Question: What do healthcare professionals, retailers and financial service experts all have in common?
Answer: The need to protect consumer data.
No, this isn’t a bad joke. It’s the work that’s happening every day across many industries, as companies try to maintain their reputations, avoid penalties and keep their customers coming back. While we’re all striving to achieve the same goals of data security and data privacy, there is no “one-size-fits-all” approach that addresses the needs of every data type.
For example, the retail industry stores and processes the data it collects differently than a healthcare system or professional would. A person’s financial data, while important, is not as valuable as their overall identity. With each passing data breach, the public cries out for more protection against data predators, and elected officials respond with more and more regulation intended to address the crisis du jour. But are more compliance requirements and regulations the answer to data protection issues?
What impacts you and your business?
To better understand how these regulations affect specific industries or businesses, let’s first give a brief overview of some of the major ones in force today:
Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to improve the efficiency and effectiveness of the healthcare system, requiring the Health and Human Services Department to develop national standards for electronic health care transactions and code sets, unique health identifiers and security. In 2000 and 2003, the HIPAA Privacy Rule and Security Rule were published, respectively. The Privacy Rule protects an individual’s identifiable health information, whereas the Security Rule safeguards the confidentiality, integrity and availability of electronic protected health information (e-PHI).
Sarbanes-Oxley Act (SOX) was passed in 2002, in response to the financial scandals at Enron, WorldCom and Tyco, to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. Section 302 relates to a company’s financial reporting, requiring the CEO and CFO to accept personal responsibility for all internal controls and to certify that all records are complete and accurate, while Section 404 stipulates further requirements for the monitoring and maintenance of those internal controls. Independent validation in the form of external audits is required to confirm the design and effectiveness of financial and technical internal controls, which are defined by the company itself; the results are reported to the SEC. SOX also requires that companies retain all business records for a minimum of five years.
Payment Card Industry Data Security Standard (PCI DSS) has been a primary focus for retailers since 2004 and is designed to ensure that all companies that accept, process, store or transmit cardholder data maintain a secure environment. “Cardholder data” refers to the full Primary Account Number (PAN) or the full PAN along with the cardholder’s name, expiration date and/or service code. While PCI DSS is not a regulation, the payment card brands are able to impose fines for non-conformance or, worse, prevent a retailer from accepting their cards at all.
Finally, the newly enforced EU General Data Protection Regulation (GDPR) applies to any company that collects or processes the personal data of any European Union citizen, regardless of the company’s location. “Personal data” refers to any information that can directly or indirectly identify an individual, including their name, identification number, location data or online identifier. GDPR protects this data in just about every conceivable way.
Each of the above serves its own unique purpose and will impact businesses differently. If you’re lucky, you only need to comply with one of them. When you have multiple sets of requirements to address, you realize quickly that a strategy is necessary. So, what do regulatory bodies need from you? Each expects that you know what data you have, where it’s stored and how you’re using it. Each will require you to implement some degree of internal controls and supporting processes, including a security program focused on data integrity and protection. Lastly, each will hold you accountable if you are not compliant. Wait, that sort of makes all major regulations sound alike. Is compliance a “one-size-fits-all” proposition? Not at all.
Accountability makes all the difference
Where these regulations and standards lack consistency is in their independent validation requirements and their penalties for non-compliance. While I can appreciate that the last thing a company wants to deal with is another audit, it is during audit periods that best practice is most often discussed and, more importantly, implemented. Audits give you the chance to prove that you’re really doing all the wonderful things your policies and processes document. They are an occasion to build confidence with the consumers of your products and with your internal staff, and to show them you are as good as or better than you were yesterday. If you are not having your compliance programs independently assessed, you are missing an opportunity.
Defined evaluation requirements are necessary to ensure appropriate accountability. When companies know someone is coming to evaluate their environments, they take the requirements more seriously; they rise to the occasion. They build strategic lists of requirements and controls (i.e. an internal control framework) to execute against, taking into account not only the regulatory requirements they face, but also their own internal policies and best practices that elevate them from being compliant to being secure.*
*Compliance does not equal security, regardless of what many regulators would like to believe. If you’re unclear on that concept, please read more here.
Fail to Plan and Plan to Fail
If you fail to prepare, there will inevitably be fallout. Failure to prepare for SOX may come as a disclosure statement in your SEC filings. For PCI, perhaps as an undetermined fee to Visa and Mastercard for non-compliance. Here’s hoping you’re not found in breach of GDPR rules, or your non-compliance may cost you fines of up to €20 million or 4% of your global revenue (whichever is greater). Yikes!
How will you know if you’re compliant without an independent assessment, and how do you know how much to care without understanding the penalties of non-compliance?
Fines and penalties are often viewed as the “so what” of regulatory and industry compliance requirements, but they should be the first bullet point in any regulation. If regulators were more consistent and clear in defining penalties, their purpose and intent would ring more clearly with business leaders and would better drive the positive actions each regulator expects.
We’re all trying to do the right thing to protect everyone’s data, regulators, business leaders and technologists alike. As we balance risk and reward, defined and impactful consequences for non-compliance will make those choices easier and will drive the desired results.