Compliance: Why It Matters and How to Achieve It
October 11, 2016
According to a recent report on data security compliance, industries ranging from retail to healthcare to banking claim that protecting data to comply with corporate policies, industry regulations, or data privacy laws is very important, especially in sectors which are highly regulated.
Why is compliance so important to your business’ culture? Of the U.S. companies surveyed, 72% of the data breaches were caused by human or processing errors due to lax or non-existent compliance procedures.
The consequences of data loss or non-compliance can be devastating: compensation costs, legal actions, bank fines, federal audits, lost revenue, and a damaged reputation. Consider Target’s 2014 breach, causing estimated losses of $440 million, or health insurer Anthem’s breach, which resulted in over 50 class-action lawsuits.
Bottom line: When your data is not secure, either your business gets mired in expensive recovery operations or the cost of business becomes unsustainable. Implementing your data compliance strategy is the first step to mitigating or eliminating data risk.
Don’t Be Remembered for the Rules You Break
Your organization must comply with several types of regulatory standards. Some are federal mandates, others are industry standards, while others are just good practice. Your business should have internal policies to either meet or exceed federal or industry expectations. Consider these examples:
Sarbanes-Oxley Act of 2002 (SOX): This Congressional act aims to protect investors from possible fraudulent accounting activities by improving financial disclosures through strict reporting reforms and oversight into accounting activities.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): This act required the Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of health information. The Privacy Rule established national standards for the protection of certain health information. The Security Rule outlined federal standards for protecting information held or transferred electronically.
Federal Information Security Management Act of 2002/Modernization Act of 2014 (FISMA): The 2002 act defines a framework to protect government information, operations and assets against natural or man-made threats. The 2014 act updates cybersecurity practices by detailing the authority of the Department of Homeland Security (DHS) to administer information security policies and clarifying the Office of Management and Budget’s (OMB) oversight of federal agency information security practices.
Payment Card Industry Data Security Standard (PCI-DSS): This standard, mandated by credit card brands (Visa, MasterCard, American Express, Discover), increases controls over cardholder information and reduces credit card fraud.
International Organization for Standardization Standards for Information Security (ISO27001): While not obligatory, these standards help organizations keep their information assets secure through detailing requirements of information security management systems. When organizations comply with these standards, they may obtain a certification via an independent agency.
Family Educational Rights and Privacy Act: This act protects the privacy of student records and allows parents and eligible students access to these records.
These are but a few regulatory and industry standards regarding the protection of and access to data. There may be more which apply to your organization. It is your responsibility to keep up to date with the most current requirements. Know the rules and follow them, or your organization will become (in)famous for breaking them.
How Do I Achieve and Maintain Compliance?
Achieving data compliance is an ongoing investment for companies, but to get there you must have a plan. Here are a few steps:
If you are ready to get serious about compliance, we can help.