Our customers are some of the largest companies in the world. Their trust, in the physical and data security environment for the equipment they deploy in our data centers, is very important to us. We are committed to improving our resilience, building our capabilities, and cultivating a culture of agility, speed and focus on the customer and end user experience.
Equinix’s Global Chief Information Security Officer, in partnership with our Chief Privacy Officer, leads our ongoing efforts to apply policies and procedures that enable us to maintain the highest levels of data security across our global platform of systems and applications and, as part of that, to ensure we comply with all applicable and evolving data privacy laws in the countries in which we operate. As far as data privacy is concerned, the personal data that Equinix is responsible for is not unlike the standard set of personal data that most companies maintain. We have implemented a comprehensive data privacy compliance program for that personal data, with the aim of inspiring confidence in our employees and customers and helping to manage any reputational risk. Equinix does not own or manage our customers’ data, whether stored on their servers or transmitted within our IBXs, but we actively work to support them in their own data management and security practices, to facilitate their own compliance in these areas.
In 2021, our Privacy Office continued to make progress on its data privacy compliance program, with the goal to fully embed the concepts of privacy by design into new system deployments and business process improvements across the business.
Equinix has implemented and maintains a data privacy compliance program that is designed to meet the requirements of the European Union (EU) General Data Protection Regulation (GDPR). In anticipation of evolving global data privacy regulations, we have continued to enhance data privacy measures in existing markets and proactively implement compliance models that meet GDPR-like requirements in new markets. This proactive approach allows us to meet local requirements as they arise. In Brazil, because the controls were already in place, we quickly met the requirements of the GDPR equivalent there, the Brazilian General Data Protection Law (LGPD), when it became fully enforceable in August 2021.
As a global company, Equinix closely monitors developments in data localization and data sovereignty requirements. We are committed to operating in a responsible manner and work to keep ahead of emerging discussions and regulations. We are actively working to comply with the requirements that followed the Schrems II ruling regarding the safe transfer of personal data from Europe to the rest of the world, in line with the time frames prescribed by the EU.
Our data security policies, programs and protocols are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the NIST Special Publication 800-53 security controls, and we have achieved certification against the ISO/IEC 27001 Information Security Management standard, with our controls implemented in line with the ISO/IEC 27002 code of practice. We are an early adopter of the Cybersecurity Maturity Model Certification (CMMC) requirements for contracting with the U.S. federal government and its agencies, and are preparing for certification once the program is finalized and released by the responsible government authority.
Information Security programs are approved by the Executive Leadership Team, reported quarterly to the Audit Committee of the Board of Directors and managed as part of Golden Fortress, a set of 12 cybersecurity programs focused on building greater security and resiliency at Equinix. We are fully compliant with the Sarbanes-Oxley Act (SOX).
Our Security Policy Statement will be made available to all customers on a planned secure portal with authenticated access. To ensure that our information security management is fully integrated and supports all business requirements, our Chief Information Security Officer defines and implements security-related policies, all aligned to the NIST framework, which are reviewed and endorsed annually by the Information Security Governance Committee, a committee of senior and executive management that governs information security programs, and by the Nominating and Governance Committee. All Equinix managers, employees and contractors are trained on these policies and are responsible for complying with them.
Zero Trust principles are grounded in least-privilege access and continuous authorization, supported by machine learning-based analytics. Equinix’s philosophy is that an organization should not automatically trust anything inside or outside its security perimeter, and should continuously validate everyone and everything trying to gain access. By enabling Zero Trust principles and controls through our security platform, we strengthen our security posture and our customers’ confidence in our commitment to security. We recognize that the global threat landscape is continuously evolving and that threat actors’ tactics continue to mature. The collective intelligence of our cybersecurity platform allows us to continuously evaluate threats and vulnerabilities, with the agility to adapt our controls as appropriate. In 2020, Equinix deployed a governance, risk and compliance (GRC) platform for information security policy management and self-attestation of common controls.
The trust of our employees is critical to our success, and we want to be fully transparent with them about their personal data and how we handle it. In 2021, we prepared and shared a new Data Privacy Notice with all employees globally that meets all local regulatory requirements while sending a globally consistent message. This notice details how Equinix processes employee personal data, for what purpose and how we keep it secure, and it gives employees the opportunity to ask questions and exercise their regulatory rights, where applicable. We plan to refresh this Data Privacy Notice on a periodic basis.
In 2021, we focused on bringing the core capabilities of our security operations, security awareness and incident response teams in-house. We have established Equinix as a security destination of choice for customers and IT professionals and are committed to continuing to build our talent and security capabilities. While growing our investments in security governance, controls and in-house people, we have emphasized the importance of diversity and inclusivity within the organization. Our teams have strong capabilities aligned with the NIST controls most relevant to our business, while also reflecting our culture of belonging and trust.
We conduct regular employee training on how to spot suspicious activity and educate our employees on potential data privacy and security risks.
In 2021, we launched a dedicated online data privacy training module, focused on GDPR requirements, for employees and managers who handle personal data within their scope of responsibility, approximately 30% of the employee base. This module sits between the data privacy components of the Code of Ethics training that all employees undertake and the departmental training exercises that address specific aspects of data privacy compliance, such as marketing consent management and breach notification and management.
The Information Security team regularly exercises our incident response plan. The exercises use playbooks for responding to data breach scenarios ranging from insider risk to external unauthorized access. These playbooks are based on real incidents that we have effectively managed, as well as on tactics used by threat actors. The enhanced playbook accelerates our response by identifying in advance the disclosure requirements that would be triggered and the external authorities, vendors and internal functions that must be notified in the event of a breach.