Today’s businesses hold more data than ever before, and with this comes a raft of responsibilities related to how this information is stored, shared, protected and used.
The recent scandals plaguing firms such as Facebook and Cambridge Analytica clearly illustrate what can happen if data is misused, so it’s clear that any firm can suffer severe reputational damage if it fails to look after confidential information.
But there is also the prospect of financial penalties should companies be found to have acted carelessly or unethically. Indeed, in the last few years, the number and complexity of regulations that businesses are required to comply with has increased significantly as authorities seek to take back control of the huge amounts of data now stored on servers and in the cloud around the world. The value of fines issued in light of breaches has also increased, making this more important than ever.
As well as key general data protection rules that every company must be aware of, there is also a range of industry-specific compliance issues that firms will have to take into account.
What is data compliance?
Data compliance refers to any regulations that a business must follow in order to ensure the sensitive digital assets it possesses – usually personally identifiable information and financial details – are guarded against loss, theft and misuse.
These rules come in a number of forms. They may be industry standards, state or federal-level laws or even supra-national regulations such as GDPR, but they will typically spell out what types of data need to be protected, what processes will be considered acceptable under the legislation, and what the penalties will be for firms that fail to follow the rules.
It’s important not to confuse data compliance with data security. These two processes are often bundled together and referred to as though they are interchangeable, but this isn’t the case. While they have the same goal – to minimize and manage the risks businesses are exposed to – compliance only ensures you meet legally mandated minimum standards. Data security, on the other hand, covers all the processes, procedures and technologies that define how you look after sensitive data and guard against breaches.
Just because you’re compliant doesn’t mean you’re secure. Doing the bare minimum may give you some legal protection in the event of a data breach, but it won’t save you from the many other consequences of a security incident, such as financial losses and reputational damage.
GDPR
The European Union’s General Data Protection Regulation (GDPR) is one of the newest and most wide-ranging standards, and it has been hard to ignore over the last year. Coming into force on May 25th 2018, it lays out a range of rules regarding people’s right to know what data businesses hold on them, how companies should go about processing this data, and tighter rules on the reporting of breaches.
It doesn’t just apply to firms based in Europe either. If you do business with any individual subject to the EU’s jurisdiction, you’re required to abide by GDPR’s provisions. While there are many rules within the regulation, the majority can essentially be boiled down to three basic principles: obtaining consent, minimizing the amount of data you hold, and ensuring the rights of data subjects.
It can seem like a big task, but the first step any company needs to take to ensure it is following GDPR is to assign someone to oversee its activities. This individual, the data protection officer, is mandatory in certain organizations that use large amounts of data, and their job is to oversee data protection strategy and implementation to ensure compliance with GDPR requirements.
HIPAA
HIPAA, or more formally the Health Insurance Portability and Accountability Act of 1996, sets out how US organizations that deal with individuals’ healthcare and medical data need to ensure the safety and confidentiality of these records.
As these details are some of the more sensitive records an organization will hold, the penalties for failing to protect this information can be severe. In 2018, for example, insurance provider Anthem agreed to pay a fine of $16 million after a hacking attack exposed the health information of almost 79 million people.
HIPAA requires that all electronic health records are restricted only to those with valid reasons for viewing them, so encryption and strong access controls are a must. The standards not only apply to records when they are within the database, but also when they are being shared, so steps must also be taken to ensure activities such as emails and file transfers are fully monitored, protected and controlled.
A key feature of HIPAA is its requirement for full audit trails that detail every interaction someone has with this data. This means that event log management software is an essential tool for IT staff looking to ensure compliance with these regulations. Such software ensures that full records are automatically kept every time a file is accessed or changed, and can also help alert organizations to potential security breaches as soon as they occur.
PCI DSS
For businesses dealing with customers’ financial information, the Payment Card Industry Data Security Standard (PCI DSS) is a vital part of any compliance process, as it sets out rules regarding how companies handle and protect cardholder data such as credit card numbers.
Unlike the others on this list, PCI DSS isn’t a government-mandated set of rules, but an industry one. However, this doesn’t make it less important, as any company found to be non-compliant with its rules may face heavy fines, or even have relationships with banks or payment processors terminated, making it very difficult for companies to accept card payments.
Even if firms use third-party services for handling card payments, as many businesses both large and small do, it is still the merchant’s responsibility to ensure that any credit or debit card data it gathers, transmits or stores is secure.
The exact steps firms will have to take vary depending on how many transactions they actually process – those with bigger customer bases will face much more stringent requirements – but ultimately, PCI DSS standards require businesses to ensure a certain level of security.
Fortunately, the Payment Card Industry Security Standards Council sets out a series of steps detailing what firms must do to meet these standards. The 12 essential requirements range from having an adequate firewall in place to protect cardholder data (requirement one) to regularly testing systems and processes (requirement 11), so there should be no excuse for not having a clear plan in place for meeting these standards.
SOX
The Sarbanes-Oxley Act of 2002 (SOX) is intended to protect against any repeat of the corporate accounting scandals that engulfed the likes of Enron a few years ago. As such, it’s more about financial reporting than data protection, so IT professionals may dismiss it as less important than some of the other regulations they have to deal with.
However, this is not the case, and IT departments do have clear roles to play in ensuring these requirements are met. For starters, they need to provide assistance to the CEO and CFO by ensuring they receive real-time reporting on the firm’s financials. This means putting systems in place to automate reporting and setting up alerts that can be triggered when key events occur that will require closer attention.
IT teams also need to ensure all records are being properly retained. Therefore, effective and timely backups of key information and document management systems are essential to remaining compliant with these regulations. However, IT teams must also have full visibility into every part of their firm’s digital estate for this to be effective.
Spreadsheets, emails, IMs, recorded phone calls and financial transactions will all need to be preserved for at least five years in case auditors require them, so it’s essential the right management systems are in place.
Ultimately, the job of IT pros when complying with SOX is to ensure recordkeeping and auditing go as smoothly as possible. Tools to automate workflows, manage and monitor data flow and archive and retrieve information quickly will all have key roles to play in this.
CCPA
The California Consumer Privacy Act, or CCPA, was passed into law in 2018 and comes into force from January 1st 2020. This is one of the toughest consumer protections many US-based businesses will face. It has been described as California’s equivalent of GDPR and, while not as demanding as GDPR in areas such as reporting requirements, it is in some respects even tougher than its European counterpart.
For example, it takes a broader view of what is defined as private data, including any information from which inferences can be drawn to create a customer profile that reflects a person’s “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes”.
CCPA compliance won’t be necessary for every business. It only applies to companies that have gross annual revenues above $25 million; those that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.
While that puts many smaller firms out of its scope, it means almost any medium or large organization interacting with customers based in California will be covered. This may make it more relevant to many US firms than GDPR: while some organizations opted to stop doing business in Europe altogether to avoid that regulation, it may be much harder for them to bypass the CCPA, as they don’t have to be based in California, or even have a physical presence in the state, to fall under its provisions.
Potential fines for data breaches are as high as $7,500 per record – and considering many large data breaches in recent years have compromised tens or even hundreds of millions of records, the cost of non-compliance could quickly add up.