Information security is one of the biggest challenges facing our society today:  How do I protect my personal data? How much information should I give away? Just this week, Experian announced a new program that would provide consumers who opt in a modest boost to their credit score — a potential boon to those with subprime credit. The catch? You must give Experian access to your bank records and utility payment histories.

Consumer advocates are rightfully concerned: few have forgotten the 2017 Equifax breach, in which upwards of 150 million Americans saw their personal information blown away with the wind.

Frankly, you were probably one of them.

With entire swaths of our personal lives stored online, tucked away in server farms we will never lay eyes on, what little control we still have is at risk of eroding for good. This is our new reality.

In an effort to curb consumer data loss, numerous information security acts have been passed. For businesses in the healthcare, banking, finance, and insurance industries especially, corporate responsibility has never been greater. Maintaining compliance with all state, federal, and yes, even international, regulations must be a top-to-bottom priority. Period. Non-compliance with these mandates carries stiff penalties, up to and including jail time.

Considering all that is at risk, do you know which regulations apply to you? Moreover, in order to comply with the letter of these laws, are you fully aware of what your technology needs are?

Let’s take a look at the most prominent information security mandates on the books, what each individual Act regulates, and who it pertains to — bearing in mind that some companies may fall under the scope of more than one.

For each mandate below: what it regulates, and who it affects.

HIPAA (Health Insurance Portability and Accountability Act)
What it regulates: HIPAA is a bill in two parts. Title I establishes health coverage continuity and protections for American workers and their families. Title II protects individual patient privacy, and requires organizations to implement electronic security protocols to ensure the confidentiality of protected health information (PHI) and prevent patient data loss.
Who it affects: Any company, organization, or office that handles PHI. This includes, but is not limited to, “covered entities” such as healthcare providers, healthcare clearinghouses, insurers and health plans, and any school or employer with access to PHI, as well as “business associates” (e.g. subcontractors or vendors) of a covered entity.

Payment Card Industry Data Security Standard (PCI-DSS)
What it regulates: These 12 requirements “set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”
Who it affects: PCI DSS applies to “all entities involved in payment card processing — including merchants, processors, acquirers, issuers, and service providers”, as well as those who “store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Gramm Leach Bliley Act (GLBA)
What it regulates: GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Who it affects: Companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance. In addition to the usual suspects, GLBA might also affect certain auto dealers, mortgage lenders, real estate appraisers, debt collectors, and tax return preparers.

General Data Protection Regulation (GDPR)
What it regulates: This directive is designed to protect EU citizens from privacy and data breaches with increased territorial scope (extraterritorial applicability), penalties for non-compliant entities, strengthened consent conditions, mandatory breach notifications, and expanded data subject rights.
Who it affects: Any company — American corporations included — that collects the personal data or behavioral information of an EU citizen while said citizen is physically located in the European Union. The scope does not extend to data collected from an EU citizen while they are visiting the United States.

New York State Department of Financial Services Cybersecurity Requirements for Financial Institutions (NYDFS)
What it regulates: This act requires financial services companies subject to New York law to adopt robust cybersecurity standards designed to protect customer information, as well as the information technology systems used by these regulated entities. Each company must file an annual certification confirming full compliance with these regulations.
Who it affects: The NYDFS cybersecurity requirements apply to any person or entity operating under, or required to operate under, NYDFS licensure, registration, certification, or any “similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This includes state-chartered banks, licensed lenders, mortgage companies, private bankers, insurance companies, and foreign banks licensed to operate and/or doing business in New York.

Sarbanes Oxley Act (SOX)
What it regulates: SOX, passed in response to a number of high-profile corporate scandals, contains mandatory provisions about corporate governance, financial disclosures, and the willful destruction or falsification of documents in an effort to hinder federal investigators. Companies are required to hold onto financial records for seven years.
Who it affects: This broad act applies to entities across all industries, including U.S. public company boards, privately held companies, non-U.S. companies with a U.S. presence, HR departments, accounting firms, and management companies.

Knowing which regulations apply to your business is only half the battle. Now, you must become compliant.

Implementing the provisions of the acts above can be expensive and time-consuming. From a technological standpoint, many companies struggle to figure out where to begin. Across security, electronic communications, data sharing, and software, maintaining compliance isn't easy. But it probably shouldn't be. A barrier to entry, tough as it might be to climb over, makes it more likely we'll be able to keep consumer data safe.

So how do companies do it? They read Part 2 of this article, and give us a call.

Contact JNT TEK today for guidance on how to establish top-to-bottom IT compliance within your company and adhere to your industry’s security regulations.