One of the most frequently asked questions is “what types of industry standards have been created.” PRISM International is not a standards-making body. As a result, no de facto standards can be attributed directly to PRISM International, and the term “industry standard” does not really apply in the legal sense of the word. However, a great many standards, rules, regulations, and client initiatives do impact the industry. Some of these are briefly outlined here.
FIRE AND BUILDING CODES
Most countries have adopted fire and building codes of one kind or another. There are numerous fire and building codes promulgating organizations throughout the world (there are competing codes organizations within some countries like the United States) so the whole process of discovering which fire and building codes apply can be confusing. Operators are required to comply with all fire and building codes in force at the location where their facility is constructed. Other codes do not apply; however, for market differentiation reasons or in order to comply with the requirements of some vertical markets, some operators may choose to construct or protect a facility to a higher level than the local codes require. Members of PRISM International can reference a number of guidelines publications to review the general requirements of fire codes for commercial records centers and data protection facilities.
In addition, the National Fire Protection Association (NFPA) of the United States has created NFPA 232, the Standard for the Protection of Records. This standard may not be adopted as a part of the code but it does provide helpful references for both commercial records centers and data protection vault facilities. The standard can be purchased from NFPA at www.nfpa.org.
SPECIAL GOVERNMENT RECORDS STORAGE REQUIREMENTS
Countries vary widely when it comes to the requirements for storing government records information. Some, such as Canada and Denmark, are very progressive with outsourcing to the private sector in order to save money, improve efficiency, etc. Other countries may not permit any outsourcing at all. Most countries fall somewhere in between. In the United States, outsourcing of federal records to private sector storage facilities is permitted, provided the facility meets the requirements established by the National Archives and Records Administration. These standards can be found at 36 CFR 1228(k) and related appendices.
The passage of Sarbanes Oxley in the United States (revising corporate governance principles in public companies) impacted the type of recordkeeping requirements for public companies and impacted private sector storage companies as well. In order to provide data protection services for public companies information system verification may be required–a SAS 70 Audit is the recommended verification method.
Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means. PRISM International offers its members a FACT Act Addendum to help inform clients of their obligations and to incorporate the necessary language into a storage agreement.
Health information must be carefully handled. Changes in HIPAA made in 2009 extend criminal and civil penalties to business associates and require more extensive policies and procedures than was previously the case. PRISM International members may make use of a standard business associate agreement, which incorporates the language recommended by the United States Health and Human Services. In 2010 PRISM International was engaged in a significant campaign to provide clarification for the industry on unnecessary extension of indemnification provisions to business associates and whether minimal service providers may be entitled to the same exemption from business associate status that courier companies enjoy.
GRAMM LEACH BLILEY
Financial service companies also require contractual safeguards that information will be securely maintained, kept confidential, and in the case of any accidental breach that the client will be notified immediately. PRISM International offers its members a special addendum for this as well.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
Credit card processors are now required to comply with the Payment Card Industry Data Security Standard (PCI DSS). As a part of their overall information system, data protection facilities may hold truncated or encrypted data from a merchant processor. PRISM International received clarification directly from the Payment Card Industry Council as to the applicability of the PCI DSS to data protection companies, the conditions under which some conditions apply and audit requirements. PRISM International offers a letter to its members drafted by the PCI Council that can be offered as evidence to clients.
STANDARD STORAGE AND SERVICE AGREEMENT
PRISM International members can take advantage of a standard storage agreement that has been drafted for the benefit of members of the organization. Each member is responsible for reviewing the agreement with their own attorney in order to ensure the agreement meets the requirements of contract law where they are located. Members of PRISM International are sent a disclaimer form prior to receiving a digital copy of the agreement.