What You Need to Know About Data Protection Laws and Compliance Regulations
Companies face numerous struggles when it comes to becoming and remaining compliant with data protection and
privacy laws. This is why our focus at TechWerxe is securing critical data, no matter where it resides and
how it is accessed. Our main objective is to educate and assist our customers on how to keep their data
safe, while creating a productive and cost-effective environment.
In this post, we’ll cover the laws and regulations various industries need to know to remain compliant.
Data Protection Law for All Verticals
- The New Jersey Data Protection Law of 2018 follows the principles of the European General
Data Protection Regulation (GDPR). This New Jersey bill mandates that any firm collecting
personal data tell people in plain language how the information will be used. Additionally,
customers can ask companies for a copy of their personal data and request that the information
be deleted at any time. This law applies to any business in the state of New Jersey.
Regulations for the Financial Industry
- The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY
Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered
financial institutions. These regulations acknowledge the growing threat posed to financial
systems by cyber criminals and are designed to ensure businesses protect their customers'
confidential information from cyber-attacks. This regulation is specific to NY at this time;
however, I would suspect that other states will follow suit in the near future. The key elements
of this regulation are to:
- Establish a cybersecurity program
- Adopt written cybersecurity policies
- Mandate a Chief Information Security Officer
- Introduce and maintain cybersecurity training for employees
- Conduct Bi-annual third-party risk assessments
- Establish an Incident Monitoring and Reporting program and regularly conduct penetration testing and vulnerability management
- Provide proof of Information Security Audits
- Submit notification of incidents to the NYDFS (within 72 hours)
- PII is personally identifiable information such as names, addresses, social security numbers or other identifying numbers, telephone numbers, email addresses, etc. Alternatively, it includes
information an agency intends to use to identify specific individuals, in conjunction with their
other data. If data is lost, compromised, or disclosed without authorization, consequences can
include substantial harm, embarrassment, inconvenience, or unfairness to the individual. One
of the most familiar PII violations is identity theft. This can occur when people are careless with
information such as Social Security numbers and dates of birth; they can easily become the victim of a crime.
- The Payment Card Industry Data Security Standard (PCI-DSS) sets the requirements for
organizations that sell goods or services to safely and securely store, process, and transmit cardholder data during credit card transactions, in order to prevent fraud and data breaches. PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month from the credit card companies. These penalties depend on the volume of clients, the volume of transactions, the amount of time the company has been non-compliant, and the level of PCI-DSS that the company should be following. Below are 11 regulations designed to reduce fraud and protect customer credit card information that are part of PCI-DSS:
- Install and maintain a firewall configuration to protect cardholder data. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
- Do not use vendor-supplied defaults for system passwords and other security parameters. Hardening your organization’s systems such as servers, network devices, applications, firewalls, wireless access points, etc. is required.
- Protect stored cardholder data. You must first know all the data you are going to store along with its location and retention period. All cardholder data must be encrypted using an industry-accepted set of rules.
- Encrypt transmission of cardholder data across open, public networks such as Bluetooth or the Internet.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications by deploying critical patches in a timely manner.
- Restrict access to cardholder data by business need-to-know. Service providers and merchants must be able to allow or deny access to cardholder data systems.
- Assign a unique ID to each person with computer access. Every authorized user must have a unique identifier and their passwords must be complex.
- Restrict physical access to cardholder data. This requires monitoring entry and exit doors of physical locations such as data centers. Logs of authorized visitors and employees’ movements should be kept for a minimum of 90 days.
- Track and monitor all access to network resources and cardholder data. A Security Information and Event Management (SIEM) tool can help you log system and network activities, monitor logs, and alert you to suspicious activity. Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel. The information security policy must be reviewed annually and distributed to all the employees, and vendors. Users must read the policy and accept it.
Regulations for Healthcare Organizations
- The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that outlines national standards of physical, administrative, and technical safeguards which covered entities and business associates must uphold to protect the integrity of Protected Health Information (PHI) in a healthcare setting. HIPAA protects sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA:
- Assures health insurance portability during job transition or unemployment when
individuals have pre-existing conditions.
- Reduces healthcare fraud and abuse.
- Enforces standards for health information.
- Guarantees security and privacy of health information.
- The Sarbanes-Oxley Act (SOX), also known as the Public Company Accounting Reform and Investor Protection Act, is a federal law that requires public companies to undergo an annual audit to provide proof of accurate financial reporting. SOX requires companies to maintain financial records for a minimum of seven years.
- The Cybersecurity Maturity Model Certification (CMMC) was released by the Department of Defense (DOD) in January 2021 as a verification tool to ensure that defense contractors implement appropriate cybersecurity practices and processes to protect Federal contract information and controlled unclassified information within their unclassified networks. The government has implemented a tiered approach to auditing contractor compliance across the defense contract supply chain. It is based on five different levels of maturity expectations. The DOD estimates the roll-out of CMMC standards will affect about 300,000 companies and that most companies will require a certification between Level 1 and Level 3 to qualify for government contracts. The Cyber Security Maturity Assessment (CSMA) is a gap analysis and risk assessment that utilizes cybersecurity best practices to answer the questions surrounding your existing security program. Here’s a little more on each level.
CMMC Level 1
Processes: Performed
Level 1 requires organizations to perform the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on
documentation, process maturity is not assessed for Level 1.
CMMC Level 2
Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the
implementation of its CMMC efforts. The documentation of practices enables individuals to
perform them in a repeatable manner.
CMMC Level 3
Processes: Managed
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the
management of activities for practice implementation.
CMMC Level 4
Processes: Reviewed
Level 4 requires that an organization review and measure practices for effectiveness.
CMMC Level 5
Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the
organization.
Yes, these are a lot of rules, but they are for your organization’s protection. It’s critical that you have an in-house team or find a Managed IT partner that understands these regulations, how they apply to your business, and can ensure you remain compliant. If you have any questions about how data protection laws and compliance regulations can impact your organization, reach out to us at jmadsen@techwerxe.com.