Understanding Compliance

Keeping up with compliance standards may seem daunting. The good news is that if you stick to security best practices, you will meet the bulk of compliance requirements by default. On this page, we give an overview of the major compliance frameworks for the United States and Europe. We discuss the core components of each framework, the penalties for non-adherence, and how these frameworks may apply to your specific industry.

As Compliance Becomes Stricter, Companies Must Adapt

Due to the recent explosion in cyberattacks, compliance standards are now being enforced more stringently. It is probable that new rules will be added to current standards to meet evolving threats. Also, entirely new frameworks will be created for industries that lack clear guidance. As compliance requirements pile on, are more stringently enforced, and penalties increase, it will be difficult for those that fall behind now to catch up. However, business owners who stay a step ahead of compliance will be at an advantage.

  • NIST

  • PCI DSS

  • GDPR

  • HIPAA

  • GLBA

The National Institute of Standards and Technology

The NIST Cybersecurity Framework (NIST CSF, often just "NIST"), published by the National Institute of Standards and Technology, is a public resource designed to be used by businesses, government agencies, and non-profit organizations to manage IT security risks and integrate cyber threat information. It pushes organizations toward a culture of "shared responsibility" and helps shift them from a defensive posture to a proactive one. The core material of the framework is organized into 5 "functions":

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

NIST: Risks of Non-Compliance

Taken together, these 5 functions assess and improve an organization's ability to prevent, detect, and respond to cyber attacks. NIST itself is a public framework that any organization can use to strengthen its cyber posture.

No organization enforces compliance with NIST. However, the Federal Information Security Management Act (FISMA) is based on the NIST framework. If your business acts as a contractor for the Department of Defense, you must comply with FISMA. Federal contractors that fail to comply with FISMA risk loss of federal funding, being called for government hearings, and being blocked from participating in future federal contracts.


The Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard created to prevent credit card fraud. Created by the Payment Card Industry Security Standards Council (PCI SSC) in 2004, the standard lays out 252 requirements for merchants handling card data to follow. If your organization handles, processes, stores, or transmits credit card data, you must follow PCI DSS guidelines. The PCI SSC defines cardholder data as the full Primary Account Number (PAN), or any data that contains (1) the cardholder name, (2) the expiration date of the card, and/or (3) the Service Code.

See the PCI Council's FAQ page: https://www.pcicomplianceguide.org/faq/

PCI: Risks of Non-Compliance

Merchants that fail to follow PCI standards increase their liability and risk financial penalties. In the event of a cybercrime, a noncompliant merchant will be on the hook for the amount stolen. This amount could be small, or it could be a catastrophic loss. Additionally, post-incident fines for noncompliance can range from $5,000 to $100,000 per month until the merchant achieves compliance. To make matters worse, the bank/processor may terminate your relationship (ending your ability to process cards) or increase your transaction fees.

Many merchants will roll the dice thinking "it can't happen to me." Yet a single cybercrime incident can cause a catastrophic loss, forcing your business to close its doors. It would be reckless not to insure your home against flood and fire, and many merchants fail to understand that a breach can cause more monetary damage. If you are a merchant, you must view PCI compliance as insurance. Treat your business like you would treat your home -- ensure you're PCI compliant today.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) outlines requirements for how companies that do business in the EU or EEA protect citizens' data. The intention behind GDPR is to increase individual EU/EEA citizens' control over their personal data, and also to define data rights. Effective as of May 25th, 2018, GDPR became model legislation for other privacy laws and shares similarities with the California Consumer Privacy Act (CCPA). The legislation makes clear that its regulations apply to any company handling the personal data of EU citizens. How does it define personal data?

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

As you can see, the definition of "personal data" is broad and essentially encompasses any kind of customer data. Because this definition casts a wide net, we strongly recommend you adhere to all GDPR requirements if you do business in the EU. You can see a checklist of requirements here: https://gdpr.eu/checklist/


GDPR: Risks of Non-Compliance

Failing to comply with GDPR puts your business at risk of severe penalties. GDPR applies regardless of the size of your business: whether your business has 1 employee or 100,000, and whether it does a few hundred dollars in revenue or a few million. If your organization has customers who are EU/EEA citizens, you must comply with GDPR requirements or risk severe penalties. Penalties for non-compliance typically start at 2% of annual global revenue or up to 10 million euros, with the maximum penalty for severe infringements topping out at 4% of annual global revenue or a maximum of 20 million euros.

GDPR has acted as a genesis point for legislation in many other countries. In the United States, the closest regulation is the CCPA. Many other states in the US are following suit. In the coming years, it is probable that similar legislation will be introduced at the Federal level. Even if you do not do business with EU citizens, GDPR is a useful framework. Putting in place policies that would make your organization compliant with GDPR will keep you a step ahead of impending regulations in the United States.


The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a federal statute enacted in 1996 that protects the privacy of personal health information (PHI). The definition of PHI is broad, and encompasses any personal data about a patient that is stored, transmitted, or received. We’ve detailed a list of the types of data covered under the umbrella of PHI in our Data Discovery section.

HIPAA requires that healthcare providers, health plans, and healthcare clearinghouses protect sensitive information about individuals in their care. They must safeguard patient privacy, conduct only necessary disclosure of private data, and proactively use technology to counter threats to information security.


HIPAA: Risks of Non-Compliance

Fines for HIPAA violations can be significant and consist of penalties imposed either by the HHS or by a court of law. Tiered by the degree of negligence, fines can be up to $50,000 per individual violation and up to $1.5 million cumulatively within a calendar year. In severe (albeit rare) cases, knowingly violating HIPAA rules with malicious intent can result in prison.

The Gramm-Leach Bliley Act

US Congress enacted the Gramm-Leach-Bliley Act (GLBA) in 1999. Also known as the Financial Services Modernization Act of 1999, GLBA requires financial institutions in the United States to disclose their information-sharing practices to customers and to protect sensitive customer data. "Financial institution" is defined as any organization that is "significantly engaged" in providing financial products or services to US citizens. Any organization that is a financial institution or an affiliate of a financial institution must comply with GLBA. Examples of financial institutions include banks, non-bank mortgage lenders, loan brokers, investment advisors, debt collectors, tax return preparers, and title companies.

To meet the main requirements of disclosing information-sharing practices and protecting customer data, GLBA maps out 3 main rules:

  • The Financial Privacy Rule

  • The Safeguards Rule

  • The Pretexting Prohibition

GLBA: Risks of Non-Compliance

The Safeguards Rule requires the creation of a documented information security plan that details how your financial institution protects customer non-public personal information (NPI). An appointed in-house coordinator must perform a risk assessment of this plan to determine what could happen in the event of a breach. Logical controls should then be implemented in response to the risks identified by that assessment. Controls are somewhat flexible; they should be "logical" and "proportionate" to the size of the organization: a small title office will not have the same controls as the largest mortgage lender in a city. These controls should also extend to any vendors your institution deals with.

The Pretexting Prohibition forbids collecting sensitive data under false pretenses. "Pretexting" refers to an individual making false, fictitious, or fraudulent statements in an attempt to extract PHI from a customer. This provision applies to any communication with the customer, including documents.
