"As one who accepts the adage “I don’t know what I don’t know”, networking with fellow PRISM members has allowed me to simply know more about how to succeed in our industry."
ABOUT THE PRIVACY PLUS PROGRAM
The Privacy+ standards are to be met in connection with the safeguarding of client information contained in paper and electronic records. This self-certification program is offered on a voluntary basis to all PRISM International companies. The objectives are to ensure the privacy of information in a manner consistent with industry standards as well as protect against unauthorized access or use that may result in harm to any consumer.
Purpose
The purpose of the Privacy+ program is to:
- Provide PRISM members a simple means to stay updated and in compliance with evolving laws and regulations that may impact them
- Share resources and best practices in order to help PRISM members reduce privacy breach risks
- Reduce the number of privacy breach incidents caused by members of our industry, thereby:
  - Preserving the reputation and trusted status of our industry
  - Reducing the likelihood and/or severity of government-imposed legislation on our industry
- Improve the value-proposition of becoming and remaining a member of PRISM International
- Enable PRISM members to better compete against non-certified competitors who may not live up to the same standards regarding information privacy
Program Requirements
To become certified, a company must meet the following criteria:
- Create a written information privacy policy.
- Designate a privacy officer.
- Implement administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of client information.
- As required by law, report to its clients any unauthorized use, disclosure or breach of client information of which it becomes aware.
- Ensure that if agents, including subcontractors, are provided access to client information, they are contractually bound to appropriately protect the information.
- Ensure information is protected against unauthorized access.
Legislation and Regulation Informing Requirements
The laws, regulations and standards listed below act as privacy guidelines:
- Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA Privacy Rule
- Payment Card Industry Data Security Standard (PCI DSS)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- Federal Trade Commission (FTC) "Red Flags Rules"
- American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
- Family Educational Rights and Privacy Act (FERPA)
- Fair and Accurate Credit Transaction Act (FACTA)
- State information security laws including 201 CMR 17.00
- European Data Protection Directive
