Compliance rules and regulations affect everybody in every business and organization, whether you work for that organization or you are one of its customers. Various rules and regulations have been created to protect information, employees, consumers and investors from security breaches.
Compliance is not an easy task to tackle. You first need to understand all of the various rules and regulations that apply to your industry. You then need to determine which of those rules directly apply to your information systems. Once you have figured this out, you need to know how to enforce those policies. In addition, you need to be prepared for tough situations: what do you do when business needs require an exception to those security policies, and what do you do when the solutions you put in place detect a breach?
Here is an overview of the major compliance rules that must be taken into consideration and understood in order to protect your organization:
The Federal Rules of Civil Procedure, as amended on December 1, 2006, apply to any organization that has the potential to be involved in litigation in the U.S. Federal Court system. The amendments, which went into effect on December 1, 2006, mandate that companies be prepared for electronic discovery. The organization must know where its data is, how to retrieve it and how to meet data requests, and it must determine what data will not be subject to search.
Any organization in any industry has the potential of being involved in litigation in the U.S. Federal Court system.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.
Title I of HIPAA improves the portability and continuity of health insurance coverage for American workers and their families.
Title II provides for administrative simplification, requiring the development of standards for the electronic exchange of health care information including standard identifiers. HIPAA administrative simplification also requires the protection of the privacy of personal health information and the establishment of security requirements to protect that information.
More specifically, HIPAA Administrative Simplification calls for:
- Unique health identifiers for individuals, employers, health plans and health care providers
- Standardization of electronic patient health, administrative and financial data
- Privacy and Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
HIPAA calls for severe penalties for noncompliance, including civil fines of up to $25K per standard for violations in a calendar year, and criminal fines of up to $250K and/or imprisonment of up to 10 years for knowingly misusing individually identifiable health information.
Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. The Transactions Rule was published on August 17, 2000, so the compliance date for that rule is October 16, 2002*. The Privacy Rule was published on December 28, 2000, but due to a minor glitch it did not become effective until April 14, 2001. Compliance with the Privacy Rule is required as of April 14, 2003.
*Entities who filed a compliance plan have until October 16, 2003 to be compliant with the Transactions Rule. For more details on the extension, go to the Centers for Medicare and Medicaid Services (CMS) web site at http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
The Sarbanes-Oxley Act, enacted on July 30, 2002, and also referred to as the Public Company Accounting Reform and Investor Protection Act, was primarily put in place to protect investors in public companies and to help instill a renewed system of checks and balances within corporate accounting and executive leadership. This act sets strict guidelines around accounting practices and the auditing process for those practices, and specifically makes the executive management team personally responsible for fraudulent activities, including insider trading and conflicts of interest.
The Gramm-Leach-Bliley Act, enacted in 1999 and also referred to as the Financial Services Modernization Act, provides limited privacy protections against the sale of your private financial information. This act also helps enforce rules to ensure that those who do obtain your personal information do so under the correct pretenses.
GLBA protects customers of organizations that may be owned by larger conglomerates with other businesses that could use your personal financial information for their own gain in one way or another. For example, your insurance company may be owned by an investment firm or banking institution that could leverage your personal information to solicit other services. Under this act, your information may not be passed along in this way without your authorization.
The Financial Industry Regulatory Authority (FINRA) is a non-governmental regulator for all securities businesses within the United States. FINRA is responsible for monitoring all aspects of securities trading and also helps create and implement regulations that protect investors in the U.S. markets.
FINRA actively educates companies on how to properly research, invest in and save through securities. FINRA also actively enforces its rules.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to create guidelines for companies that accept credit cards, so that they can safeguard against credit card related crimes such as credit card fraud, system hacking and identity theft. If your company processes fewer than 80,000 credit card transactions per year, you may perform a self-assessment and do not require external audit validation. If you do process more than 80,000 transactions, you are required to be PCI compliant.
The Children's Internet Protection Act (CIPA) requires that schools and libraries monitor the online activities of minors. Schools and libraries subject to CIPA must adopt and implement an Internet usage policy. Under this policy, the online activity of minors is monitored and enforced to ensure that the activities performed are not illegal and are deemed appropriate for minors.
The Investment Advisers Act of 1940 was created to regulate the actions of investment advisers. Its guidelines were put into place to define exactly what an investment adviser is, and it requires that these advisers register with the SEC. The act also sets standards for advertising, disclosure, fees, liability and record keeping. Investment advisers heavily impact securities exchanges, traditional banking and the overall domestic economy, and as such the act was enacted to protect the private investor.
ISDefender pioneers creative solutions that blend applicable laws into your business environment and aid you in sifting through the many compliance laws to determine which are applicable to your business. In addition, we can leverage advanced technology solutions to help enable compliance without impacting key business processes and productivity.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.