Regulatory compliance is something every company faces today, regardless of the industry it works in, and more than a few regulations apply to each industry. Each regulation carries a set of rules in the form of policies, guidelines, standards or laws that an organization must conform to, and sometimes these regulations overlap (think GDPR and HIPAA).
Here we take a look at four of these regulations.
HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect patients from data breaches at healthcare insurers and providers. It was signed into law in 1996 and provides a series of rules that cover the privacy and security of patient information, including medical data.
There are several components to HIPAA; the two that relate to our discussion are the HIPAA Privacy Rule and the HIPAA Security Rule.
- HIPAA Privacy Rule: this rule sets the standards organizations must follow to protect patient information
- HIPAA Security Rule: this rule covers how organizations must secure electronic protected health information
A few additions to the regulation over the years include:
- Breach notification rules were extended to electronic health record (EHR) system vendors and related EHR service providers (2010)
- Guidance clarified that the rules cover cloud-based service providers (2016)
- HHS published a crosswalk mapping the Security Rule to the NIST Cybersecurity Framework, so that HIPAA safeguards align with national cybersecurity standards (2016)
According to HIPAA, PHI (Protected Health Information) includes not only basic patient information like name, address, birthdate and Social Security number, but also all information related to a patient's mental and physical condition, any treatments provided and all payment information.
Penalties for not complying with HIPAA range from $100 per violation for unknowingly breaking the rules up to $50,000 per violation for willful neglect that isn't corrected within the required time period. In 2017, $19,393,200 in penalties was imposed.
GDPR (General Data Protection Regulation)
Everyone knows about the European Union's new General Data Protection Regulation (GDPR), which came into effect this past May. GDPR applies to all organizations doing business in the EU that provide products and services to people in the EU (not specifically EU citizens, but anyone who is in the EU when the service is provided). GDPR covers how companies collect and store information related to people who visit their websites and other digital properties.
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.” (source)
Personal data is anything that relates to an identified or identifiable natural person (so not an entity, a company or a deceased person), either directly (name, address, other PII, payment card data) or indirectly (device ID, browser cookies, IP addresses).
This is a sizeable regulation and has had major implications for all organizations with a presence in the EU. It's a topic we've covered a lot, so you can read some great information here. A few highlights:
- Data subjects (the persons you collect and store data on) have a series of rights that include being told what data you are collecting and what you are doing with it, and the ability to see it, correct it and request that you delete it (the right to be forgotten).
- Data controllers (companies that decide why and how data is collected) and data processors (companies that process the data on a controller's behalf) both have obligations under this regulation.
Fines for not complying with GDPR are steep: up to 20 million euros or 4 percent of annual global turnover, whichever is higher.
NYDFS Cybersecurity Regulation (23 NYCRR 500)
The New York Department of Financial Services enacted 23 NYCRR 500, the Cybersecurity Regulation, in 2017:
“… this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” (from the regulation)
The regulation applies to all entities operating under a DFS license, registration, charter or other form of DFS regulation. It includes state-chartered banks in New York, mortgage companies, insurance companies and their service providers, among others.
The regulation outlines a series of requirements affected companies must meet, including:
- Define and implement a cybersecurity program
- Designate a CISO (Chief Information Security Officer)
- Implement a comprehensive written cybersecurity policy
- Set up a process for reporting cybersecurity events
Three areas where your governance program might be affected by this regulation include:
- Limitations on data retention: periodic disposal of nonpublic information that is no longer used or required
- Application security: secure development practices for in-house applications, and procedures to evaluate and test the security of externally developed applications
- Encryption of nonpublic information: controls to protect nonpublic information at rest and in transit over external networks, with compensating controls approved by the CISO where encryption is infeasible
GLBA (Gramm-Leach-Bliley Act)
Another regulation for financial institutions, the Gramm-Leach-Bliley Act (GLBA), is a federal law that governs information-sharing practices and the safeguarding of sensitive customer data. There are three components to this act: the Safeguards Rule, the Privacy Rule and the Pretexting Provisions.
Privacy Rule: This rule relates to the collection of financial information. It requires you to disclose in writing to your customers and consumers your privacy and information-sharing practices relating to “nonpublic personal information” (NPI).
From the Act:
- any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
- any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
- any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).”
Safeguards Rule: This rule provides a series of guidelines on how to ensure the security of customer information. It requires a written information security plan, one that is appropriate to the size and type of the company, the sensitivity of the information and the scope of its activities. It also outlines guidelines for the information systems that store and process that information, including guidelines for the secure collection and transfer of customer information, its storage and its secure disposal.
Pretexting Provisions: These cover obtaining private information under false pretenses, for example by impersonating a customer or an institution.
Which Regulations Affect Your Governance Programs
The challenge with regulations is that you often have to adhere to more than one, and in some cases regulations have conflicting rules or guidelines. Data privacy is the underlying concern in all the regulations above, but there are others we haven't mentioned that you might need to get a handle on. For instance, the State of California passed its own “mini” version of the GDPR in June, the California Consumer Privacy Act. And if you are in Canada, you have another set of privacy laws, including PIPEDA, to deal with.
The first step is knowing which regulations apply to you and which data and applications are affected. Then you can put a plan in place to follow those regulations and ensure compliance. You will need to ensure that your data practices, from collection to storage to disposal, are properly aligned; that your employees know how to comply with these practices; and that your IT systems support them fully.
To learn how Everteam supports these regulations and others, reach out for a talk, we’ll fill you in.