Compliance Check-in: Are you protecting your information?
For anyone managing personal data or records, compliance is a key component in the success of your information management systems. But, while there are some widely accepted rules, compliance looks different in every industry and at every phase of the information management process, from intake to final destruction.
As we move further into the “information age,” compliance rules will continue to adapt to the way we live, work, and exchange information in our day-to-day lives. That means a key part of information management success is knowing and understanding the privacy and information laws and compliance requirements in your industry segment.
We’ve rounded up a few notes and resources to help you stay up to date. As always, these are not intended as legal advice and we recommend that you consult with an industry professional or compliance expert as you are making updates to your policies and procedures.
What are Compliance Regulations?
The primary goal of compliance regulations is to ensure that businesses and organizations are putting mechanisms in place to safeguard information and data that they collect as a part of their regular operations.
These regulations place a responsibility on companies to protect themselves and their information assets from breaches, attacks, and misuse of information.
Risks of Non-Compliance
As with any set of rules and regulations, there are risks associated with non-compliance when it comes to managing data and information. While the legal and regulatory penalties may vary by industry, jurisdiction, and severity of the offense, the risks of non-compliance are far-reaching.
Long-term impacts of non-compliance include fines, financial losses, security breaches, license revocations, erosion of trust, damaged reputations, and more. As customers, consumers, and patients are asked to hand over more and more data to receive services, they want to know that their privacy is safeguarded and that their providers are trustworthy and compliant.
Compliance Regulations to Know
Depending on your industry and the types of information you collect, there are a variety of standard compliance regulations that you should be aware of.
Gramm-Leach-Bliley Act (GLBA)
This piece of U.S. legislation, also known as the Financial Modernization Act, requires financial institutions to ensure the confidentiality of consumer data they collect and manage. As a part of the implementation of GLBA, the FTC issued the Safeguards Rule outlining compliance requirements for institutions under the jurisdiction of the FTC.
Additionally, the FTC enforced the Privacy of Consumer Information Rule further detailing the specific information that financial institutions were required to disclose to consumers whose data they collect and manage.
Health Insurance Portability and Accountability Act (HIPAA)
Composed of the HIPAA Privacy Rule and the HIPAA Security Rule, these standards, developed by the U.S. Department of Health and Human Services in 1996, are in place to protect the privacy of individually identifiable healthcare information in both hardcopy and electronic formats.
Family Educational Rights and Privacy Act (FERPA)
This federal law was established to protect the privacy of student education records and applies to all schools that receive funding from an applicable program of the U.S. Department of Education.
Payment Card Industry Data Security Standard (PCI DSS)
For businesses collecting payment information, PCI DSS compliance is key. These compliance standards apply to merchant processing as well as online transactions and set out guidelines for protecting payment data and information collected by retailers, businesses, and organizations.
Protecting Personally Identifiable Information
Outside of these industry-specific compliance regulations, businesses collecting and managing any personally identifiable information (PII) should maintain general security and compliance standards. This includes internal employee records, client information and records, banking and payment data, and more.
As a business collecting this information, security and compliance are dependent upon your internal policies and procedures and should be mapped at each stage of the information management process from data intake to final destruction.
How Augusta Data Storage Can Help
Secure Off-Site Records Storage
Whether you’re in need of storage for hard-copy records or a safe place to keep your digital backups and archives, we can help. Our restricted-access facilities are complete with NARA-compliant storage, as well as climate-controlled vault storage, capable of meeting a myriad of information security standards.
Secure Destruction Services
Once you’re ready to remove information from your records or remove outdated data from your systems, our secure destruction solutions are here to help. Our processes are NAID AAA Certified for records destruction and hard drive destruction, ensuring that no matter how you manage your data, we’re keeping it secure through the end of its useful life.
Scanning and Imaging
If you’re making the shift to digital, our scanning and imaging services offer the perfect all-in-one solution to ensure you have all your bases covered in the process. We can securely transport the records to our facility for conversion, archive them in our secure warehouse, and securely purge the records that are no longer needed.
Steps to Increase Organizational Compliance
If your business handles proprietary information on a regular basis, you know that the threat of information theft continues to rise. There are a variety of steps you can take to help increase compliance in your day-to-day operations. Here are a few simple changes you can make today.
- Implement a Clean Desk Policy: A clean desk policy might seem tedious at first, but it has many benefits, the primary one being information security. A “clean desk policy” means keeping paper clutter filed away, which prevents wandering eyes and lost papers from turning into a security breach.
- Invest in Secure Shred Bins for Your Office: Simply having recycling and waste bins does not provide secure disposal for your office waste. Secure shred bins are locked containers where employees can deposit information for secure shredding, ensuring that it is not lost or stolen out of an open container by any of the many people who may pass through your office in a given day.
- Develop a Well-Thought-Out Information Retention Policy: If you don’t already have one, an information retention policy should be at the top of your to-do list for the new year, and if you do have one, make sure you are reviewing and updating it regularly to maintain the highest levels of protection for your information. A good retention policy outlines what happens to your records (both paper and digital) during every phase of the document life cycle. It also identifies who is responsible for managing each step, what should happen during each step, what happens if the procedures aren’t followed, and what your organization’s protocol is in the event of a security breach.
- Stay Educated: As information security risks grow and the threat of hacks increases, the laws and regulations regarding the safety of personal information will evolve to address these risks. Staying up to date on the rules and recommendations for compliance will go a long way toward ensuring that you stay ahead of potential problems and are able to create effective plans to help secure the information you manage.
- Create Security Barriers for Your Digital Assets: When it comes to digital assets, there are many ways that hackers can intercept your information. Some simple steps you can take to protect your organization include assigning unique user IDs and passwords for any accounts that manage information, prohibiting the sharing of user IDs, logging off of all programs and computers when they are not in use, creating strong passwords for all accounts, and using encrypted communications when necessary.