When organizations make the decision to migrate their assets and data into a new environment, one of the first questions they must answer is how their new solution will meet the regulatory compliance standards relevant to their business. Considering that even relatively small organizations can frequently handle confidential customer data, ignoring issues related to compliance can result in severe penalties. In 2018, for instance, the health insurance giant Anthem Inc. was fined a record $16 million by the US government for failing to comply fully with HIPAA standards in the wake of the data breach that occurred in December 2014-January 2015.
Even though paying out the largest HIPAA fine in history was hardly a financial burden for a company that collected nearly $4 billion in revenue the previous year, Anthem suffered severe reputational damage and ultimately paid out an additional $115 million to settle multiple class action lawsuits, to say nothing of the amount spent on legal fees and public relations. For an organization with less market penetration and resources, compliance violations could prove catastrophic.
For organizations that have long relied upon an aging but compliant on-premises infrastructure, moving into a new IT environment can be a frightening prospect. There are legitimate concerns about losing control or visibility over assets, especially when customer data is involved. Finding a colocation data center with a strong commitment to compliance and security can provide the peace of mind organizations need to confidently migrate their tech stack into an environment that will allow them to scale and deliver services more efficiently.
What Industries Have Compliance Regulations?
To put it simply, all of them. That’s because every industry is responsible on some level for handling sensitive data, whether they’re a multi-billion dollar company managing massive troves of personally identifiable information or a freelance artist selling crafts over an ecommerce platform.
Financial institutions, healthcare organizations, and technology companies typically face the stiffest compliance standards due to the sheer volume and diversity of data that passes through their networks. They not only need to make sure that their internal data security controls meet regulatory requirements, but also that their vendors have the right processes and protections in place. If one of those vendors suffers a breach, the company that contracted them will be held responsible for not properly vetting their security controls and ensuring their compliance status.
What is Data Center Compliance?
Fortunately, data centers are well-positioned to ensure their customers are compliant with the regulatory requirements common to their industries. Understanding what it means for a facility to be compliant is a bit complicated, however, and is often a source of immense confusion.
Understanding Data Center Certificates and Attestations
To demonstrate compliance, data centers must go through a formal procedure by which an accredited or authorized agency assesses and verifies that the facility’s practices are in accordance with the established requirements or standards for the regulation in question. Once this assessment is completed, a data center receives a certificate or attestation that proves its compliance with legal requirements.
Although the terms “certification” and “certificate” are often used interchangeably, they have different meanings in a regulatory context. A data center is generally not “certified” to assess compliance standards itself. Instead, it must have its operations reviewed by an external agency that is “certified” to perform audits assessing whether or not the data center’s practices meet compliance standards. These agencies receive their “certification” to perform audits from independent accreditation boards or bodies. When a data center is judged to meet regulatory standards, the “certified” agency issues a “certificate” of registration or an “attestation” of compliance that allows the facility to prove it is in compliance with legal standards.
Data Centers Provide Compliance Peace of Mind
Reputable colocation data centers make their compliance reports available to customers to enhance transparency and prove their commitment to data security. By providing this reassurance, they can better help colocation customers manage operational risks and improve reporting. The highest quality providers build their services and infrastructure around leading compliance standards to ensure that they’re taking proactive steps to protect sensitive data.
When organizations can prove that their data center provider is compliant with the regulatory regimes impacting their business, they can pass those same reassurances along to their partners and customers. They can also rest easy knowing that they’re building networks and hosting applications within a highly secure environment. While they still need to take data privacy seriously and frequently must ensure that their own systems are secure, they don’t have to worry about the integrity of the infrastructure supporting their tech stack.
Data Center Compliances You Need to Know
SSAE 18 (Statement on Standards for Attestation Engagements)
A standard governing internal controls over financial reporting, SSAE 18 provides assurance that companies are being forthright with regard to their business and compliance interactions. This standard is especially important for service organizations and is typically reviewed as part of a SOC 1 report.
SOC 2 Reports (System and Organization Controls)
One of the more important attestations, a SOC 2 report focuses on information security, evaluating a facility’s policies and procedures with regard to security, data availability, processing integrity, confidentiality, and privacy. These requirements, which are covered by the SSAE 18 standard, are essential for evaluating a data center’s security controls.
A SOC 2 report comes in two forms:
- Type I: Audits the effectiveness of security controls in place at a specific point in time.
- Type II: Audits the effectiveness of security controls in place over a designated period of time (usually six to twelve months).
ISO/IEC 27001:2013 (International Organization for Standardization/International Electrotechnical Commission)
ISO/IEC 27001 is an integral component of risk management processes involving private and sensitive data. The international standard assesses how well an organization identifies risks, addresses access and authentication vulnerabilities, and conducts ongoing training to keep customer information secure.
HIPAA/HITECH (Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act)
One of the more well-known compliance standards, HIPAA/HITECH was designed to protect personal health data. As the healthcare industry has become increasingly digitized, safeguarding private data has been a major concern for health providers and insurers.
(Note: With the European Union’s GDPR putting a newfound emphasis on data privacy in all its forms, HIPAA also applies to PII [Personally Identifiable Information] and ePHI [Electronic Protected Health Information]. The specific attestation covering this compliance standard is AT-C 105 & 205.)
PCI DSS 4.0 (Payment Card Industry Data Security Standard)
PCI DSS 4.0 creates strict controls regarding the handling of personal financial data involved with electronically processed credit card payments. Any company that processes credit card payments or stores financial data electronically is required to comply with PCI DSS 4.0 standards, making it one of the most important attestations for a data center to possess.
GDPR (General Data Protection Regulation)
Perhaps the most sweeping data privacy and security law in the world, GDPR went into effect in 2018 and impacts any organization that does business with citizens of the European Union and the UK. The law clarified that EU citizens have a right to determine how their data is handled by organizations, which includes a right to be notified when data is being collected and a “right to be forgotten,” by which they can request to have their data deleted from a company’s records. To help their customers comply with GDPR, data centers must be able to provide systems and protocols that allow EU citizens to access data being held by colocation customers. The law also imposes a number of data security requirements companies must adhere to, regardless of where the relevant data was collected or stored.
CCPA (California Consumer Privacy Act) & CPRA (California Privacy Rights Act)
The strongest consumer data privacy law in the United States, the CCPA went into effect in 2020. Often referred to as the California GDPR, the CCPA clarifies the rights of California residents regarding data collection and usage by most businesses. Since California is home to just over 10 percent of the US population, the law has been treated as a de facto national standard by many organizations and is already being used as a basis for proposed privacy laws in other states. In 2023, the CCPA will be bolstered by the CPRA, which enhances and replaces parts of the original regulation pertaining to the collection and handling of personal information.
Get Compliance Peace of Mind with Evoque
Data center compliance is a major concern for potential colocation customers. Meeting regulatory standards requires a close working relationship between colocation facilities and their customers, so it’s essential that companies know what they can expect from a provider when they migrate their assets into a third-party data center.
Evoque data centers undergo frequent, rigorous audits to ensure that our colocation services and infrastructure meet the leading compliance standards to provide the most secure foundation possible for our customers. We understand the specific data security requirements of multiple industries and closely monitor the latest regulatory developments to help organizations stay a step ahead of changing compliance standards. To learn more about Evoque’s ongoing commitment to compliance, talk to one of our colocation experts today.