For many businesses, regulatory compliance is a topic that simply cannot be ignored. Handling confidential customer data in all its varied forms has become a routine, even essential, task in almost every industry, and companies that ignore the legal obligations they have to keep that data secure do so at significant peril. In 2018, for instance, the health insurance giant Anthem Inc. was fined a record $16 million by the US government for failing to comply fully with HIPAA standards in the wake of the data breach that occurred in December 2014-January 2015.
While paying out the largest HIPAA fine in history was pocket change for a company that netted almost $4 billion in income the previous year, failing to meet regulatory compliance standards could very easily destroy a smaller company. Failure to comply with PCI DSS standards, for instance, could cost a company between $5,000 and $100,000 every month until the problem is addressed. In addition to the fines themselves, there’s the potential for subsequent lawsuits filed by customers and clients as well as the likelihood of long-term brand damage in the public eye.
Fortunately, data centers are well-positioned to ensure their customers are compliant with the regulatory requirements common to their industries. Understanding what it means for a facility to be compliant is a bit complicated, however, and is often a source of immense confusion.
To demonstrate compliance, data centers must go through a formal procedure by which an accredited or authorized agency assesses and verifies that the facility’s practices are in accordance with the established requirements or standards for the regulation in question. Once this assessment is completed, a data center receives a certificate or attestation that proves its compliance with legal requirements.
Although the terms “certification” and “certificate” are often used interchangeably, they have different meanings in a regulatory context. A data center is generally not “certified” to assess compliance standards. Instead, they must have their operations reviewed by an external agency that is “certified” to perform audits to assess whether or not a data center’s practices meet compliance standards. These agencies receive their “certification” to perform audits from independent accreditation boards or bodies. When a data center is judged to meet regulatory standards, the “certified” agency issues a “certificate” of registration or “attestation” of compliance that allows the facility to prove it is in compliance with legal standards.
For a data center, providing compliance assurances is a matter of transparency and security. By providing infrastructure that meets compliance standards for data security, a facility can help their customers to better mitigate business risks and enhance reporting procedures. The best facilities build their infrastructure from the ground up with compliance in mind rather than viewing it as a “bolt-on” service to be incorporated after the fact.
Here are some of the key certifications/attestations a data center should possess:
A standard governing internal controls over financial reporting, SSAE 18 provides assurances that companies are being forthright with regard to their business and compliance interactions. This standard is especially important for service organizations.
(Note: The SSAE 18 recently changed names and is now referred to within the industry as ISAE 3402 [International Standard on Assurance Engagements]. While it has yet to fully catch on in common business usage, current data center attestations reflect the ISAE 3402.)
SOC 2 audits focus on information security, evaluating a facility’s policies and procedures with regard to security, data availability, processing integrity, confidentiality, and privacy. This standard is essential for evaluating a data center’s security controls.
ISO/IEC 27001 is integral to risk management processes involving private and sensitive data. The international standard assesses how well an organization identifies risks, addresses vulnerabilities, and conducts ongoing training to keep customer information secure.
One of the more well-known compliance standards, HIPAA/HITECH was designed to protect personal health data. As the healthcare industry has become increasingly digitized, safeguarding private data has been a major concern for health providers and insurers.
(Note: With the European Union’s GDPR [General Data Protection Regulation] putting a newfound emphasis on data privacy in all its forms, HIPAA also applies to PII [Personally Identifiable Information] and ePHI [Electronic Protected Health Information]. The specific attestation covering this compliance standard is AT-C 105 & 205.)
PCI DSS 3.2 creates strict controls regarding the handling of personal financial data involved with electronically processed credit card payments. Any company that processes credit card payments or stores financial data electronically is required to comply with PCI DSS 3.2 standards, making it one of the most important attestations for a data center to possess.
Due to the broad scope of regulatory compliance, data centers are quite transparent about what certificates/attestations they have acquired. If a facility is hesitant to provide proof of compliance, they not only might be misleading their customers, but they could very well be breaking the law. By requesting proof of compliance, companies can protect themselves from hefty fines and potential legal action while also gaining the peace of mind that comes from knowing a data center is doing everything in its power to protect their valuable data.