There is a lot more to protecting customer privacy than locking down facilities and enforcing strong passwords. It’s about getting the entire organization aligned around information privacy policies and procedures at every level. Iron Mountain recently earned a Privacy+ certification to ensure we are doing all we can as an organization to safeguard customer information.
The term “regulation” has so much negative connotation these days that you would think it’s a bad word. But regulation is only a problem when it is imposed on you, usually as a result of the actions of a few bad choices. Responsible industries regulate themselves. The American Bar Association and the American Medical Association are just two examples of regulatory bodies that are managed by the members. By setting their own high standards and maintaining discipline, they avoid intrusion by government regulators.
Back in 2011, we could clearly see that information privacy was becoming a mounting issue. Cyber security breaches were disclosing the personal records of millions of people, and there was growing popular unease about the privacy implications of social networks. Identity theft was becoming an even bigger challenge.
It was not hard to see that records management firms could be at risk if we didn’t take proactive steps to create a set of industry best practices around information privacy. So we initiated a discussion about the need for certification with PRISM International, the global trade association for information management companies. The hope was that their organization would develop an industry-wide gold standard certification for information privacy.
Regulations can be either a carrot or stick, and we chose the carrot approach. The Privacy+ certification was launched as a voluntary, self-scoring program. It outlines a comprehensive set of practices and controls that records management firms can adopt to demonstrate world-class privacy protection practices. Here’s the list of certification requirements.
Privacy+ encompasses documented plans, policies, training, physical security, disaster prevention and recovery, hiring practices, access controls and much more. It lays out goals for ongoing training and background checks. It even proscribes some job descriptions.
For the first three years, Privacy+ was a voluntary, self-scoring certification. That was a good start, but the program really got teeth last year when PRISM International added a third-party audit requirement. Now it isn’t enough anymore to say you take privacy controls to heart; you have to prove it. Our certification was audited by the respected professional services firm of Ernst & Young.
Privacy+ certification is not inexpensive and is in addition to the cost of the internal control changes we made and the accounting and audit specialists we hired. But I believe the investment was well worth it. Certification gives our customers and prospects the peace of mind of knowing that we comply with best practices as defined by the community of industry records and information management experts.
Certification also has significant business value. Iron Mountain is one of only 30 companies that have earned Privacy+ certification since the audit requirement was enacted. We take pride in this achievement, and that our investment in certification shows that we take privacy seriously.
By the way, Privacy+ is only valid for two years. This sets the bar high for certified companies to keep investing in best practices. I can guarantee you that we will.
Ensure your vendors are prioritizing information privacy. Learn more.