We’ve likely all been there, right? You’ve just bought a new computer or phone, made certain it was installed correctly, following every bit of instruction down to the letter. And then, you let it be, hoping this new bit of technology is just as easy as it advertises on the box.

And yet, there it is–the telltale ERROR message that has you spending hours online, trying to figure out what exactly went wrong and what you need to do to fix it.

The fact is that technology isn’t foolproof, regardless of how seamless it claims to be, and even if it’s installed correctly, there is always a chance that it may fail at some point or another.

So, what do you do when this technology happens to be the Closed-Circuit Television (CCTV) that is required by your NAID AAA Certification? What should be your next step when there is a loss of data or outage outside of your control?

Well, thankfully, the i-SIGMA Certification team has a contingency for this exact situation so that you and your facility can avoid any issues with regards to maintaining your certification should this untimely event happen in the future.

But first, let’s start by both defining what is expected of a NAID AAA Certification with regards to CCTV monitoring and what an outage would look like.

CCTV Coverage and Outages

To be found in compliance with NAID AAA standards, all Facility-based operations are required to have a CCTV system that monitors all access points into the secure building/area in which confidential material is received, staged, processed and/or destroyed. Additionally, there should be enough clarity and lighting to identify both the people within frame as well as their activities, and recordings of these activities must be retained for 90 consecutive days.

Conversely, an outage of CCTV coverage is considered by NAID AAA Certification standards to be any issue that would result in a loss of data within this timeframe. As in, anything that causes the CCTV to lose footage or become corrupted? That would be an outage!

So, I Have Experienced an Outage. What Next?

If you happen to notice an outage of your CCTV coverage, the solution is simple; although, you must act fast! To still be considered NAID AAA compliant, you must provide notice of the outage to i-SIGMA’s Certification staff within 48 hours of its discovery.

You can do this either by calling any of our Certification staff (602-788-6243) or emailing the Certification inbox. Then, a Certification staff member will note this in our system so that any auditors are aware of the outage, and it will not be counted against you in a future audit.

Additionally, this outage procedure must be outlined in your policies and procedures to be considered in full compliance.

It’s that simple, really! By following these procedures, your business can proudly maintain its certification status without being at the mercy of technology’s failures and avoid any fines that may come alongside it.

Written by: Victoria Vale, i-SIGMA Certification Associate

The post CCTV Outages and How to Report Them appeared first on i-SIGMA.

Dear i-SIGMA Members,

I’m writing to inform you about a significant update from the Securities and Exchange Commission (SEC) regarding cybersecurity disclosures for public companies. The new rules will require registrants to disclose material cybersecurity incidents and provide annual disclosures on their cybersecurity risk management, strategy, and governance. As a non-profit supporting information governance professionals, we understand the importance of proper policies and procedures that protect sensitive information. This new requirement has been introduced, aiming to enhance transparency and accountability in the face of cybersecurity incidents. As part of the regulatory changes, registrants will now be required to disclose any material cybersecurity incidents on the recently introduced Item 1.05 of Form 8-K. Under these rules, registrants must promptly report the nature, scope, timing, and material impact of such incidents. In most cases, the disclosure on Form 8-K will be due within four business days of identifying the incident’s materiality. Moreover, these new regulations also introduce Regulation S-K Item 106, which mandates registrants to provide detailed insights into their processes for assessing, identifying, and managing material risks arising from cybersecurity threats. This includes disclosures of the board of directors’ oversight and management’s role and expertise in handling cybersecurity risks.

i-SIGMA members prioritize safeguarding sensitive data, these disclosures will become a mandatory part of an organization’s annual reports. With these changes, the government is striving to strengthen cybersecurity practices and ensure that organizations are prepared to tackle potential threats effectively. Together, let’s uphold a secure and resilient business environment for all the clients we serve.

Thanks, Nate

You can read the full press release from the SEC here >>

The post SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies appeared first on i-SIGMA.

Running a business can be a daunting task, especially when it comes to ensuring compliance with various regulations and laws. Compliance is important not only for legal and ethical reasons but also for the efficiency of your business. By partnering with an i-SIGMA Certified Company who has obtained either their NAID AAA or PRISM Privacy+ Certification, your company is already leagues ahead in terms of compliance. The list below highlights ten things you can do to help run your business more efficiently, all of which are required of i-SIGMA Certified Providers. Find an i-SIGMA Certified Service Provider Here >>

Identify and prioritize compliance requirements

The first step towards efficient compliance is to identify and prioritize the requirements that apply to your business. Depending on your industry and location, you may need to comply with various regulations, such as data privacy laws, labor laws, and tax regulations. Make a list of these requirements and prioritize them based on their importance and impact on your business.

Create a compliance program

Once you have identified the compliance requirements, create a compliance program that outlines the policies and procedures for meeting these requirements. This program should be tailored to your business and should cover all relevant compliance areas. Ensure that all employees are trained on the compliance program, and make sure that it is regularly updated to reflect changes in regulations.

Hire a compliance officer

If your business is large enough, consider hiring a dedicated compliance officer who will oversee the compliance program and ensure that all employees are following the policies and procedures. The compliance officer should have a thorough understanding of the regulations that apply to your business and should be able to keep up with any changes in these regulations.

Use technology to automate compliance tasks

Technology can help you automate many compliance tasks, such as tracking employee hours, filing tax returns, and monitoring data privacy compliance. By automating these tasks, you can reduce the risk of human error and save time and resources. Consider investing in compliance software that can help you manage compliance more efficiently.

Conduct regular compliance audits

Regular compliance audits can help you identify areas where your business may not be meeting regulatory requirements. These audits should be conducted by an independent third party who has expertise in the relevant compliance areas. The findings of the audit should be used to improve the compliance program and make any necessary changes to policies and procedures.

Monitor regulatory changes

Regulatory requirements are constantly changing, and it’s important to stay up-to-date on these changes. Subscribe to regulatory newsletters and attend relevant conferences and events to stay informed about any changes that may impact your business. Update your compliance program and policies as needed to ensure that you are meeting the latest regulatory requirements.

Train employees on compliance

All employees should be trained on the compliance program and the policies and procedures for meeting regulatory requirements. This training should be provided on a regular basis and should cover all relevant compliance areas. Ensure that employees understand the importance of compliance and the consequences of non-compliance.

Implement a whistleblower policy

A whistleblower policy can help you identify and address compliance issues before they become serious problems. This policy should provide employees with a way to report any suspected violations of regulations or company policies without fear of retaliation. Ensure that all employees are aware of the whistleblower policy and understand how to use it.

Maintain accurate records

Accurate record-keeping is essential for compliance. Keep all relevant records, such as financial statements, tax returns, and employee records, organized and up-to-date. Use a secure storage system to protect sensitive information and ensure that only authorized personnel have access to these records.

Seek professional help

If you’re unsure about how to meet regulatory requirements or if you’re facing a compliance issue, seek professional help. Consult with a lawyer or compliance expert who can provide you with guidance and advice on how to meet regulatory requirements and avoid compliance issues.

Compliance is a critical aspect of running a business, and it’s important to ensure that your business is meeting all regulatory requirements. By following the ten steps outlined in this article, with the help of an i-SIGMA Certified Service Provider, you can help run your business more efficiently with compliance and reduce risk.

The post Efficiently Keeping Your Business in Compliance appeared first on i-SIGMA.

• Maximizing the Cares Act Incentives – Webinar
• Maximizing the Cares Act Incentives – Article

Following the webinar, i-SIGMA received a few member inquiries under our Ask the Professionals program and are sharing the responses.

Please Note: i-SIGMA is not a Certified Public Account and is not providing specific legal or accounting advice. We recommend that you reach out to your local tax professional to determine what specifically applies to your business in your local jurisdiction.

Question

Dear Ask the Professionals,

We are excited about adding ERC funds to the PPP money we already qualified for but I’m confused if these funds will be consider taxible income later on. Please advise.

Sincerely,

Tax Ignorant

Answer

Dear Tax Ignorant,

We reached out to CPA Kristina Morgan of Sechler Morgan CPAs PLLC, who advised us of the following:

Nonprofit entities will NOT have to file an amended tax return (other than the required payroll tax return).

For-profit entities WILL have to file an amended tax return for the years they claim the credit. Those amounts will increase the companies’ profits (or reduce losses or carryover losses) and will therefore be taxable.

i-SIGMA also discovered that if a business claims the credit and is not eligible but certifies that they are, this is considered tax fraud. As such, we advise our members to work with a professional to understand the many requirements and calculations that are involved, especially if they also received a PPP Loan(s).

Sincerely,

i-SIGMA & Professionals

Question

Dear Ask the Professionals,

I attended the webinar that i-SIGMA held regarding the Employee Retention Credit (ERC). We have a very small team with only a handful of employees. It seems that most firms want to work with large businesses and are focused only on revenue loss as a basis for applying for the credit. Do you have any information on the other ways of qualifying?

Sincerely

Small But Mighty

Answer

Dear Small But Mighty,

We followed up with Daniel Risen who did the presentation as well as spoke to other members applying for the credit. You are correct that initially, firms assess revenue. However, less than 5% of businesses that have received ERC have qualified under this criteria. (What qualifies? In 2020, if you saw a 50% drop in revenue, compared to the same quarter in 2019, you would be eligible for all of 2020. In 2021, if you saw a 20% reduction in revenue, compared to the same quarter in 2019, you would be eligible for that entire quarter in 2021.

More businesses qualify for ERC via the “Governmental Orders” criteria. If in your state or federally you were affected in your ability to conduct COMMERCE, TRAVEL, or GROUP MEETINGS by the pandemic under certain criteria, you could qualify. A few examples of qualifiers Daniel has seen within our industry in some states include:

1. Supply Chain Disruption
2. Requirement of the company to spend time and money on PPE to clean and sanitize equipment
3. Furloughed Employees
4. Sales were forced to go virtual (if you were unable to attend tradeshows or sales conferences)
5. Employees may not be “active” all day or were forced to perform work outside of their normal job duties

One member did share with us that while his CPA was reluctant to work with him, after approaching another CPA, their business is getting back $250K. His advice was to keep looking for firms who are willing to sit and take the time to work with you!

Sincerely,

i-SIGMA & Professionals

Important: Some experts contend that since our industry was mostly exempted from the shutdown, due to our industry being deemed essential, some businesses may not qualify. We advise our members to work with a professional to understand the many requirements and calculations that are involved with your specific business and local jurisdiction.

The post Ask the Professionals About the Employee Retention Credit (ERC) (US companies) appeared first on i-SIGMA.

What happened that fines are still being assessed and we are still talking about this mayhem?

Morgan Stanley originally hired the moving company, Triple Crown, in 2016 to decommission IT assets from two data centers. It was known that Triple Crown was strictly a moving company and not experienced with electronic data destruction. The contract identified an unnamed e-scrap management company that would sanitise the devices and resell them for a commission, with Morgan Stanley obtaining a cut. It’s become known that early on, Triple Crown stopped working with the unidentified company and began working with AnythingIT without Morgan Stanley’s knowledge. AnythingIT was sold the eletronics with data still on them, having been told by Triple Crown that they had already been wiped. They in turn resold these devises downstream to KruseCom, who either destroyed or sold them on an auction site.

Truly a story in passing the buck and a loss in accountability. Where is the certificate of destruction? Where is the vendor due diligence? There was none, which is why Morgan Stanley is paying dearly.

If you look-up AnythingIT today, you’ll note that they are NAID AAA Certified. There has been some confusion on if this third-party vendor who worked in the Morgan Stanley debactle was certified, how could all of this have happened? As you can see, 1) they were given misinformation and not contracted to do the actual data wiping, AND 2) at the time of them being contracted they were not yet NAID AAA Certified. Since this incident, AnythingIT has become NAID AAA Certified and shown that they in fact DO robust quality best practices, even submitting to unannounced audits.

There are many lessons learned through this incident for everyone, clients and service providers alike.

Morgan Stanley did not take the correct precautions to ensure they hired a reputable service provider, such as a NAID AAA Certified company who would have had rigorous guidelines in place for wiping the hard drives. And it seems that service provider to service provider contracts may have been lacking as well regrading the goods being transferred (do you have language in place when you take acquisition of assets without destroying it?).

Why You Should Earn Your NAID AAA Certification >>

Why You Should Use a NAID AAA Certified Company >>

The post Updates on the Morgan Stanley Data Breach appeared first on i-SIGMA.

As readers already know, the premise of Data Processor certifications has changed. Where once they simply provided a general reassurance that a reputable third party had signed off on the vendor’s practices, now, if properly constructed and managed, those certifications fulfill a client’s regulatory due diligence requirements. Certification has gone from providing a warm and fuzzy intangible, to a very real, tangible benefit.

Another way to look at it is that clients have two options to meet their vendor selection due diligence requirements. 1.) They can review their prospective Data Processors themselves – both initially and ongoing after hiring – against the relevant regulatory and security requirements, or 2.) They can rely on a reputable, bonafide certification program to do it for them.

So, what is this about looking beyond certification?

The fact is, there are two things a certification cannot do… and should not do… which are equally important to a client compliance and/or risk, namely, the quality of their data processor contracts and insurance.

All data protection regulations necessitate a contract between the Data Controller (the client) and the Data Processor (service provider)

I specifically use the word “necessitates” because some U.S. regulations are silent on such contractual engagements, but, in all practicality, the absence of such a contract would almost certainly be deemed negligent. In court the question would be, “Do you mean to justify to the court that you were entrusting this vendor with personal information your firm was required to protect and you had no contract with to hold them accountable?”

Again, for the most part, regulations, even in U.S. do require a Data Controller-Data Processor contract. Furthermore, with data protection regulations now applying to citizens versus territories, the only prudent course is to default to the most rigorous.

Contracts are by nature not something a certification can have much overlap, besides, that is, the obvious overlap of a contract requiring a vendor maintain a certified status. Beyond that, however, a certification cannot (and should not) be expected to stipulate all the various particular issues and clauses that a Data Controller-Data Processor contract would. There are simply too many variables and subtleties.

The same can be said about insurance, and, more specifically, Professional Liability Insurance (PLI). PLI would be the insurance a service provider would rely on to cover the expense on any accident or negligence in the performance of their professional duties. From the Data Controller’s perspective, the availability and quality of PLI are critical, since the insurance is what allows the Data Processor to be held financially responsible.

As a side note, I cannot tell you how many times I have seen Data Controllers passing on financial liability to a Data Processor with no reciprocal requirement for that Data Processor to have PLI. Of course, this stipulation would be useless unless it was accompanied by the Data Controller’s evaluation of the PLI, since there is the strong possibility that the policy has problematic exclusions.

Back to the topic at hand, though, this is exactly the reason a certification cannot simply mandate Data Processor maintain PLI, since the certification cannot evaluate the insurance anymore than it can mandate necessarily specialized, custom contracts.

So what?

Well, for the client requiring certification it means there is more to do, and that there is no shortcut. Contracts and the professional liability of the service provider are always going to be something requiring they get into the weeds.

For the service provider, it means opportunity. Being able to help clients understand and navigate their contract and insurance requirements and risks will both set them apart from their competition as a true professional and earn them the margins they deserve as such a professional.  Looking at it from another angle, it is only a matter of time before clients become aware of these issues. It will certainly reflect more positively if the service provider that has already made it known that they are aware of these issues, or at least is able to respond intelligently, versus simply looking back at the client, shrugging and clueless.

End note for clarity: Contracts fall under both compliance and risk management. Insurance, on the other hand, is not a compliance issue but definitely falls very high on the risk management continuum.

The post Beyond Certification appeared first on i-SIGMA.

In its role as a member-owned organization, i-SIGMA provides a robust repertoire of member benefits, including state-of-the-art contracts and agreements, marketing materials, regulatory intervention, and educational events. Find the full list and details of all i-SIGMA benefits on the association website, and all members are encouraged to review and make use of them.

Certifications: Included among the benefits of i-SIGMA membership benefits is access to information protection’s two leading service provider certifications, NAID AAA and PRISM Privacy+. With the overwhelming majority of its more than 1,200 member-locations holding one or both of those certifications, they are the most success programs i-SIGMA has offered to date.

By now, it is well known that i-SIGMA membership replaces NAID and PRISM International membership at the end of this month, and that going forward the use of NAID and PRISM will be limited to their respective certifications.

A Personal/Business Decision: Over the years, our surveys have consistently shown that the vast majority of non-certified members fully intend to become certified as soon as they can find the time. And whether now is the right time or not, it is critical for those members to know they are still benefiting from the association’s efforts and their contribution to the association continues to promote client education and adoption of their services.

It is also important, however, for non-certified members to take stock. In a matter of weeks, NAID and PRISM will only be associated with each respective certification program. If past surveys are correct, and certification is a future goal, there is no better time to do it than now; thereby maintaining your link to the two most recognized information protection brands in the world.

How to Become Certified: Becoming Certified is not as complicated as some may think.

1. Meet all required specifications as outlined in the i-SIGMA Certification Specifications Reference Manual
2. Submit a completed certification application
3. Successfully complete an initial scheduled audit verifying all aspects of compliance

Contact the i-SIGMA Certification Department for more information.

Written by Bob Johnson | 30 November 2021

The post If Certification is in Your Plans, Now is the Time! appeared first on i-SIGMA.

Titled, “An Act to modernize legislative provisions as regards the protection of personal information”, the regulation was adopted unanimously, on the 21 September, 2021, and applies to all public and private organizations covered by Canada’s primary data protection law the Personal Information Protection and Electronic Document Act (PIPIEDA). The effective date is on the same date in 2022.

Among the Data Subject (individual) provisions included are:

• Enhanced consent and transparency obligations, requiring that individuals request a copy of any information in an organizations possession and that they be made aware of and be provided the right to opt-in to all uses of their information at their sole discretion.
• Introducing the “right to be forgotten,” which means individuals have the right to request their information be permanently deleted by an organization if there is no legal reason to retain it.

The new regulation also has teeth, moving away from an Ombudsman model where the regulator makes recommendations to organizations, it calls for the imposition of fines that include CA$50,000 for individuals and the greater of CA$10 million or 2% of the global turnover from the previous year for organizations. Where a violation constitutes an offence under the Act, fines may be imposed of up to CA$100,000 for an individual and $25 million or 4% for an organization global turnover of the previous year.

The post Data Subject Protections Continue to Drive New Privacy Laws appeared first on i-SIGMA.

Why Did i-SIGMA Create This Service?

All data protection regulations require clients to demonstrate initial and ongoing due diligence when selecting third-party service providers to process personal information. The key word there is “demonstrate.” In fact, when a large investment firm was recently fined after its discarded electronics exposed personal information about its clients, the judgment was based on the fact that they failed to employ “adequate due diligence in selecting a vendor and monitoring its performance.”  This new, free service from i-SIGMA helps organizations fulfill that regulatory obligation by sending out comprehensive compliance reports detailing the qualifications of vendors offering records storage, imaging, scanning, secure shredding, and electronic media recycling.

Of course, the challenge to clients (such as the investment firm) of complying with such regulations is that, 1) they rarely have the bandwidth to perform such due diligence and, 2) even if they did have the bandwidth, they can hardly be expected to know what to look at. Enter i-SIGMA certification programs, which are not only designed to review the relevant regulatory and security overlap, but to do so on an ongoing basis. 

By obtaining the automatic reports issued by the i-SIGMA Compliance Monitoring Service, the client has evidence by which they can demonstrate both initial and ongoing compliance of their service provider. In short, the client themselves gets the tangible benefit of being able to demonstrate their own vendor-selection compliance requirements. 

“We began the service when customers requested that we email them alerts when their service provider renewed or lapsed,” says i-SIGMA CEO Bob Johnson.

“Now, we’ve taken that concept a step further. The service is based on the fact that many data controllers are required to demonstrate initial and ongoing due diligence when they use data-related service providers,” Johnson continues. “And, because NAID AAA and PRISM Privacy+ Certifications address the relevant security vulnerabilities and regulatory overlap, the information verified during audits mirrors what that due diligence should look like.” 

“Essentially,” Johnson added, “they’re supposed to do it, but often don’t what to look at or don’t take the time, so we can do it for them even better than they can.” 

Clearly, any client will see the value of obtaining this free report, and once they are aware it is available will come to insist on it. 

Users of the service will first be brought to a welcome screen, and next will be able to choose their provider that they wish to monitor (as shown below). If the user does not have a provider in mind, they can also find a local service provider.

Once the user has selected their service provider, all they have to do is enter their email address (stored anonymously). The report will show up in the user’s inbox within minutes. Future reports will be sent annually as each company renews its certification and whenever they make changes in their serviceswhich may impact the details of their certification on file.

i-SIGMA is very excited to announce and roll out this eagerly awaited program. For information on certification programs, contact: certification@isigmaonline.org. For technical assistance regarding this tool, please contact: webhelp@isigmaonline.org.

Use the Compliance Monitoring Service Now >>

The post The i-SIGMA Compliance Monitoring Service Has Arrived appeared first on i-SIGMA.

(This blog is provided for perspective only and not to be taken as legal advice)

As I often remind service providers, though i-SIGMA certifications (NAID AAA/PRISM Privacy+) require drug screening prior to hiring, and either ongoing drug screening or training to recognize substance abuse, the certifications themselves do not prescribe how service providers respond to the results of those screens.

The point of the screening is so that service providers are aware, and can, as a result, make their own determination on what their own substance abuse policy mandates. Clearly there is a difference between a positive test at hiring and a positive test by a long-standing, contributing employee. Clearly there is a difference as to whether the employee was under the influence at work, or it just showed up on a screen. What the service provider does is up to their policy, and advice from their legal counsel (ideally an employment lawyer.)

Enter the fact that marijuana is now legal in a growing number of states.

Presently, in the states of Montana, Maine, Nevada, New York, and New Jersey, not hiring an individual on the basis of recreational marijuana use is considered discriminatory. The same thing goes for cities such as Atlanta, New York City, Philadelphia, Washington DC, Rochester, NY, and Richmond, VA. Then there are another twenty states that have enacted laws protecting employment rights of medical marijuana users.

So what?

One: You need to comply with the anti-discrimination laws. If your state or city is or becomes a place where marijuana use is legal, you could risk a discrimination suit if you’re not prepared.

Two: It is no secret that we are entering a tight employment market. I get a call a week from someone asking if others are having the same trouble as they are attracting and keeping good help. Legal use of marijuana is growing, and like it or not, there is an increasing chance that prospective hires using it recreationally will turn up at your door. I’m not telling anyone what to do, but you need a plan that is non-discriminatory and that does not deny you a potentially good employee at a time when finding them is tough.

Note: Most states do shield such employers from marijuana-use discrimination where those employers are required to follow federal drug-testing mandates.

Written by Bob Johnson | 9 June 2021

The post Legal Marijuana Raises Drug Screening Questions and Risks appeared first on i-SIGMA.