Network Security Compliance: Which Regulations Apply to Me?

The array of regulations and standards which businesses have to follow can be bewildering. Not everyone has to follow every requirement, but doubts about what you may have missed always linger. Making matters worse, many of these requirements are written by and for lawyers, not technical people. Figuring out what they actually demand sometimes seems to require psychic powers.

Getting a definite answer requires a lawyer's assistance. To get a sense of the landscape, though, here's a summary of some of the most important laws and regulations that impact data security compliance in the US, and where they apply.

GSA requirements

Who: Federal employees and contractors

Federal offices and contractors in the United States need to comply with the General Services Administration's security requirements. Any records that contain personally identifiable information (PII) have to protect it. Employees and contractors have to take annual security and privacy training courses.

Highlights:

• PII sent over the Internet must be encrypted.

• Reporting of incidents involving PII is mandatory.

• Individuals can't use their personal devices for storing PII.

• Transmission of printed records requires a paper trail.

HIPAA

Who: Health care providers, plans, and clearinghouses

Health organizations that handle protected health information (PHI) on individuals need to follow the requirements of HIPAA (1996) and the updates in HITECH (2009). HIPAA includes the Security Rule and the Privacy Rule, which have overlapping requirements for protection. A negligent breach of HIPAA-protected information can result in huge fines.

Highlights:

• Maintain the confidentiality, availability, and integrity of electronic PHI (ePHI).

• Guard against threats to the information.

• Prevent unauthorized use or disclosure.

• Report any incidents that may have leaked PHI.

Sarbanes-Oxley Act

Who: Publicly held corporations

The Sarbanes-Oxley Act of 2002 is a broad piece of legislation concerning retention and disclosure of corporate information. It isn't primarily about data security, but some of its provisions have a strong impact in that area. Sections 302 and 404 are especially relevant. They require periodic certification of disclosure controls and procedures and evaluation of internal controls over financial reporting. These requirements have strong data security implications.

Highlights:

• Business records need to be protected against tampering or improper deletion.

• Individuals may be prosecuted for deliberate misrepresentation.

• Auditing of internal controls is required.

Gramm-Leach-Bliley

Who: Financial institutions

The Gramm-Leach-Bliley Act of 1999 requires financial institutions to protect their customers' private information, such as Social Security numbers and credit history. Its Safeguards Rule requires specific protections. Policies and training for employees are required.

Highlights:

• A financial institution must draw up an information security plan.

• Private personal data has to be guarded against unauthorized access.

• Tracking of access to protected records is required.

• Safeguards need to be monitored and tested.

GDPR

Who: Organizations holding personal data on EU citizens

The General Data Protection Regulation (GDPR) was issued by the European Union, not the US government, but it has a long reach. The EU asserts its jurisdiction over any organization that holds personal data on EU citizens. In addition to notification and permission requirements for holding personal data, Section 32 states security requirements, and Sections 33 and 34 require notifications in case of a breach. Fines for violations can run as high as 20 million euros or 4% of a company's annual global turnover.

Highlights:

• Personal data on EU citizens has to be encrypted.

• If the availability of personal data to its owners is interrupted, it has to be restored quickly.

• Security processes need to be subject to regular testing and evaluation.

• Data breaches need to be reported to the appropriate authority and the people affected.

Summary

The volume of laws and regulations requiring security compliance doesn't just look intimidating; it really is. However, not every requirement applies to every organization, and most of the regulations recognize that the level of security should be appropriate to the level of risk. It takes input from both lawyers and technical people to find the best way to achieve compliance.

Engaging in generally accepted security practices, such as encryption, multi-factor authentication, and deployment of network security, will go a long way toward compliance with most regulations. It's important, though, to be aware of where the strictest requirements lie and how to satisfy them.