Understanding and complying with regulations provides companies with business opportunities and reduces risk.
To many, information security looks to be governed by an ever-changing plethora of laws, policies and regulations; each somewhat relevant and apparently originating in a different jurisdiction. If it appears complex, that’s because it is: we are dealing with a non-technical subject, which is open to interpretation, when we talk about compliance and regulation. Further, within a single company, different regulations will apply to different departments — depending on their particular activities, their customers and their physical locations.
In this article, we will provide fundamental concepts of compliance and regulation for data security. We will look at the incentives and disincentives of compliance, and share background on common regulations.
What Are Common Information Security Compliance Regulations?
Compliance regulations often address security and privacy together. As well as laying down directives to safeguard a company’s IT systems and its data from cyber attacks, regulations put a responsibility on companies to protect themselves from accidental breaches. Data regulations also cover paper records in a similar manner to digital records.
With respect to the online and networked data, companies can undertake several actions to protect their systems and their information, including anti-virus software, firewalls, data encryption and intrusion-detection systems. Training employees to use the company’s cybersecurity structures is a prerequisite. Taken together, these actions start a company on its journey towards compliance.
Well-known regulations include the U.S. Federal Information Security Management Act (FISMA), and Europe’s Directive on Security of Network and Information Systems (the NIS Directive). These regulations contain over-arching directives and guidelines, and are relevant for nearly all companies handling data. Similarly, the Payment Card Industry Data Security Standard (PCI DSS) addresses issues related to the use of credit cards in online and offline environments.
Later in this article, we look at some specific regulations in different sectors, including finance, healthcare and education.
If audited, companies must demonstrate they are aware of and are implementing measures to comply with applicable regulations. They must produce evidence, or compliance data, which is a set of all data belonging or related to them that can validate compliance.
What Are the Benefits of Information Security Compliance Regulations?
Benefits accruing from compliance fall broadly into two categories: carrots and sticks.
Carrot: Creating Opportunities to Secure and Enhance the Business
Compliance does not happen in isolation — organizations must work at it. This work provides a framework to secure company systems and data. Demonstrating compliance may cost additional resources, but the end result is a more secure company. This will reassure existing customers and build the company reputation to help attract new customers. In addition, company structure and focus are enhanced when staff responsibilities related to data risks are clearly established.
Stick: Penalties and General Loss of Revenue in Case of Non-Compliance
Penalties for organizations found to be non-compliant depend on the jurisdiction in which the offence occurs. Usually, a spectrum of penalties is available to the regulator/prosecutor, reflecting the seriousness of the failure. On the upper end of the scale, fines can run to millions of dollars and imprisonment of individuals deemed responsible. But penalties on the lower end of the spectrum may be even worse in the long term: publication of judgement. This will likely cause serious reputational damage, reducing a company’s standing among its customers and competitors, and having an obvious impact on the business.
Compliance Regulations You Need to Know
Below we list common data-security regulations by industry. Where relevant, the geographic jurisdiction is stated for each.
Finance Compliance Regulations:
- Gramm-Leach-Bliley Act, U.S.: Also known as the U.S. Financial Modernization Act, it requires companies that offer consumers financial products or services like loans, financial advice or insurance, to explain their information-sharing practices to their customers and safeguard sensitive data.
- Basel II — global: Relevant for large, internationally active banking organizations, these regulations seek to protect against financial and operational risks faced by the banking industry; specifically in terms of internal and external fraud from unauthorized activity, theft, and system security incidents, such as theft of information.
Healthcare Compliance Regulations:
- Health Insurance Portability and Accountability Act (HIPAA). U.S.: This regulation contains both a privacy rule (establishes national standards) and a security rule (technical and non-technical safeguards). It covers clinical applications such as electronic health records (EHR), as well as radiology, pharmacy and laboratory systems
- GDPR, EU: Within the general GDPR, particular attention is given to data within the healthcare sector. National governments are assisting healthcare providers to prepare for when the regulation comes into effect in May 2018.
Education Compliance Regulations:
- Family Educational Rights and Privacy Act (FERPA), U.S.: This Federal law protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Data Protection Act, UK: As with GDPR, the wider Data Protection Act is interpreted and applied to the education sector and those handling data from primary to third level.
Government Compliance Regulations:
- Criminal Justice Information Services (CJIs), U.S.: This security policy covers the lawful use and appropriate protection of criminal justice information.
- Australia Privacy Amendment, Australia: This act was updated in 2017 to address notification of eligible data breaches, so that organizations must inform individuals if their unencrypted data is in danger from a potential breach. This applies to non-government entities also, but is of particular significance to governmental bodies.
In our next article, we look at how companies can work toward identifying and complying with regulations relevant to their sector.
- Federal Information Security Management Act of 2002, Wikipedia
- The Directive on security of network and information systems (NIS Directive), European Commission A comparative guide to data security penalties in 10+ jurisdictions, Lexology
- GDPR Portal: Site Overview, EU GDPR
- Gramm-Leach-Bliley Act, FTC
- Basel Compliance Solutions, SafeNet
- Summary of the HIPAA Security Rule, HHS
- General Data Protection Regulation (GDPR) guidance, NHS
- Family Educational Rights and Privacy Act (FERPA), U.S. Department of Education
- Data Protection and Information Security for the Education Sector, University of Salford
- CJIS Security Policy Resource Center, FBI
- Privacy Amendment (Notifiable Data Breaches) Act 2017, Australian Government