Data is a double-edged sword.
On the one hand, collecting and analyzing large amounts of employee and consumer data can help companies streamline operations and forecast future trends. But on the other, it leaves them vulnerable to potentially devastating breaches.
After Quest Diagnostics disclosed that the personal, financial and medical information of 11.9 million patients had been exposed through a breach at a third-party billing collections vendor, the company and its partners quickly became the target of multiple class-action suits. Equifax, meanwhile, agreed to a settlement of at least $575 million (potentially up to $700 million) related to its 2017 breach, which exposed the personal information of roughly 147 million people.
To avoid costly lawsuits and remain in compliance with complex state and federal regulations, companies must diligently protect their employee records and customer data.
There are a number of vendors that specialize in helping businesses secure their records. However, not all vendors are created equal: some are invaluable partners, while others are simply not up to the task.
Fortunately, there is now a single organization responsible for setting industry standards. The International Secure Information Governance & Management Association (i-SIGMA) is a nonprofit formed in 2018 by the merger of two leaders in data security: NAID and PRISM International.
NAID & PRISM Merger: Key Takeaways
The merger of NAID and PRISM unifies the effort to protect records across every stage of the data life cycle, from active storage through final destruction.
Both associations retain their individual certification programs, while the new umbrella organization offers a wider range of information management and protection offerings.
We’ve previously discussed the benefits of working with a NAID AAA Certified Vendor to ensure that your data is properly destroyed. Now, let’s take a look at how PRISM safeguards the storage of paper and electronic records.
What is PRISM International?
Just as NAID sets standards for how data is destroyed, PRISM International (Professional Records and Information Services Management) sets standards for how data is stored. PRISM provides guidance on how hard-copy records and off-line removable computer media, such as hard drives or storage disks, should be kept while they are retained.
As many companies understand, archiving records on-site is risky. In addition to consuming valuable office space, the practice weakens physical security and risks running afoul of record-keeping and privacy obligations under legislation such as HIPAA and the Fair and Accurate Credit Transactions Act (FACTA).
Instead, records should be stored in a specialized, climate-controlled, off-site facility, where they are protected against fraud, theft, fire, flood and other natural disasters. The off-site facility itself, however, must be prepared to properly protect those records and maintain the compliance its clients depend on.
That’s where the PRISM International Privacy+ Certification comes in.
How Companies Become PRISM Certified
PRISM offers member companies a number of benefits, including educational opportunities in the rapidly evolving world of data security.
Members who want to demonstrate their commitment to offsite records security are invited to pursue Privacy+ certification, a prestigious international certification program.
The Privacy+ program has a threefold mission:
- To identify leaders in the information security industry
- To share resources and best practices, better enabling facilities to reduce risks
- To reduce the number of breaches at off-site data storage facilities
Like NAID certification, PRISM certification is a rigorous process. To become PRISM certified, companies must have a number of security controls in place. PRISM certification requirements include the following:
- Written security and privacy policies addressing all facets of handling physical records within the facility
- Risk-assessment measures to identify new threats, and mitigation plans
- Background checks on all prospective employees, including criminal, credit, pre-employment and reference checks
- Signed confidentiality agreements with all third-party vendors
- 24/7 monitoring of secure areas and alarms
- Fire detection and suppression systems
- Secure internal networks protected by firewalls, antivirus and anti-malware programs, and external vulnerability scans
Why PRISM Certification is Important
To remain in compliance with state and federal laws, some documents—such as hiring and employee payroll records—must be kept for a number of years. When records are stored securely off-site, companies can reclaim valuable office space and rest assured that they’re protected against both fraud and disasters such as fires and floods.
However, if you choose the wrong facility, you put your employees and customers at risk—as well as jeopardize the financial wellbeing and future of your business. Data breaches involving both employee and consumer records can result in devastating fines and lawsuits.
Breaches are increasing, and lawyers and courts have taken notice. According to the 2018 Cost of a Data Breach study by IBM Security and the Ponemon Institute, the average cost of a data breach is $3.86 million.
When records and documents aren’t stored securely, they can be a liability for years. Partnering with a PRISM-certified facility helps to ensure that your employees, customers and business are protected.
The Future of Data Security
In a short amount of time, new technologies have allowed companies to collect, store and analyze large amounts of information—and more is on the way. According to research by the International Data Corporation (IDC), the amount of data we generate is growing at 40% a year. While this information presents many opportunities, it also requires diligent security.
Enlisting the help of certified information security partners is one piece of the puzzle. Vendors that hold NAID and PRISM certifications are prepared to help their clients remain compliant in a quickly evolving landscape.
About the author
Jordan Peace serves as the Vice President of Corporate Development for Access. In that role, Mr. Peace leads all merger and acquisition activity, assisting with the onboarding of new acquisition partners and clients.
Mr. Peace has also been an active board member of PRISM International, now i-SIGMA, promoting Privacy+ and NAID standards to members, companies and colleagues in the RIM space since 2017.
Mr. Peace has worked in the records and information management industry for eight years. Before joining Access, he worked as an investment-banking advisor to shredding and records management companies.