3/20/2019

Ask Our VP of Compliance: March 2019

What Cyber Laws Apply to Me?

In the past, cybersecurity and information security were largely issues handled only by a company's IT department. In today's increasingly digitized world, however, companies are finding that cyber compliance is critical from the top to the bottom of the organization, in every department. Many cybersecurity regulations are now in force, and non-conformity can lead to major fines and/or data breaches.

Most major companies operating within the United States are subject to some type of security regulation. These regulations were created with the intention of building and improving a business' information security management system.

Compliance is critical, and it begins with understanding which regulations affect your company and then outlining the steps that will bring you into compliance.

Act/Law: NYS DFS 500
What it regulates: The regulation requires all DFS-regulated entities, subject to certain exemptions, to adopt the core requirements of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users, among other requirements. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections.
Companies affected: Any individual or entity operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws. Smaller entities have some exemptions but are still expected to comply with many of the regulation's requirements.

Act/Law: GDPR
What it regulates: A new set of rules governing the privacy and security of personal data laid down by the European Commission. In addition to the right to be forgotten, the law holds provisions that could potentially increase consumers' rights over their data.
Companies affected: GDPR has serious implications for companies in countries outside the EU. Even if you are based overseas, if you hold data belonging to anyone living in Europe, you are liable. In short, if you process data that belongs to individuals living and working within the EU, you will be subject to aspects of the regulation.

Act/Law: HIPAA
What it regulates: This act is a two-part bill. Title I protects the health care of people who are transitioning between jobs or are laid off. Title II is meant to simplify the healthcare process by shifting to electronic data; it also protects the privacy of individual patients.
Companies affected: Any company or office that deals with healthcare data. That includes, but is not limited to, doctors' offices, insurance companies, business associates, and employers.

Act/Law: Personal Information Protection and Electronic Documents Act (PIPEDA), Canada
What it regulates: It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents.
Companies affected: PIPEDA applies to organizations that are federally regulated and fall under the legislative authority of the Parliament of Canada. PIPEDA also applies to the private sector of each province.

Act/Law: Sarbanes-Oxley Act
What it regulates: This act requires companies to maintain financial records for seven years. It was implemented to prevent another Enron scandal.
Companies affected: U.S. public company boards, management and public accounting firms.

Act/Law: Federal Information Security Management Act of 2002 (FISMA)
What it regulates: This act recognized information security as a matter of national security. Accordingly, it mandates that all federal agencies develop a method of protecting their information systems.
Companies affected: All federal agencies fall under the scope of this bill.

Act/Law: Gramm-Leach-Bliley Act (GLBA)
What it regulates: This act allowed insurance companies, commercial banks, and investment banks to be within the same company. As for security, it mandates that companies secure the private information of clients and customers.
Companies affected: The act defines "financial institutions" as "...companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."

Act/Law: Family Educational Rights and Privacy Act (FERPA)
What it regulates: Section 3.1 of the act is concerned with protecting student educational records.
Companies affected: Any postsecondary institution, including universities, academies, colleges, seminaries, technical schools, and vocational schools.

Act/Law: Payment Card Industry Data Security Standard (PCI-DSS)
What it regulates: A set of 12 regulations designed to reduce fraud and protect customer credit card information.
Companies affected: Companies handling credit card information.


Simple, right? Not quite. The question I am asked most often is, "With all these regulations, which ones are we supposed to follow, and what do they even mean?" These laws are difficult to interpret, and the average decision maker is not an IT security professional. This is where a security professional such as Digital Edge can greatly help your business navigate this complex web of regulation.


For more information on Digital Edge’s robust Cybersecurity Compliance team, contact us today at complaince@digitaledge.net.

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle's vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization while staying in compliance with all regulatory bodies and companywide policies. She specializes in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more!