were taken. Several congressmen and senators actually had their personal information taken through that whole deal. So, I think it has gotten the attention of the folks it needs to get to, and they’re going to move it up the totem pole quickly. It will be interesting to see what happens here in Texas as well. Texas has a bill pending.

CO: FACTA also reaches out further than people might think, like HIPAA did. Any business that has any kind of medical benefits, any kind of medical reimbursement plan, falls under the HIPAA regulations, and all those records have to be destroyed. So, almost any business that offers benefits to their employees in the form of medical reimbursement accounts has to be HIPAA-compliant as well; they’re a covered entity.

NC: I still see it as a very fragmented business, very low barriers to entry. There are a lot of companies starting off with one truck and a man. As long as you have that barrier to entry being at such a low tipping point, I think you’re going to continue to see consolidation, you’re going to see improvements, but [start-ups] are outpacing any consolidation that is going on right now.

So, I still think that there are more small-to-medium sized businesses than if you aggregated all the Iron Mountains and Recalls and put them together.

VV: Absolutely. If you look at five years ago, we had 200 people at the conference. Now we’re going to have more than 800? It’s interesting, I’ve thought about this and my point was going to be that on a percentage basis, the consolidators own no greater share of the market than they did five years ago; it might actually be less on a percentage basis. The industry is growing much faster than the pace of consolidation.

CO: If I had to hazard a guess, probably for every company consolidated there are probably 10, 12 or 15 starting.

JB: If you look at the numbers for NAID we have had maybe 75 to 100 deals in the past three years, [so] I think the big roll-up’s been done, but look at our membership growth. When that was happening, we had 200-and-some-odd members of NAID, now we’ve got about 550.