
Compliance Laws & Regulations

Compliance Laws

OSPAR: The Outsourced Service Provider's Audit Report is an assurance framework published by the Association of Banks in Singapore (ABS). Its Guidelines on Control Objectives and Procedures for Outsourced Service Providers set out the controls a cloud or other outsourced service provider must operate in order to serve Singapore financial institutions, and a provider demonstrates compliance by obtaining an OSPAR attestation report from an independent auditor.


SHIELD: New York's "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act defines "private information" to include a Social Security number, driver's license number, credit or debit card number, financial account number (with or without a security code), biometric information, and a username or e-mail address together with a password that permits access to an online account. It requires any person or business that owns or licenses computerized data containing the private information of New York residents, wherever that business is located, to implement a data security program with reasonable administrative, technical and physical safeguards, and it broadens New York's security breach notification requirements.

Every employer with employees in New York must comply with the SHIELD Act, because "private information" includes an individual's name in combination with a Social Security number.

https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/new-york-shield-act.aspx


CCPA: "The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA's purposes. The proposed regulations would establish procedures to facilitate consumers' new rights under the CCPA and provide guidance to businesses for how to comply." The CCPA took effect on January 1, 2020; the California Privacy Rights Act (CPRA), approved by voters in November 2020 and effective January 1, 2023, amended it and created the California Privacy Protection Agency, which now shares rulemaking and enforcement with the Attorney General.

https://www.oag.ca.gov/privacy/ccpa


GDPR: "Regulation (EU) 2016/679 of the European Parliament and of the Council, the European Union's ('EU') new General Data Protection Regulation ('GDPR'), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU." The GDPR has applied since 25 May 2018 and, under Article 3(2), also reaches controllers and processors established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en


HIPAA: "HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers." The technical requirements that security engineers work against are in the HIPAA Security Rule (45 CFR Part 164, Subpart C), which applies to covered entities and to the business associates that handle protected health information on their behalf.

https://searchhealthit.techtarget.com/definition/HIPAA


FISMA: "FISMA 2014 codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies." FISMA 2014 is the Federal Information Security Modernization Act, which amended the Federal Information Security Management Act of 2002; the acronym is used for both.

https://www.dhs.gov/cisa/federal-information-security-modernization-act


Compliance Regulations

NIST: "NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs." NIST is a standards body rather than a regulator: agencies are assessed against its publications, chiefly the SP 800-53 security and privacy control catalog and the SP 800-37 Risk Management Framework, which FISMA and OMB policy make binding on federal information systems.

https://digitalguardian.com/blog/what-nist-compliance


DFS: "The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions." In force since March 1, 2017, it requires covered entities (banks, insurers and other DFS licensees) to maintain a cybersecurity program and written policies, designate a CISO, perform periodic risk assessments, penetration tests and vulnerability assessments, implement multi-factor authentication and encryption of nonpublic information, report cybersecurity events to DFS, and file an annual certification of compliance.

https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial


PCI: "PCI DSS, or the Payment Card Industry Data Security Standard, is the set of requirements for organizations who process card payments." PCI DSS is an industry standard maintained by the PCI Security Standards Council, not a government regulation; it applies to any entity that stores, processes or transmits cardholder data and is enforced contractually by the card brands and acquiring banks, which set the validation level (self-assessment questionnaire or on-site assessment by a Qualified Security Assessor) according to transaction volume.

https://www.tripwire.com/state-of-security/regulatory-compliance/beginners-guide-pci-compliance/


Frameworks

ISO: The International Organization for Standardization is an independent, non-governmental body that publishes international standards for products, services and systems. In its own words, "ISO creates documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose." For information security the relevant set is the ISO/IEC 27000 family: ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the standard an organization is certified against, while ISO/IEC 27002 gives implementation guidance for the controls listed in 27001's Annex A.

https://www.iso.org/standards.html

SOC: System and Organization Controls are a suite of reports from the AICPA that CPA firms issue on the controls at a service organization. The current offerings are SOC 1 (controls relevant to a customer's financial reporting), SOC 2 (controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy), SOC 3 (a general-use summary of a SOC 2) and SOC for Cybersecurity. SOC 1 and SOC 2 each come as a Type 1 report, which covers the design of controls at a point in time, or a Type 2 report, which also tests their operating effectiveness over a period; a Type 2 is what a security reviewer should ask a vendor for. In addition, SOC 2+ reports can layer another framework's criteria (e.g. HIPAA, HITRUST, NIST) onto the SOC 2 examination.

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
