Data Compliance Basics You Need to Know
Reviewing the various privacy and compliance requirements for data can have you looking around for an interpreter — pronto. This quick breakdown will help you catch the lingo.
Data privacy laws are evolving dramatically, and those changes are likely to accelerate in the future. For instance, who expected the nearly 20-year-old Sarbanes-Oxley Act (SOX) to get an update that would seriously impact IT departments in 2019? Stricter protocols are emerging across the business landscape, and those concerns are filtering down to IT departments around the world. Understanding these various data privacy and compliance requirements is the first step toward ensuring that they are adequately implemented at your business. This quick primer gives a broad view of the major privacy and compliance concerns, points you to deeper research, and explains how each could potentially impact your business.
2019 SOX Update
After the dot-com bubble burst in 2000, Congress decided that it was time for more progressive rules around financial reporting and internal controls of publicly-traded companies. In the words of the SOX Act itself, it was passed “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws”. Fast-forward to 2019, and Congress has once again decided that greater oversight is needed to protect the public. This update to the Act focuses on the way financial data is stored and on verifying that all of the proper protocols have been followed. According to Section 302, senior officers of the organization must now affirm and certify that their business is in compliance, backed by regular assessments and transparency.
HIPAA Compliance
Healthcare businesses are quite familiar with the basics of HIPAA compliance, such as the requirement that the business appoint a Security Officer in charge of ongoing education and of safeguarding patients’ protected health information. The Department of Health and Human Services maintains these national standards for the protection of certain health information that is either held or transferred in electronic format. A few of the HIPAA compliance requirements include:
- Physical safeguards such as limited facility access and authorized user controls for businesses hosting sensitive data.
- Restrictions on sharing, disposing of and storing electronic personal health records.
- Audit reports and tracking logs for hardware and software.
- Automatic log-off procedures, employee controls and emergency access procedures.
These common-sense recommendations can help organizations protect the sensitive business and personal data that patients entrust to their care.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is considered the gold standard of technology protection, with a focus on proactively providing a comprehensive suite of recommendations for the protection and storage of financial data. The PCI Security Standards Council provides training for internal auditors, payment software vendors and network professionals to ensure organizations are able to securely conduct business with adequate safeguards in place to protect the public. You can find specific requirements on the US Treasury’s website, but the card association rules classify the following as Prohibited Data that must not be stored after a sale under any circumstance: the three- or four-digit code from the reverse side of debit or credit cards, the full contents of a card’s magnetic stripe, and PINs or PIN blocks, even when encrypted.
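As an added illustration (not part of the original article or of any PCI SSC tooling), the following scanner flags the prohibited data categories listed above when they leak into application logs or database dumps: magnetic-stripe track data, card verification codes, PIN blocks, and full card numbers that pass the Luhn check. The log lines are constructed samples, and the card number is the well-known test PAN 4111 1111 1111 1111.

```python
import re

# Constructed sample log lines (not from the article). The PAN is the
# well-known test number 4111 1111 1111 1111; nothing here is real card data.
SAMPLE_LINES = [
    "10:00:01 INFO  order=1001 status=approved last4=1111",
    "10:00:02 DEBUG track2=;4111111111111111=25121011234567890?",
    "10:00:03 DEBUG track1=%B4111111111111111^DOE/JOHN^25121011234567890?",
    "10:00:04 DEBUG auth req cvv=123 pan=4111111111111111",
    "10:00:05 DEBUG pinblock=0412AC89ABCDEF67 (encrypted)",
    "10:00:06 INFO  invoice=1234567890123456 ref=ABC",
]

# Track 2 looks like PAN=expiry...; Track 1 like PAN^NAME^expiry... (magnetic stripe).
TRACK_RE = re.compile(r"\d{13,19}(?:=\d{4}|\^[^^]{2,26}\^\d{4})")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)
PINBLOCK_RE = re.compile(r"\bpin[\s_]*block\s*[:=]\s*[0-9a-f]{16}\b", re.I)


def luhn_ok(digits):
    """Luhn checksum; filters out invoice numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return the categories of prohibited data found on one log line."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track-data")
    if CVV_RE.search(line):
        findings.append("cvv")
    if PINBLOCK_RE.search(line):
        findings.append("pin-block")
    # A full PAN may only be stored under strict controls, so report it too,
    # but only when it passes Luhn, to limit false positives.
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
        findings.append("pan")
    return findings


def scan(lines):
    """Map line index -> findings for every line that contains a hit."""
    hits = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            hits[i] = found
    return hits
```

Run it over the sample lines and only the track, CVV, PIN-block and full-PAN lines are reported; the last4-only line and the 16-digit invoice number are not.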
General Data Protection Regulation (GDPR)
HIPAA covers healthcare data, while PCI DSS and SOX are meant to support the financial and auditing capabilities of a business. GDPR (General Data Protection Regulation) provides similar protections for the personal data of consumers. While GDPR originated in Europe in 2016, many US organizations are still scrambling to provide the level of data protection that will meet its requirements. The goal was to provide a more consistent level of protection for consumers across the EU. In order to be compliant, organizations must anonymize data to protect privacy and provide swift notification of any security or data breach. Perhaps one of the most challenging requirements for business was the need to obtain and manage the consent of individuals for their data to be included in processing. Any organization, regardless of its physical location, that markets to EU residents is subject to the strict privacy policies of the GDPR, making this crucial for many American businesses.
Whether you’re just getting started on business compliance or need an in-depth audit, the knowledgeable security professionals at ECW Network & IT Solutions can help ensure you are meeting the needs of your business and the required compliance factors. Contact us today at (561) 306-2284 for a free initial review of your business security. You can also contact us via chat on our website or learn more about the services that we offer online.