Townsend Security Data Privacy Blog

What Data Security Compliance Regulation Does My Company Face?

Posted by Liz Townsend on Jun 13, 2012 9:30:00 AM


Data breaches are becoming a reality for any company that maintains sensitive data on its systems, which is the majority of them. Given the increase in breaches, you may be asking yourself, "Which compliance regulations apply to my organization?"

Currently, the landscape of compliance regulations is fragmented across multiple regulating organizations. Some are government-based and some are private industry-based. The common regulations that most organizations are likely to encounter are:

Payment Card Industry Data Security Standards (PCI DSS)

  • If you accept or process credit card information, you fall under PCI DSS standards. This means that you must encrypt credit card information both at rest and in motion. You must also implement encryption key management that uses proper dual control and separation of duties. PCI DSS also requires periodic encryption key rotation.
  • PCI DSS Requirement 10 requires the collection, storage, and monitoring of system logs in order to detect potential breaches. Over time, as companies have performed forensics on data breaches, investigators have found in many cases that the breach could have been detected early, before the data was lost, had the system logs been properly collected and monitored.

HIPAA/HITECH

  • If your company operates in the medical sector, that is, any organization defined as a covered entity under the HIPAA act, you fall under HIPAA/HITECH data security regulations.
  • The HITECH act of 2009 strengthened HIPAA regulations tremendously by referring to the National Institute of Standards and Technology (NIST) for encryption standards, best practices for encryption key management, and the collection of system logs.
  • Although there is no mandate in HHS and HIPAA/HITECH that you must encrypt patient information, there is a "back door" mandate: in the event of a data breach, all covered entities must report the breach to HHS. The only safe harbor from breach notification and potential fines is properly encrypted data.

GLBA and FFIEC

  • The Gramm-Leach-Bliley Act and the Federal Financial Institutions Examination Council regulate data security in the financial sector. Under these regulations the financial industry is defined broadly: it certainly includes banks, but also covers credit reporting agencies and other financial institutions. FFIEC is tasked with conducting audits and making sure banks comply with regulations, which have a strong focus on protecting consumer information. One statement made in their documentation is that effective and proper key management based on industry standards is crucial.

SOX (Sarbanes-Oxley)

  • Any publicly traded company in the United States falls under SOX regulations. There has been quite an increase in the focus on data privacy by SOX auditors, particularly on encryption key management and system logging. From the beginning, SOX auditors have held departments to high standards in terms of best practices and proper control of data. This increased focus on data protection has developed within the last 12 months or so. Several of our customers have told us they've been penalized by SOX auditors for an insufficient encryption key management strategy.

Federal and State Laws

  • Currently 45 out of 50 states have data privacy regulations. Many organizations are unaware of their own state's data privacy laws, or assume those laws do not apply to them, when in fact they almost always do.
  • Apart from the data security standards listed above, there is currently a proposed federal privacy law working its way through Congress. It is safe to assume that a new federal data privacy law will be enacted soon.

Ultimately, regulations are becoming more stringent, not less. Fines and penalties are getting steeper, not cheaper. And certifications are becoming more important, not less. Even more critical is the fact that these regulators demand that you use industry-standard, NIST and FIPS 140-2 certified key management and encryption. Without these credentials, your company may not be compliant.

For more information on AES, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.