The healthcare industry is one of the top targets for cybercriminals, but it is not alone. Insurance companies, financial firms, universities and schools, social media and online commerce companies are all at risk and, as a result, have regulations they must adhere to. Put simply, if an organization handles any personally identifiable information (PII), you can bet there is a compliance standard or regulation it must follow. Here are just a few from around the world that are designed to keep personal data secure.
HIPAA (United States)
Signed into law in 1996, the Health Insurance Portability and Accountability Act is designed to make sure that medical information is kept confidential and private and used only for its intended purpose. Medical information, which HIPAA defines as protected health information (PHI), may be collected, shared, stored, and used only for legitimate reasons, and covered entities and their business associates must safeguard it with appropriate administrative, physical, and technical controls.
FERPA (United States)
Sometimes referred to as the Buckley Amendment, FERPA is the Family Educational Rights and Privacy Act of 1974. It protects the privacy and security of student education records at schools that receive federal funding. It gives parents, and students themselves once they turn 18 or enroll in a postsecondary institution, the right to inspect those records and to control the disclosure of personally identifiable information they contain.
GDPR (European Union)
Enforcement of the General Data Protection Regulation is right around the corner (May 25, 2018), when it replaces the current EU Data Protection Directive. Its goals are to harmonize data protection rules across the European Union and to extend those rules beyond its borders. It applies to any organization that controls or processes the personal data of people in the EU, regardless of where in the world the organization is located, when it offers them goods or services or monitors their behaviour.
PIPEDA (Canada)
The Personal Information Protection and Electronic Documents Act received Royal Assent in April 2000 and came into force in stages beginning in 2001. PIPEDA was enacted to promote consumer trust in e-commerce and to satisfy the EU's adequacy requirements under the Data Protection Directive, so that personal data about European residents could continue to flow to Canadian organizations. You can read more about PIPEDA here: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
Cybersecurity Law (China)
Adopted by the National People's Congress in November 2016 and in effect since June 2017, China's Cybersecurity Law is a significant upgrade of data privacy rules in the world's second largest economy.
China already had various laws and regulations in place. The Cybersecurity Law further defines how personal data may be collected, stored, and transferred, and gives individuals more rights over how their data is handled. It also establishes more robust protections for critical information infrastructure in sectors such as energy, finance, transportation, and water conservation, including requirements to store certain data within China. Read more here: https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf
APPI (Japan)
Japan's Act on the Protection of Personal Information, or APPI, is one of the longest standing data protection laws in Asia, dating back to 2003. In 2016, Japan established the Personal Information Protection Commission (PPC) as the independent authority that supervises and enforces the law, and the amendments it oversees, intended to modernize Japan's data protection regime, took full effect in 2017.
One of the biggest changes was the introduction of restrictions on transferring data across borders. A business operator may not transfer personal data to a third party in a foreign country unless the individual has consented in advance, the destination country has been recognized by the PPC as having a level of protection equivalent to Japan's, or the recipient has put safeguards in place that meet the PPC's standards. Read more here: https://www.lexology.com/library/detail.aspx?g=efa0a2b0-b73e-456c-b4fa-26a268e9e751
What about the rest of the world?
Some countries have much stricter laws than others. Venezuela, for example, has limited laws protecting PII, while Argentina and Australia have stringent regulations in place. If you want to learn more about privacy laws around the world, check out this interactive map: https://www.dlapiperdataprotection.com/#handbook/world-map-section/c1_CA
Don’t Forget About NIST
Initially developed for critical infrastructure operators, the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, first published in 2014, is now referred to simply as the NIST Cybersecurity Framework, or NIST CSF.
At the core of NIST CSF are five functions (Identify, Protect, Detect, Respond, and Recover) and 22 categories within those functions, which provide a roadmap organizations can follow to strengthen their defenses against cyber-threats. Think of it as a common language that can be understood from the top to the bottom of your organization, regardless of size or industry. Rather than a compliance checklist, it is a customizable strategy that can be applied to an existing security program or used to build one from the ground up.
Although it is not a regulation or a required compliance standard (for the private sector it is entirely voluntary, although US federal agencies have been directed to use it since 2017), the NIST Cybersecurity Framework offers tremendous upside for organizations of all shapes and sizes. Read more about it here: https://www.nist.gov/cyberframework
Why Compliance Matters to Your Organization
Organizations of every size and industry are targets, and therefore have a twofold responsibility: knowing which regulations they must adhere to, and making sure their end-users understand what those regulations require of them. Simply checking the compliance box is not enough. Organizations must train their employees on why security matters and how it affects them both personally and professionally. By making security awareness training personal, you make your employees far more likely to understand the importance of data protection, and far less likely to cause a data breach.
For more information on how to plan, launch, and manage a successful training program, check out our resource library, where you will find plenty of useful materials. And feel free to contact us with any questions about compliance or any other aspect of building a culture of strong human firewalls.