For some businesses, network security compliance requirements can be a major issue. The problem is that not every business faces the same compliance standards. Different companies will need to meet different cybersecurity compliance standards—in fact, even two businesses in the same industry might have different compliance requirements that they need to meet.
The team here at Compuquip strongly recommends going above and beyond the minimum necessary network security measures required for basic compliance. However, we all understand that many of our readers are more worried about knowing what those minimum compliance requirements are in the first place.
So, to help you out, here are a few heavily abbreviated explanations of different cybersecurity compliance standards, and what kinds of businesses might need to meet them.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is not a government-mandated compliance standard, but it is one that most businesses will have to meet. This is because major credit card companies like Visa and MasterCard require companies to have PCI DSS validation.
PCI DSS sets down a list of security requirements to help protect payment card data so it cannot be easily stolen from a business and used to commit fraud. The PCI Security Standards Council periodically releases new requirements and updates to PCI DSS, so it’s important for companies to continually revise their cybersecurity to identify gaps and opportunities for improvement to keep up with new versions of this compliance framework.
Virtually any business that handles any kind of payment card will need to follow PCI DSS.
What Does the Sarbanes-Oxley (SOX) Act Have to Do with Cybersecurity?
The Sarbanes-Oxley Act of 2002, sometimes abbreviated SOX, was a piece of legislation introduced after major financial scandals involving companies such as the infamous Enron Corporation rocked the U.S. economy. Enron’s manipulation of financial statements made the company look like it was growing and earning money on paper, even as it was losing assets and actual earning potential. When the bubble finally burst, many investors faced major financial losses.
As noted by Investopedia, “The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.”
So, what does a financial regulation like SOX have to do with security compliance? The main way SOX matters is in how companies store and report their financial data. SOX requires companies to retain their financial data for a set period of time so officials can verify company reports. It also specifies the types of information that need to be stored, which means that companies need to have a security solution in place to protect that data from being stolen or deleted.
As a major consumer protection law, the Sarbanes-Oxley Act affects virtually all American businesses.
How Does the Health Insurance Portability and Accountability Act (HIPAA) Affect Businesses?
The Health Insurance Portability and Accountability Act (HIPAA) is a government-mandated compliance standard that affects businesses in the healthcare industry. As stated on HHS.gov, the HIPAA privacy rule affects the following types of organizations:
- Health plans;
- Health care clearinghouses; and
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
Basically, organizations that process patient data of any kind (whether it’s health information or payment information) have to abide by HIPAA’s privacy rules and compliance standards.
HIPAA provides compliance requirements for transactions and billing code standards, data privacy, data security, and breach notifications that organizations that process patient data must follow. Failure to follow HIPAA requirements can result in civil money penalties.
Who Has to Worry about the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) was created by the European Union (EU) to increase the data privacy of EU citizens and provide them with more control over who can store and use their personal data. Although GDPR is a foreign regulatory compliance standard, it targets any business that processes the personal data of EU citizens (who are called “data subjects” in the text of the regulation).
So, if your business regularly handles the personal data of anyone from the European Union, you can expect that these regulatory compliance standards will be applied to it.
In summary, the key components of GDPR are:
- Businesses Must Respect the Rights of Data Subjects. Businesses must: explain what a data subject’s rights are; inform them when data is being collected, what is being stored, and how it will be used; delete any collected data if asked by the data subject; provide data subjects free access to collected data; and cease and desist collection of data if the data subject objects to it.
- Notifying Data Subjects of Breaches. GDPR layers on a requirement to notify any data subjects of data breaches without “undue delay,” which is left vague in the regulation’s terminology. To be safe, businesses should send breach notifications as soon as possible after discovering one.
- Ensuring All Data Collected is for Specific Tasks. GDPR requires businesses to justify their data collection activities as being part of a specific task. Collecting data without establishing a justifiable use case can result in penalties.
- GDPR is Considered Technology Neutral. The specific means of collecting and storing data subject information do not matter under GDPR—all of the rule’s compliance standards still apply. Businesses need to be careful about their analog and digital data storage methods under GDPR.
- Penalties for Not Following GDPR’s Compliance Requirements. If a business is found to be violating GDPR compliance standards, it may face significant fines: up to 4% of the business’s annual turnover or 20 million euros (whichever is greater) for particularly bad violations. This is in addition to any compensation owed to data subjects.
What about State-Specific Security Compliance Requirements?
The previous regulations are all at a national (or international) level. But, businesses must also contend with state-specific compliance standards for cybersecurity as well. The question is: “How can I check my network security compliance needs for the state (or states) my business operates in?”
The best way to check your company’s security compliance requirements is to reach out to your state’s regulatory bodies to ask for specific guidance. Your local chamber of commerce should also be able to provide an explanation of any major regulatory compliance standards that may affect your business, as well as some resources for achieving compliance.
A lawyer specializing in corporate law can also provide some general advice for meeting legal compliance requirements. Cybersecurity service providers (like Compuquip) can provide specific advice for meeting network security compliance requirements for your business—and even help you increase your security beyond the basic minimums required for compliance.
If you need help checking your network security compliance needs and bringing your cybersecurity up to code, contact Compuquip Cybersecurity today!