In addition, however, data security is governed by a complex web of laws, rules, regulations, and policies (for this purpose, we’ll refer to them collectively and individually as “rules”). The purpose of such rules is to prevent abuse of information to which an enterprise has access, Carneiro explains. Which rules apply depends upon the nature of the data being protected, the applicable industry, the unique characteristics of the company in question and even different departments within the company, and who and what has jurisdiction over the relevant company.
Many of the rules derive from statute (most of the acronyms you might be familiar with when it comes to rules refer to statutes), but some derive from common law (such as case law regarding privacy). Some of the rules (for example, rules arising under common law, the Data Privacy Act of 1974 and, to some extent, HIPAA, the Health Insurance Portability and Accountability Act of 1996) pre-date the current data breach boom that began around 2005.
The following rules apply primarily to enterprises governed by the laws of the U.S. and the European Union. For enterprises governed by the laws of other nations, still more rules will apply.
The National Institute of Standards and Technology
A number of rules are based on, and comply with, the guidelines and standards issued by the National Institute of Standards and Technology (NIST), a non-regulatory agency that is part of the United States Department of Commerce, whose mission is advancing security standards in the interest of promoting U.S. innovation and competition. These include:
FISMA - the U.S. Federal Information Security Management Act, which requires implementation of information security controls, including periodic risk assessments and security awareness training, in each case using a risk-based approach. FISMA applies to all federal government agencies, state agencies that administer federal programs, and private companies that support federal programs, sell services to the federal government, or receive federal grant money.
HIPAA, which imposes national standards for electronic health care transactions to guard the security and privacy of personal health information.
FedRAMP, which is a government-wide program that provides a standardized approach to cloud security.
HITRUST CSF – the HITRUST Common Security Framework, a prescriptive set of controls put forth by a non-regulatory organization and intended to meet the requirements of multiple security rules and standards pertaining to healthcare organizations and their business associates. HITRUST CSF is not only based on NIST; compliance with it should also ensure compliance with:
HIPAA (described above)
PCI DSS (Payment Card Industry Data Security Standard), which is a set of requirements for enhancing the security of payment customer account data and is applicable to retailers, credit card companies, and anyone else handling credit card data.
ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ‘ISO27K’ for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and provides best practice recommendations on the management of data security risks through data security controls.
GLBA - the Gramm-Leach-Bliley Act of 1999 (also known as the Financial Modernization Act of 1999), which aims to protect consumers’ personal financial information held by financial institutions, and is applicable to financial institutions and companies providing financial products and services to consumers.
VA 6500 – information security standards in connection with information stored in or accessible by the Veterans Administration.
IRS 1075 - encryption requirements for Federal Tax Information.
EFTA – The Electronic Fund Transfer Act, dating back to 1978, protects consumers engaging in electronic fund transfers from errors and fraud and applies to financial institutions that hold consumer accounts or provide electronic fund transfer services, as well as to merchants and other payees.
FACTA - The Fair and Accurate Credit Transaction Act, enacted in 2003, amends the Fair Credit Reporting Act to help consumers avoid identity theft. It applies to financial institutions, credit bureaus, credit reporting agencies, any business using a consumer report, and any business that collects payments.
GDPR – The General Data Protection Regulation consists of data security rules applicable to the U.K. and the E.U., and it dovetails with the Privacy Shield Framework with regard to transferring GDPR-governed data to the U.S.
FERPA – The Family Educational Rights and Privacy Act protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
How to know which rule(s) apply to your enterprise
It’s not always obvious which rules might apply to your particular enterprise, and it gets even more complicated when you’re a global provider of services across multiple industries, as Exela is. Accordingly, it’s always advisable either to have a compliance expert on staff or to have one with whom you consult regularly, not just on compliance but on record-keeping with regard to such compliance. As alluded to here, that’s something you should be thinking about as part of your data security best practices. In addition, please be aware that Exela offers solutions to help keep you in compliance.
In the weeks ahead, we’ll be diving in to explore how system and data security dovetail with data privacy and all the laws and regulations with which your digital transformation provider should be compliant. We’ll also explore those security matters you’ll want to consider when choosing your digital transformation partner. If you missed the earlier posts in this series on cyber security, you can catch up here on: