Community corrections agencies are responsible for managing sensitive personal data—everything from GPS location and behavioral health records to communications between individuals and their families. Managing this responsibility carefully helps prevent data security issues and supports legal compliance, while maintaining stakeholder confidence.
Agencies can further reduce risk by working with technology providers that meet Service Organization Controls 2® (SOC 2) compliance standards.
If you’re not familiar with SOC 2, here’s what you need to know and why it matters for your agency.
What Is SOC 2 Compliance?
SOC 2 is a voluntary framework developed by the American Institute of Certified Public Accountants (AICPA). It’s used to evaluate how well a company protects customer data. SOC 2 is not mandated by law, but it is widely adopted across industries as a benchmark for data security and operational integrity.
SOC 2 is based on Trust Services Criteria (TSC): Security (required), Availability, Confidentiality, and Integrity.
A SOC 2 Type 1 report looks at whether a company has the right controls in place at a specific point in time. A SOC 2 Type 2 report goes further, reviewing how well those controls perform over time, typically across a 12-month period. The longer-term Type 2 review helps agencies gain confidence that the vendor’s security practices are not only well-defined but consistently applied.
Why Is This Important?
Agencies handle data that includes Personally Identifiable Information (PII), criminal justice records, and behavioral health details. Careful handling of this information helps minimize compliance risks and reinforces confidence among stakeholders.
More specifically, SOC 2 compliance helps agencies:
- Evaluate vendors using a recognized standard
- Ensure consistent data protection practices
- Support procurement decisions with documented security credentials
What Drives Enhanced Data Privacy in Community Corrections?
Supreme Court decisions and recent federal enforcement actions are raising the bar for data privacy:
Carpenter v. United States (2018)
The Supreme Court ruled that law enforcement must obtain a warrant before accessing mobile location data. This affects any system that tracks individuals, such as GPS monitoring or mobile check-ins, and it reinforces the need for privacy safeguards.
FTC Enforcement Actions (2024)
The Federal Trade Commission took action against companies that mishandled sensitive data, including:
- Selling location data without consent
- Sharing behavioral health information with advertisers
- Misusing biometric data
These actions show that vendors serving justice agencies must meet high standards for transparency and consent.
Legislative Trends to Watch
Some states are also introducing laws that demand more transparency and accountability in corrections. These include:
- Public reporting on incidents in custody
- Independent oversight of correctional programs
- Stronger protections for individual rights and data privacy
BI Incorporated: Leading by Example in Data Security
As agencies work to protect sensitive information and comply with new legal standards, it’s important to make operational choices—like vendor management and data access controls—that meet current requirements and help stay ahead of future security needs.
BI Incorporated is proud to share that we’ve successfully achieved SOC 2 Type 1 attestation, receiving a clean opinion from an independent auditor.
This isn’t just a box checked. It’s an independent validation that the security controls and processes implemented by BI meet the rigorous Trust Services Criteria for security, confidentiality, integrity, and availability.
Plus, BI already has a Federal Authority to Operate (ATO) based on NIST 800-53 & FedRAMP standards. For agency partners, this means:
- Independent Validation: Our security controls have been formally reviewed and verified by a trusted third party.
- Stronger Data Protection: Your information is protected by industry-leading security measures that address today’s threats and tomorrow’s challenges.
- Operational Excellence: The processes and governance frameworks used by BI are designed to support high standards for data integrity and availability.
Our Commitment to Operational Excellence
BI is trusted with the most sensitive data, and we don’t take that responsibility lightly. As a partner in data protection, we’re fully invested in strengthening our systems and raising the bar for security—not just meeting expectations but leading by example.
That is exactly why SOC 2 Type 1 attestation isn’t the finish line for us. Our commitment to protecting agency data is ongoing. BI is in the process of pursuing SOC 2 Type 2 attestation, which will validate how our controls perform against the TSC over time and demonstrate our dedication to continuous security excellence.
If your agency is exploring its data security needs, contact us to learn how BI can help you meet today’s standards and build a future-ready foundation for tomorrow.