Regulatory Climate

One of the most frequently asked questions is “what types of industry standards have been created.” NAID is not a standards-making body. As a result, no defacto standards can be attributed directly to NAID, and the term “industry standard” does not really apply in the legal sense of the word. However, a great many standards, rules, regulations, and client initiatives do impact the industry. Some of these are briefly outlined here.


Most countries have adopted fire and building codes of one kind or another. There are numerous fire and building codes promulgating organizations throughout the world (there are competing codes organizations within some countries like the United States) so the whole process of discovering which fire and building codes apply can be confusing. Operators are required to comply with all fire and building codes in force at the location where their facility is constructed. Other codes do not apply; however, for market differentiation reasons or in order to comply with the requirements of some vertical markets, some operators may choose to construct or protect a facility to a higher level than the local codes require.

In addition, the National Fire Protection Association (NFPA) of the United States has created NFPA 232, the Standard for the Protection of Records. This standard may not be adopted as a part of the code but it does provide helpful references for both commercial records centers and data protection vault facilities. The standard can be purchased from NFPA


Countries vary widely when it comes to the requirements for storing government records information. Some, such as Canada and Denmark, are very progressive with outsourcing to the private sector in order to save money, improve efficiency, etc. Other countries may not permit any outsourcing at all. Most countries fall somewhere in between. In the United States, outsourcing of federal records to private sector storage facilities is permitted, provided the facility meets the requirements established by the National Archives and Records Administration. These standards can be found at 36 CFR 1228(k) and related appendices.


The passage of Sarbanes Oxley in the United States (revising corporate governance principles in public companies) impacted the type of recordkeeping requirements for public companies and impacted private sector storage companies as well. In order to provide data protection services for public companies, information system verification may be required–a SAS 70 Audit is the recommended verification method.


Companies that maintain consumer information (individually identifiable financial information) must take responsibility for properly disposing of this information through shredding or other means. NAID offers its members a FACTA Addendum to help inform clients of their obligations and to incorporate the necessary language into a storage agreement.


Health information must be carefully handled. Changes in HIPAA made in 2009 extend criminal and civil penalties to business associates and require more extensive policies and procedures than was previously the case. NAID members may make use of a standard business associate agreement, which incorporates the language recommended by the United States Health and Human Services.


Financial service companies also require contractual safeguards that information will be securely maintained, kept confidential, and in the case of any accidental breach that the client will be notified immediately. NAID offers its members a special addendum for this as well.


Credit card processors are now required to comply with the Payment Card Industry Data Security Standard (PCI DSS). As a part of their overall information system, data protection facilities may hold truncated or encrypted data from a merchant processor.