If you’re a business owner, you probably already know how overwhelming compliance issues can be. Depending on the industry you’re in and services you provide, you may have to deal with one or many different types of compliance. Most compliance issues have a technology component and it can be difficult for small to medium-sized businesses to keep up on what it means to be compliant. The first step toward being compliant is knowing the different types of compliance and which apply to you. Here are the most important:
If you handle credit card information for customers or clients, you will need to abide by the Payment Card Industry (PCI) compliance regulations. These are technical and operational standards, developed and managed by the PCI Security Standards Council, that protect the credit card data your clients provide to you. The requirements include six major objectives, 12 key requirements, 78 base requirements, and more than 400 test procedures. The most important requirements are the six major objectives, which are as follows:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
If you’ve ever signed a HIPAA form at your doctor’s office, you’re already familiar with this type of compliance. HIPAA stands for Health Insurance Portability and Accountability Act and was enacted to protect those covered by health insurance and to ensure there are standards for protecting and storing personal and private medical and identification data. Healthcare billing services, health insurers, HMOs, and medical facilities are just a few of the entities that must abide by HIPAA. HIPAA compliance includes extensive requirements for the technology in the business, documents, and even social media. Those who do not comply with HIPAA can face criminal charges or fines. Here are some common reasons for HIPAA violation citations:
- Lost or stolen laptops, phones, or desktops that contain private patient information.
- Texting patient information.
- Mishandling of patient records such as accidentally leaving them in an exam room for another patient to see.
- Posting patient photos on social media.
- Accessing patient information on home computers.
- Releasing patient information without a signed consent form from the patient.
- Unsecured forms on websites where patients can fill in private information.
Did you think the Americans with Disabilities Act (ADA) only applied to your physical office spaces? Along with having accessible bathrooms and walkways, businesses must also have accessible electronic and information technology according to the Americans with Disabilities Act Standards for Accessible Design. Those organizations that need to comply with this act include private employers with 15 or more employees, businesses that operate for the benefit of the public, and state and local government agencies.
The General Data Protection Regulation is a European law, but it still affects U.S.-based businesses if they have website visitors from Europe. The regulation affects how your website obtains and stores cookie consents from EU visitors in regard to processing and moving their personal data. Personal data includes any data that can be linked to an individual and identify them, including first and last names, browser history, geolocation, and email addresses. Basically, if your website processes personal data from users in Europe, it may do so only:
- If it’s needed to complete a contract.
- If it’s needed to carry out a task that is in the public’s interest.
- If it’s needed for compliance with legal obligations.
- If it’s needed for legitimate interests pursued by the controller or a third party.
- If the subject consents.
The National Institute of Standards and Technology has created standards for the tech and science industries that assist federal agencies and contractors in meeting requirements under FISMA (the Federal Information Security Management Act) and similar regulations. NIST has created a framework that any business can use to assess its security risks, though the only organizations required to comply are procurement service companies, manufacturers that sell to the government, government staffing firms, manufacturers that sell to government suppliers, consulting companies, research institutions, and service providers.
In addition to these standards, there are also a number of auditing procedures and standards that can help your business keep private information safe and protect against cyber incidents. The procedures most helpful to you will depend on the size of your company, the industry you’re in, the type of private information you handle, and your infrastructure.
Though some companies have their own internal teams that focus on compliance, many smaller companies do not. These businesses would benefit from working with an expert like those at Elkhorn Services to ensure they are in compliance and that their infrastructure is protected from data theft and other cybercrime.