Network Security Compliance: Which Regulations Apply to Me?

The array of regulations and standards which businesses have to follow can be bewildering. Not everyone has to follow every requirement, but doubts about what you may have missed always linger. Making matters worse, many of these requirements are written by and for lawyers, not technical people. Figuring out what they actually demand sometimes seems to require psychic powers.

Getting a definite answer requires a lawyer's assistance. To get a sense of the landscape, though, here's a summary of some of the most important laws and regulations that impact data security compliance in the US, and where they apply.

GSA requirements

Who: Federal employees and contractors

Federal offices and contractors in the United States need to comply with the General Services Administration's security requirements. Any system or record set that contains personally identifiable information (PII) must protect it. Employees and contractors have to take annual security and privacy training courses.

HIPAA and HITECH

Who: Health care providers, plans, and clearinghouses

Health organizations that handle protected health information (PHI) on individuals need to follow the requirements of HIPAA (1996) and the updates in HITECH (2009). HIPAA includes the Security Rule and the Privacy Rule, which have overlapping requirements for protection. A negligent breach of HIPAA-protected information can result in huge fines.


Sarbanes-Oxley Act

Who: Publicly held corporations

The Sarbanes-Oxley Act of 2002 is a broad piece of legislation concerning retention and disclosure of corporate information. It isn't primarily about data security, but some of its provisions have a strong impact in that area. Sections 302 and 404 are especially relevant. They require periodic certification of disclosure controls and procedures and evaluation of internal controls over financial reporting. These requirements have strong data security implications.

Gramm-Leach-Bliley Act

Who: Financial institutions

The Gramm-Leach-Bliley Act of 1999 requires financial institutions to protect their customers' private information, such as Social Security numbers and credit history. Its Safeguards Rule requires specific protections. Policies and training for employees are required.

General Data Protection Regulation

Who: Organizations holding personal data on EU citizens

The General Data Protection Regulation (GDPR) was issued by the European Union, not the US government, but it has a long reach. The EU asserts its jurisdiction over any organization that holds personal data on EU citizens. In addition to notification and consent requirements for holding personal data, Article 32 states security requirements, and Articles 33 and 34 require notifications in case of a breach. Fines for violations can run as high as 20 million euros or 4% of a company's annual global turnover, whichever is higher.



The volume of laws and regulations requiring security compliance doesn't just look intimidating; it really is. However, not every requirement applies to every organization, and most of the regulations recognize that the level of security should be appropriate to the level of risk. It takes input from both lawyers and technical people to find the best way to achieve compliance.

Engaging in generally accepted security practices, such as encryption, multi-factor authentication, and deployment of network security controls, will go a long way toward compliance with most regulations. It's important, though, to know where the strictest requirements lie and how to satisfy them.
