Comments are In: New Certification Specifications Ready for Rollout

August 12, 2020

For the past month, i-SIGMA has sought industry feedback on several proposed modifications to NAID AAA and PRISM Privacy+ Certification requirements.

“It was reassuring to learn members understood why the proposed modifications were necessary,” said i-SIGMA CEO Bob Johnson. “I think the team did a great job of making the case. There was no push back.”

On the need for the changes, Johnson said, “Our commitment to clients and service providers is that our certifications verify regulatory compliance as well as security. Going even one year without responding to regulatory modifications is not an option.”

Breach Response Time Reduced: The timeframe which service providers must notify clients of any potential data breach has been reduced from 60-days to immediately upon discovery. Again, this is not arbitrary but in keeping with global regulatory requirements. This change only affects NAID AAA Certification since it was already approved for PRISM Privacy+ Certification.

Data Subject Response Policy Required: Service providers must also add a policy and procedure for responding to Data Subject requests. As described in the comment form, Data Subjects now have the authority to request information from a Data Processor, such requests cannot be ignored. NAID AAA and PRISM Privacy+ Certified firms will be given advice on a range of possible responses. The important thing for service providers to note is that failure to respond to such requests in some way is not an option under emerging regulations.

Two other proposed modifications require service providers to have a policy and procedure for controlling photographic capabilities in and around client media and a method to verify service vehicle locations when in possession of client media. Again, i-SIGMA members will be informed of a wide range of practical implementation models.

None of the proposed requirements impose an additional economic burden on service providers.

Effective and Enforcement Dates

In the coming weeks, NAID AAA and PRISM Privacy+ Certified firms will receive detailed guidance regarding compliance, including detail options. Certified locations will be expected to implement the prescribed changes by October 1, however, until the end of the year, non-compliance will be remedied by further guidance.

At this point in time, i-SIGMA conducts both scheduled and unannounced onsite certification audits, requiring mutual consent for scheduled audits. During the outbreak, unannounced surveillance of both facility operations and service vehicles has been increased.