In 2018, one thing is for certain: changes are happening—fast. Technology changes, as usual, are the focus this year as we watch new innovations unfold, new products emerge, and businesses take hold of new opportunities. However, tech isn’t the only thing changing rapidly. This year, Digital Edge’s Compliance articles have covered brand new regulations that have taken effect, which are likely to have impacted your business.
Businesses must be aware of new laws and policy changes, no matter where they operate or what kind of business it is. A recent article published by Business News Daily says it best, “Staying apprised of policy changes could be the difference between gaining a competitive edge or falling behind due to compliance issues or strategic missteps.”
But what about IT laws and regulations that already exist? Are you aware of the guidelines you should already be following? That is why Digital Edge's VP of Compliance breaks down all the laws in this month's Ask Our VP of Compliance!
Please note that the regulations listed below are intentionally US-centric but include selected laws of other nations that have an impact on US-based global companies.
What are the broadly applicable laws and regulations that we need to follow?
- Sarbanes-Oxley Act (aka Sarbox, SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- The Gramm-Leach-Bliley Act (GLB) Act of 1999
- Electronic Fund Transfer Act, Regulation E
- Customs-Trade Partnership Against Terrorism (C-TPAT)
- Free and Secure Trade Program (FAST)
- Children's Online Privacy Protection Act
- Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
- Federal Rules of Civil Procedure (FRCP)
What are the industry-specific regulations and guidelines?
- Federal Information Security Management Act (FISMA)
- North American Electric Reliability Corp. (NERC) standards
- Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
- Health Insurance Portability and Accountability Act (HIPAA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
- H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
Are there other state regulations besides NYS DFS 500 and the California Data Protection Act?
- Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
- Nevada Personal Information Data Privacy Encryption Law NRS 603A
In addition to GDPR, are there other international security and privacy laws?
- Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) — Canada
- Law on the Protection of Personal Data Held by Private Parties — Mexico
Laws explained:
What are the broadly applicable laws and regulations that we need to follow?
Sarbanes-Oxley Act (aka Sarbox, SOX)
What Sarbanes-Oxley covers: Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes SOX rules and requirements defining audit requirements and the records businesses should store and for how long.
Who is affected: U.S. public company boards, management and public accounting firms.
Full text of Sarbanes-Oxley Act: http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Payment Card Industry Data Security Standard (PCI DSS)
What it covers: The PCI DSS is a set of requirements for enhancing the security of customers' payment account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI PIN Transaction Security (PCI PTS).
Who is affected: Retailers, credit card companies, anyone handling credit card data.
Link to the PCI DSS requirements: The current version is PCI DSS v2.0, issued 10/28/2010. https://www.pcisecuritystandards.org/security_standards/documents.php
The Gramm-Leach-Bliley Act (GLB) Act of 1999
What it covers: Also known as the Financial Modernization Act of 1999, the GLB Act includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
Who is affected: Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).
Link to the law: The Privacy of Consumer Financial Information rule within GLB: https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm
Laws and rules pertaining to GLB: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Electronic Fund Transfer Act, Regulation E
What it covers: Enacted in 1978, this law protects consumers engaging in electronic fund transfers from errors and fraud. It carries out the purposes of the Electronic Fund Transfer Act, which establishes the basic rights, liabilities, and responsibilities of EFT consumers of financial institutions that offer these services. EFTs include ATM transfers, telephone bill-payment services, point-of-sale terminal transfers in stores and preauthorized transfers from or to a consumer's account (such as direct deposit and Social Security payments). Effective August 2010, a new provision states that institutions may not impose dormancy, inactivity or service fees for pre-paid products, such as gift cards, nor can they have an expiration date of less than five years.
Who is affected: Financial institutions that hold consumer accounts or provide EFT services, as well as merchants and other payees.
Link to the law: http://www.fdic.gov/regulations/laws/rules/6500-3100.html
Customs-Trade Partnership Against Terrorism (C-TPAT)
What it covers: C-TPAT is a worldwide supply chain security initiative established in 2004. It is a voluntary initiative run by U.S. Customs and Border Protection, with the goal of preventing terrorists and terrorist weapons from entering the U.S. It is designed to build cooperative government-business relationships that strengthen and improve the overall international supply chain and U.S. border security. Businesses are asked to ensure the integrity of their own security practices and to communicate and verify the security guidelines of their business partners within the supply chain.
Benefits for participating in C-TPAT include a reduced number of CBP inspections, priority processing for CBP inspections, assignment of a C-TPAT supply chain security specialist to validate security throughout the company's supply chain and more.
Who is affected: Trade-related businesses, such as importers, carriers, consolidators, logistics providers, licensed customs brokers, and manufacturers.
Link to overview of C-TPAT:
Free and Secure Trade Program (FAST)
What it covers: FAST is a voluntary commercial clearance program run by U.S. Customs and Border Protection for pre-approved, low-risk goods entering the U.S. from Canada and Mexico. Initiated after 9/11, the program allows for expedited processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. Participation in FAST requires that every link in the supply chain — from manufacturer to carrier to driver to importer — is certified under the C-TPAT program (see above). Cards cost $50 and are valid for 5 years.
Benefits of using FAST and C-TPAT include:
- Upon terrorist alerts, FAST/C-TPAT drivers will be allowed to cross the border.
- Dedicated lanes for greater speed and efficiency.
- Reduced cost of compliance with customs requirements.
Who is affected: Importers, carriers, consolidators, licensed customs brokers, and manufacturers.
Link to FAST program details: https://www.cbp.gov/travel/trusted-traveler-programs/fast
Children's Online Privacy Protection Act
What it covers: COPPA, which took effect in 2000, applies to the online collection of personal information from children under 13. Monitored by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children's personal information. They codify what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.
Who is affected: Operators of commercial Web sites and online services directed to children under 13 that collect personal information from children, as well as general audience Web sites with actual knowledge they are collecting personal information from children.
Link to the law: http://www.ftc.gov/ogc/coppa1.htm
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
What it covers: Passed in December 2003, FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Act also says businesses in possession of consumer information or information derived from consumer reports must properly dispose of the information.
The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program. The Red Flags Rule has been delayed several times and is currently scheduled for enforcement by the FTC starting December 31, 2010.
Who is affected: Credit bureaus, credit reporting agencies, financial institutions, any business that uses a consumer report, and creditors. As defined by FACTA, a creditor is anyone who provides products or services and bills for payment.
Link to the law: http://www.ftc.gov/os/statutes/031224fcra.pdf
Red Flags Rule: http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
Federal Rules of Civil Procedure (FRCP)
What it covers: In place since 1938, the FRCP discovery rules govern court procedures for civil lawsuits. The first major revisions, made in 2006, make clear that electronically stored information is discoverable, and they detail what, how and when electronic data must be produced. As a result, companies must know what data they are storing and where it is; they need policies in place to manage electronic data; they need to follow these policies; and they need to be able to prove compliance with these policies, in order to avoid unfavorable rulings resulting from failing to produce data that is relevant to a case.
Security professionals may be involved in proving to a court's satisfaction that stored data has not been tampered with.
Who is affected: Any company that is — or could be — involved in a civil lawsuit within the federal courts. In addition, because states have adopted FRCP-like rules, companies involved in litigation within a state court system are also affected.
Link to the rules: http://www.law.cornell.edu/rules/frcp/
What are the industry-specific regulations and guidelines?
Federal Information Security Management Act (FISMA)
What it covers: Enacted in 2002, FISMA requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of the E-Government Act of 2002.
Who is affected: Federal agencies.
Link to the law: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
North American Electric Reliability Corp. (NERC) standards
What it covers: The current set of 83 NERC standards was developed to establish and enforce reliability standards for the bulk-power system of North America, as well as to protect the industry's critical infrastructure from physical and cyber threats. These overall standards became mandatory and enforceable in the U.S. on June 18, 2007. The Critical Infrastructure Protection (CIP) elements of the reliability standard have subsequently been updated, most recently in 2009. CIP standards include identification and protection of both physical assets and digital ("cyber") systems.
Who is affected: North American electric utilities.
Link to the NERC reliability standards: http://www.nerc.com/files/Reliability_Standards_Complete_Set.pdf
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
What it covers: Part 11, as it is commonly called, was issued in 1997 and is monitored by the U.S. Food and Drug Administration. It imposes guidelines on electronic records and electronic signatures in an effort to uphold their reliability and trustworthiness.
Who is affected: All FDA-regulated industries that use computers for regulated activities, both in the U.S. and outside the country.
Link to the law: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11
With 2010 amendments: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=58&showFR=1.
Health Insurance Portability and Accountability Act (HIPAA)
What it covers: Enacted in 1996, HIPAA is intended to improve the efficiency and effectiveness of the health care system. As such, it requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans and employers. (Note: HIPAA's requirements are significantly updated by the HITECH Act — see next entry).
Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Link to the law: https://www.hhs.gov/hipaa/
The Health Information Technology for Economic and Clinical Health Act (HITECH)
What it covers: Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement.
Who is affected: Health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Link to the law: http://www.hipaasurvivalguide.com/hitech-act-text.php (easy to read format)
More formal version: https://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
What it covers: Enacted on January 19, 2009, PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides federal privilege and confidentiality protections for patient safety information, which includes information collected and created during the reporting and analysis of patient safety events.
These confidentiality provisions are intended to improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk. The Office for Civil Rights administers and enforces the confidentiality protections provided to patient safety work product (PSWP). The Agency for Healthcare Research and Quality administers the provisions dealing with Patient Safety Organizations (PSOs).
Who is affected: Healthcare providers, patients and individuals/entities that report medical errors or other patient safety events.
Link to the law: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
What it covers: The CFATS regulation went into effect in 2007 and was developed as part of the Homeland Security Appropriations Act. It imposes federal security regulations for high-risk chemical facilities, requiring covered chemical facilities to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans that include measures to satisfy the identified risk-based performance standards. The regulations are in place through October 2011, at which point they will either be made permanent or will be extended with tougher requirements. One requirement under consideration is the Inherently Safer Technologies provision that would require some facilities using, storing and manufacturing certain chemicals to possibly change processes and the chemicals used.
Who is affected: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.
Link to the law: http://energycommerce.house.gov/Press_111/20091001/hr2868_billtext.pdf
Are there other state regulations besides NYS DFS 500 and the California Data Protection Act?
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
What it covers: This Massachusetts law — which went into effect March 2010 — works to protect the state's residents against fraud and identity theft. It requires that any business that stores or uses personally identifiable information about a Massachusetts resident develop a written, regularly audited plan to protect this information. It takes a risk-based approach — rather than a prescriptive one — to information security. That means it directs businesses to establish a security program that takes into account the business size, scope, resources, nature and quantity of data collected or stored and the need for security rather than requiring the adoption of every component of a stated program.
Who is affected: Businesses that collect and retain personal information of Massachusetts residents in connection with the provision of goods and services or for the purpose of employment.
Link to the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Nevada Personal Information Data Privacy Encryption Law NRS 603A
What it covers: In January 2010, Nevada was the first state to enact a data security law that mandates encryption for customers' stored and transported personal information.
Who is affected: Businesses that collect and retain personal information of Nevada residents.
Link to the law: http://www.leg.state.nv.us/nrs/nrs-603a.html
In addition to GDPR, are there other international security and privacy laws?
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) — Canada
What it covers: This Canadian privacy law governs how public and private organizations collect, use and disclose personal information in the course of business. It went into effect in January 2001 for federally regulated organizations and in January 2004 for all others.
In May 2010, Bill C-29 introduced numerous amendments to PIPEDA, involving exceptions for the use and disclosure of personal information without consent and further requirements for business transactions.
Who is affected: All private-sector companies doing business in Canada.
Link to the law: http://www2.parl.gc.ca/HousePublications/Publication.aspx?pub=bill&doc=c-6&parl=36&ses=2&language=E
Law on the Protection of Personal Data Held by Private Parties — Mexico
What it covers: Published in July 2010, this Mexican law requires organizations to have a lawful basis — such as consent or legal obligation — for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify processing activities to a government body, as in many European countries, companies handling personal data must furnish notice to the affected persons. Individuals must also be notified in the event of a security breach.
Who is affected: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.
Link to the law (Spanish language): http://www.dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010
In an increasingly digitized world, we value privacy and are committed to protecting your personal information. Data and its protection are at the core of everything Digital Edge does. As such, our business is built on Stability, Security, Efficiency, and Compliance, enabling us to protect our customers’ most valuable assets. We are committed to complying with the new and old legislation and will collaborate with partners throughout this process.
Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution.
Still have questions? Feel free to contact me, Danielle Johnsen, at djohnsen@digitaledge.net or our Cyber Security Compliance team at compliance@digitaledge.net.