How Orange County Data Centers Ensure Compliance with Industry Standards

  • Updated on January 11, 2026

Compliance with industry standards is, by definition, non-negotiable for any organization that comes under their remit. With that in mind, here is a straightforward guide to how Orange County data centers ensure compliance with industry standards.

What is compliance for data centers?

The term “compliance” refers to the need to obey mandatory data-protection standards. These standards are created and enforced either by industry bodies or by lawmakers.

Industry-specific standards

Industry-specific standards are created by recognized industry bodies and reflect the needs of that industry. For example, PCI DSS was created by the Payment Card Industry Security Standards Council to foster trust in the security of the payment card industry.

As industry-specific standards are laid down by industry bodies rather than lawmakers, they can only be made contractual obligations rather than laws. This limits the extent to which breaches can be penalized. That said, penalties can still be severe.

Legal standards

Legal standards are created by lawmakers and apply to their residents’ data, no matter what industry uses it. Often, the bodies that create these rules mandate that their rules are applied regardless of where in the world the entity using the data is located. There are various mechanisms the lawmakers can use to ensure this happens.

For example, the EU has explicit agreements with certain countries that confirm they will uphold GDPR. The EU also requires any organization that handles EU residents’ data to have a GDPR representative within the territory of the EU. The representative essentially acts as an intermediary between the organization outside the EU and the EU authorities.

As legal standards are set by lawmakers, they can have whatever penalties are set down in the associated law. For example, GDPR allows for prison sentences (although fines are more likely).

Key regulatory standards in Orange County data centers

These are the five key regulatory standards in Orange County data centers.

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

The CCPA grants California residents rights over their personal data, such as the ability to access, delete, and opt out of data sharing. The CPRA, an expansion of CCPA, adds stricter protections, including data minimization and additional security requirements for sensitive personal information.

Health Insurance Portability and Accountability Act (HIPAA)

Data centers hosting protected health information (PHI) must comply with HIPAA’s Security Rule, which mandates administrative, physical, and technical safeguards such as encryption, access controls, and security audits to ensure PHI confidentiality, integrity, and availability.

Payment Card Industry Data Security Standard (PCI DSS)

Data centers that process, store, or transmit credit card information must follow PCI DSS. This includes maintaining a secure network, implementing encryption, and conducting regular security assessments to protect cardholder data from breaches and fraud.

Federal Information Security Modernization Act (FISMA)

If a data center handles federal government data, it must comply with FISMA, which requires strict security measures, risk assessments, and continuous monitoring to protect sensitive government information.

Sarbanes-Oxley Act (SOX)

Public companies storing financial data in data centers must comply with SOX requirements, which enforce strict internal controls, audit trails, and security protocols to prevent data manipulation or fraud.

How DataBank ensures compliance

Here is an overview of the five main ways DataBank ensures compliance.

Comprehensive compliance framework

DataBank has developed a robust compliance framework that encompasses a wide array of standards, including FedRAMP, FISMA, SSAE 18, HIPAA, PCI DSS, GDPR, and the Data Privacy Framework. This extensive coverage ensures that DataBank’s facilities and services meet the stringent requirements of various industries, from federal agencies to healthcare organizations.

Annual independent audits

To maintain transparency and uphold high standards, DataBank commits to performing rigorous annual audits across all its data center facilities. These audits, conducted by independent third parties, assess the effectiveness of their controls and compliance with frameworks like SSAE 18, SOC 1, and SOC 2. Such regular evaluations help identify areas for improvement and ensure continuous adherence to regulatory standards.

Dedicated security and compliance teams

DataBank employs in-house security engineering teams and a Chief Information Security Officer (CISO) dedicated to overseeing infrastructure compliance. These specialized personnel focus on implementing and managing security measures, reducing the burden on clients’ IT staff, and ensuring that up to 80% of mandated compliance controls are effectively addressed.

Certified facilities and services

DataBank’s data centers and services are certified under major compliance frameworks. For instance, DataBank maintains PCI DSS compliance by providing facilities and critical infrastructure that adhere to the standards outlined in DataBank’s annual Report on Compliance (RoC). This certification ensures that DataBank meets or exceeds all audit controls, making DataBank a trusted partner for businesses handling sensitive information.

Client transparency and support

Understanding the complexities of compliance, DataBank offers resources like its “Guide to Data Center Compliance,” which provides overviews of various standards such as FedRAMP, HIPAA, PCI DSS, ISO 27001, SSAE 18, and GDPR. This commitment to client education and support ensures that customers are well-informed and confident in their compliance posture when utilizing DataBank’s services.
