Our compliance practices are certified by the experts
Safeguarding our customers’ information is our top priority. We not only abide by the strictest of industry standards, we help set them.
Leadership in the Industry
Our commitment to the protection of our customers’ information has been recognized by our peers in the industry.
- PCI Security Standards Council – We serve on the council and help shape the future development of PCI standards for safeguarding credit card data for thousands of customers across a variety of industries – insight that is critical to the adoption of the PCI standard by other service provider companies.
- National Association for Information Destruction (NAID) – We have taken a leadership role with NAID, helping in the development of standards that focus on operational workflows and security.
- PRISM International (Professional Records & Information Services Management) – We are also founding members of PRISM International, a non-profit organization comprised of service providers like Iron Mountain who supply their customers with physical and digital information protection, access, retention, storage and disposal.
Compliance with Industry Standards
Some of the compliance requirements and industry standards we adhere to are:
- HIPAA Compliance – Iron Mountain has long provided our customers with Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule compliant services in our capacity as a valued Business Associate to numerous HIPAA Covered Entities.
- Sarbanes-Oxley – As a public company, Iron Mountain is required by law to be in compliance with Sarbanes-Oxley, and all of our systems, security procedures and operations are compliant.
- NAID AAA Certification – Iron Mountain’s Secure Shredding service is AAA certified by the National Association for Information Destruction (NAID). Iron Mountain is the largest secure shredding vendor to achieve NAID certification.
- Payment Card Industry (PCI) Data Security Standard Compliance – Our records management, data protection and shredding businesses are all PCI compliant for 2011. Iron Mountain is proud to be recognized on the list of "compliant service providers" published by Visa and is defined as a Level 1 service provider.
- SysTrust Certification – Rigorous audits of our policies, systems and technologies are undertaken by Ernst & Young to earn Iron Mountain’s SysTrust certification.
- Massachusetts Privacy Law (201 CMR 17.00) – Iron Mountain has developed, implemented, and maintains a comprehensive information security program that is reasonably designed to be in compliance with the provisions of Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
- The European Union Data Protection Act – As of August 2011, Iron Mountain re-certified its compliance with the European Union/USA Safe Harbor Framework and with the Swiss/USA Safe Harbor Framework.
- Canada – Personal Information Protection and Electronic Documents Act (PIPEDA) – Iron Mountain Canada Corporation has implemented practices designed to comply with the requirements of PIPEDA.
- U.S. Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule – Iron Mountain has implemented and maintains a program to assist customers that are required to comply with the FACTA Disposal Rule. Except for those records that a customer specifically identifies in writing as not containing consumer information (as defined in 16 CFR Section 682.1) or personal data, reasonable measures are used to protect against unauthorized access to or use of consumer information. Iron Mountain has implemented and monitors compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed. Additionally, Iron Mountain has implemented and monitors compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
- U.S. State Privacy Legislation – Legislation has been enacted in at least 46 states as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands requiring, or further refining the requirement, that companies and/or state agencies disclose to consumers a security breach involving their personal information. To help customers comply with these state laws, Iron Mountain maintains a list of current state legislation regarding breaches of data security and reporting requirements, and has established a process to report personal data privacy and security breaches.