Thought Leadership

Data Security: How DATAMARK Protects its Clients

Cyber-attacks and data fraud were included as two of the top five risks CEOs felt they were likely to face when polled at a recent World Economic Forum. As organizations embrace technology at breakneck speeds and increasingly move to cloud-based programs, their developments often outpace their ability to safeguard data, and that comes at a price. Research from IBM shows that the average security breach is $3.86 million globally, with the United States leading the pack at $8.64 million per breach.

Working with government agencies, financial institutions, insurance companies, and large healthcare organizations, DATAMARK knows that the difference isn’t only avoiding catastrophic consequences. Even those with robust data security protocols must sometimes demonstrate their aptitude and controls to win contracts, maintain client relationships, or remain compliant with government regulations. Moreover, when data security expectations exist, they typically impact vendors and contractors every bit as much as they do the company directly responsible for ensuring safeguards are in place.

As a leading business process outsourcing (BPO) company, DATAMARK takes concerns like cyber attacks, data fraud, natural disasters, and even simple human error very seriously and has the expertise to protect a wide variety of organizations across some of the most sensitive industries. But what exactly does that mean? Below, we’ll explore the DATAMARK approach to data security, various frameworks, and compliance guidelines we work with, so it’s easier to see how we keep the data our clients entrust us with safe.

DATAMARK Creates Customized Data Security Plans

With facilities across the globe, including the U.S., Mexico, and India, DATAMARK has developed robust security protocols of our own that typically exceed the needs of incoming clients. However, if your organization needs something more, we’re happy to create a custom solution.

See Our Data Security Measures in Action

As you explore the video of our facility in Juarez, just across the border from our headquarters in El Paso, Texas, you’ll be able to see a number of data security measures already in place. Similar features are integrated into each of our locations, though they’re tailored to the types of data involved and client needs.

Access Controls

Note the badges on each of the employees shown in the video. This layer of protection ensures only those with the right credentials can be in the proximity of data. Employees only get their badges after they’ve passed a background check and completed training.

You’ll also see fingerprint scanners used—a high-tech method of access control that goes well beyond the standard. Rooms and workstations where data is held are only accessible to those who need access to perform their jobs as well. For example, those responsible for sorting mail work in different areas from those performing other back-office tasks.


Data backups are handled according to your needs, be it daily, weekly, monthly, or on any other schedule. We can also hold your data for years if needed for regulatory compliance and/or destroy it on your preferred timeline. This is an essential part of business continuity planning and goes a long way to recover after an unexpected event.

Fire Protection

You may have missed the fire extinguisher on the wall—it was only visible for a moment—but fire protection is yet another way DATAMARK protects your data. We not only install fire extinguishers but train staff on how to use them. Facilities have sprinklers as well. Additionally, some areas are equipped with thermal sensors that identify when a room is warmer than it should be and alert the right team members, so any issues are addressed right away.


“Teachability is one of the core values of DATAMARK,” explains Chris Abilez, a DATAMARK Information Security Specialist. “When it comes to data security, we’re always learning new ways to protect our data and customer data,” he says. This approach helps ensure the team is prepared as new threats emerge.

Documentation and Audits

DATAMARK’s internal team performs regular audits to ensure data security is being addressed to established protocols, but companies often conduct their own audits as well. In these cases, DATAMARK can provide the documentation necessary to prove compliance with specific frameworks and routinely meets with information security and IT professionals from client companies to ensure all needs are being met.

No Matter Your Framework or Requirements, We Can Help

DATAMARK is SOC 2 compliant and abides by all client requirements for compliance and/or certification of 3rd-party regulations including, but not limited to, PCI and HIPAA. Because of this, we’re able to meet the guidelines of virtually any commonly used data security framework.


Otherwise known as Service Organization Control 2, SOC 2 was developed by the American Institute of CPAs (AICPA). Designed to address the data security needs of service providers, especially those which store customer data in the cloud, SOC 2 compliance is built around five trust principles:

  1. Privacy- Aspects such as encryption, two-factor authentication, and access controls that ensure sensitive personal identifiable information (PII) are being managed according to a company’s privacy policy. It locks data down, so only people who need to see it can.
  2. Security- Attributes such as firewalls, intrusion detection, and two-factor authentication prevent unauthorized users from accessing data.
  3. Availability- Considerations such as performance monitoring, security incident handling, and disaster recovery help ensure systems remain online based on service level agreements (SLAs).
  4. Processing Integrity- Aspects such as processing monitoring and quality assurance (QA) processes are designed to ensure the right data is being delivered at the right time.
  5. Confidentiality- Integrations such as firewalls, access controls, and encryption that safeguards sensitive data.


Founded by American Express, Discover, JCB International, MasterCard, and Visa Inc., the Payment Card Industry Security Standards Council (PCI SSC) created the Payment Card Industry Data Security Standard (PCI DSS). Naturally, it addresses organizations’ data security needs that accept their credit cards focuses on six primary goals.

  1. Build and Maintain a Secure Network- Creating custom passwords and security parameters and installing and maintaining firewalls prevents hacker access.
  2. Protect Cardholder Data- Encrypting data on transmission and safeguarding stored data to keep information more secure.
  3. Maintain a Vulnerability Management Program- Developing and maintaining secure systems and applications and leveraging anti-virus software and updating it regularly to address new threats as they arise.
  4. Implement Strong Access Control Measures- Only allowing people who genuinely need access to data to see it through measures like assigning unique logins to staff members and limiting access to systems.
  5. Regularly Monitor and Test Networks- Ensuring cardholder data remains secure by monitoring access and regularly testing systems and processes.
  6. Maintain an Information Security Policy- Creating policies for employees and contractors and ensuring information is shared to keep people aware of threats and work proactively to reduce risk.


The Federal Information Security Management Act of 2002 (FISMA) was the United States government’s first attempt at creating data security protocols for all its agencies. Although each agency is permitted to develop its own processes and procedures, FISMA lays out what they must accomplish with them. Organizations that want to be FISMA-compliant will need to look to the National Institute of Standards and Technology (NIST) framework for security.

  1. Identify- Pinpoint all systems that store or transmit sensitive data.
  2. Protect- Develop and implement safeguards to ensure data remains secure.
  3. Detect- Leverage monitoring programs that will identify threats and incidents.
  4. Respond- Create a comprehensive plan that outlines what your organization will do in the event of a data security incident.
  5. Recover- Establish a plan that outlines how you’ll bring services back online or restore processes in the event of a data security incident.


Healthcare organizations that handle protected health information (PHI) or electronically protected health information (ePHI) are subject to Health Insurance Portability and Accountability Act (HIPAA) regulations. PHI examples include patient names, addresses, account numbers, treatment dates, and patient photos. Even though organizations have some leeway in how they address compliance to the HIPAA Privacy Rule and HIPAA Security Rule, as organizations from the smallest solo practitioner through multinational insurance companies and government agencies will have varying abilities to safeguard ePHI, the U.S. Department of Health and Human Services (HHS) is quite clear on areas that must be addressed.

  1. Risk Analysis and Management- Establishing an ongoing process of continuous checks for potential risks and policies’ evaluations to address them.
  2. Administrative Safeguards- Having a dedicated security official, limiting disclosures to only those who need access, training the workforce on security concerns, and addressing other areas that impact data security from an internal standpoint.
  3. Physical Safeguards- Limiting access to facilities that contain ePHI and having policies and procedures in place related to the secure management of ePHI on workstations and devices.
  4. Technical Safeguards– Establishing access, audit, integrity, and audit controls across a wide variety of mediums.


Those in the healthcare industry may also be concerned about HITRUST certification. Whereas the aforementioned certifications and frameworks were created by insiders within each sector to address their own data security concerns, HITRUST is more of a fusion of multiple data security frameworks. To that end, the group refers to its accreditation as a Common Security Framework (CSF) certification.

The goal of HITRUST is not to be HIPAA-compliant, per se, but rather to have robust data security protocols in place. As organizations earn HITRUST CSF certifications, they also institute all the measures necessary to be compliant with HIPPA guidelines and a host of others, such as FTC, HITECH, PCI, COBIT, and NIST.

Begin Your BPO Journey

Data security is one of the many things DATAMARK naturally integrates into our assessment and planning process, whether a company needs help with a contact center, data capture, digital mailroom, or any number of outsourced back-office solutions. If your organization wants to learn more about how DATAMARK can help you become more profitable and efficient while keeping your data secure, contact us for a complimentary consultation.

Celebrating 30 Years of Exceptional Service