Data privacy was once a concern for either Legal or IT, but this is no longer the case. It’s now a core responsibility for every department in your organization, woven into every process, decision, and system. And in today’s privacy…
When it comes to information security, destroying outdated records is only half the equation. Before documents reach their end-of-life, they often spend years in storage—years during which they must remain secure, private, and compliant with strict data protection laws.
Think of it like this: you wouldn’t buy a house without researching the neighborhood, checking what school zone it’s in, and confirming it’s a good fit for your lifestyle. You’d tour it, ask tough questions, and compare it to other options. Shouldn’t you apply the same level of scrutiny to where your records “live”? While NAID AAA Certification provides peace of mind regarding the destruction of records, PRISM Privacy+ Certification helps ensure they’re stored with just as much care. It’s the gold standard for offsite storage vendors, verifying that your records are housed in secure, compliant, and professionally managed facilities.
You don’t want to learn your storage partner isn’t up to the task after something goes wrong. Vetting their security standards before entrusting them with sensitive records is essential, and that is where the PRISM Privacy+ Certification comes in.
The International Secure Information Governance & Management Association (i-SIGMA) sets and enforces standards for data destruction and records management service providers. Recognized internationally by both the private sector and government organizations, i-SIGMA maintains the most stringent and widely recognized certifications for data security and vendor compliance, including PRISM Privacy+ Certification®.
The PRISM Privacy+ Certification® verifies an offsite storage vendor’s compliance with the complex web of government regulations surrounding information security. Additionally, it ensures that hard-copy records and off-line removable computer media, such as hard drives or storage disks, are handled by the vendor with the utmost care.
Amanda Cavanah, Senior Director of Compliance & Risk Management at Access, explains that the certification serves “to reassure businesses that the service provider operates under strict controls designed to reduce the chances for mishandling of information, which could lead to data breaches. By volunteering to participate in these certification programs, the service provider proves their dedication to holding themselves to the highest standard of data protection and privacy.”
Similar to the requirements for NAID AAA certification, PRISM Privacy+ certification requires companies to have several security checks and balances in place. Offsite storage vendors are required to have:
It isn’t simply a matter of paying a membership fee and attending a seminar. The process to earn this certification is involved, and unannounced audits are expected to ensure ongoing compliance. If a company is discovered to be non-compliant, the Certification Review Board institutes remedial training. However, repeat violations and serious infractions can result in dismissal.

As many records management professionals understand, archiving records onsite is risky business. The practice often fails to meet the security standards required to comply with legislation such as HIPAA, the Computer Fraud and Abuse Act, and the Fair and Accurate Credit Transactions Act (FACTA).
Instead, records should be kept in a climate-controlled, offsite storage facility, where they’re protected against fraud, theft, fires, floods, and natural disasters. However, it’s important that this offsite facility is prepared to properly protect these records. If you fail to thoroughly screen potential partners, you may put your information at risk of a data breach.
If a vendor handling your company’s information experiences a data breach, don’t expect to dodge the consequences. For example, Arietis Health paid a $2.8 million settlement after the protected health information of 1,975,066 individuals was exposed during the 2023 MOVEit Transfer data breach. Although Arietis Health wasn’t hacked, they still failed “to implement reasonable and appropriate data security practices.”
Even when lax information security practices do not result in a data breach, non-compliance fines are a major threat. For example, an Indiana-based healthcare system was fined $800,000 for violating the HIPAA Privacy Rule after a serious mishandling of patient records. In the incident, 71 boxes of medical files were delivered to a doctor’s home and left unattended in a public-facing location for an extended timeframe.
When records and documents aren’t handled properly and stored securely, they can be a liability for years. Partnering with a PRISM Privacy+ certified vendor helps to ensure that your employee, customer, and business data is protected. To ensure it remains protected, Amanda Cavanah recommends using the i-SIGMA Compliance Tracker to monitor the certification status of your selected offsite storage facility.
Inadequate storage practices can expose your organization to compliance risks, data breaches, and legal liability. That’s why it’s critical to partner with an offsite storage provider you can trust.
In addition to maintaining a PRISM Privacy+ certification, Access has earned a variety of industry certifications, including NAID AAA, SOC 2 Type II, SOC 3, NARA, and more.