Emerging Data Privacy Regulations
Organizations need to comply with an increasing number of data privacy regulations. In addition to regulations such as PCI, HIPAA/HITECH, GLBA/FFIEC, and Sarbanes-Oxley, states are passing their own privacy laws. For example, Massachusetts says that if you are doing business with anyone in their state, you must comply with their privacy law – even if your business is located across the country. NIST-certified encryption and key management can help meet these emerging regulations.
I recently sat down with Patrick to discuss the emerging data privacy regulations - as well as how to meet them and what it is like to have an audit.
There are lots of different data privacy regulations for people dealing with sensitive information. Can you speak a little about each one?
You are right. There are a lot of regulations and companies are finding themselves falling under more than just one. Probably the one that most people know about is the PCI Data Security Standards (PCI DSS). Any organization that accepts credit cards for payment falls under these regulations. In the medical segment we have the HIPAA and HITECH Act, which sets the standards for protecting patient information. In the banking and financial area we have the GLBA and FFIEC regulations which cover a broad set of financial institutions. FERPA is for educational institutions. Sarbanes-Oxley (SOX) covers any publicly traded company. Finally, we have state privacy laws on the books and there are about 44 or 45 of them. So you are right, there are a lot of different privacy regulations and there are overlapping and different requirements for each regulation.
So, an organization can be faced with several different compliance regulations, is there any common solution?
You need to be aware of each one, though there are some overlapping definitions of what constitutes Personally Identifiable Information (PII). It is important to follow proper encryption and key management best practices and make sure your solutions are NIST certified. State Privacy Laws are starting to follow PCI guidance. It is important to note that State Privacy Laws are now starting to extend beyond the boundaries of the state.
Do any of these regulations have any real “teeth”?
Oh, yes! A data breach can have lasting financial and business impacts. Just ask the companies who have had major data breaches. One credible study by the Ponemon Institute estimates that TJ Maxx may eventually spend a total of about 9 billion dollars (yes, that’s billion with a “B”) as a result of their data breach. There have been numerous fines levied against merchants, medical providers, and businesses related to data security breaches. There are real financial penalties for these breaches.
Less well known is the fact that an embarrassing data security breach can sink your business. If a big part of your business is based on Internet sales, for example, you can find your business disappearing in the event you have a data breach.
What is the process of undergoing an audit like?
Don’t panic. It can be painful, but in most cases an audit involves a routine set of questions. You can actually prepare for that experience. It is good to know the configuration of your network and where things stand in terms of data protection. Having good documentation on your policies, procedures, your network, and your business applications is going to be very helpful in an audit. Also, you should see your auditor as an important partner in compliance. A good relationship with an auditor will help get you through the process. You can see your auditor as someone who can really advise you on best practices for securing data.
Also, your software supplier can be an important partner. For example, we offer a lot of questions about compliance regulations and best practices when we work with our customers and prospective customers – trying to get them educated on what really is best practice.
Are there any emerging regulations that our listeners should be aware of?
Congress is working on a Federal Privacy law that would replace the 44 or 45 state privacy regulations. Businesses struggle to keep up with the differences between all of the state laws, and there is business support for passing a federal law. A version has passed the House of Representatives, and there are two or three versions pending in the Senate. These will have to get consolidated into a single law, and then rationalized with the House bill. But eventually I think this will happen.
I think we can make some predictions about how a new federal law will affect businesses. We already have a template in the HITECH Act of 2009. I suspect that the FTC or some other federal agency will be tasked with defining the data security regulations. It is highly likely that the National Institute of Standards and Technology (NIST) will be the basis for standards and certification of solutions. Then there will be published rules and guidelines on how to implement data protection.
If I am right about this, it will prompt businesses to be sure that their data protection solutions meet NIST standards. And I don’t mean sorta, kinda, maybe. You need to find solutions that are NIST certified to FIPS 140-2 or similar standards with the paper certificates to prove it.