The South Florida Business Guide To Compliance
(HIPAA, FINRA & More)
The margin for error in business is razor-thin when it comes to compliance and data security.
Especially in light of the many compliance systems—FINRA, HIPAA, PCI-DSS, CMMC, and more—it’s more important than ever that you confidently manage your compliance practices.
The fact is that as technology changes so do the regulations that govern it. Whether you have to stay compliant with PCI, HIPAA, or another set of strict regulations, you need the right technology and support to keep up with changing regulations.
4it can help. We’re often asked how we meet our cybersecurity and data privacy compliance obligations.
While some customers see compliance and regulation as a burden to the business, the fact is that meeting local compliance regulations is a good way to kill two birds with one stone—you both reduce your organization’s cybersecurity risks, while also avoiding hefty fines and charges resulting from non-compliance.
Compliance In The United States
In the US, compliance is quite complicated. There is no single overarching regulation, so it depends on where you operate, and in what field.
The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 and amended by High Tech Act 2013. It applies to the operations of members and vendors in the healthcare industry, in order to maintain the security of Protected Health Information (PHI).
HIPAA becomes more complicated because it changes on a state-by-state basis. That means that you have specific breach notification regulations, depending on which state you operate in.
The Gramm-Leach-Bliley Act (GLBA) of 1999 was an attempt to update and modernize the financial industry. It was brought into effect during the Obama administration.
GLBA requires financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to “opt-out” if they do not want their sensitive information shared.
Introduced in November 2020, The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.
CMMC builds upon the requirements set out by Defence Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).
The DoD has implemented a basic set of cybersecurity controls through DoD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and organizations”.
U.S. DoD contractors or their subcontractors who collect, store, or transmit Covered Defence Information (CDI) or CUI must comply with NIST regulation 800-171 and DFARS 252.204-7012.
General Business & Other Compliance Systems
Data Privacy In Business
The Federal Trade Commission Act (FTCA) of 1914 is one of the oldest legislations in the country. It is primarily concerned with ensuring businesses do not misrepresent their privacy and data security. The FTC wields very broad power and oversees business across the country.
For an example of how serious FTCA issues can be, consider that, in 2019, Facebook paid $5 billion to the FTC for failing to achieve an acceptable level of accountability and transparency.
The Family Educational Rights and Privacy Act (FERPA) of 1974 regulates the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
The Children’s Online Privacy Protection Act (COPPA) of 1998 imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
The Payment Card Industry Data Security Standard (PCI-DSS) applies to your business if you handle cardholder information for debit, credit, ATM, e-purse, POS, and prepaid cards.
PCI requires card issuers and holders to retain an audit trail history for a time period that’s consistent with its effective use and legal regulations. It’s necessary to undergo PCI compliance auditing to ensure your customers’ data is protected during credit or debit card transactions.
If your business is noncompliant, banks and credit card institutions can impose fines anywhere from $5,000 to $500,000. Bank fines are based on the research they perform to remediate your noncompliance. Credit card institutions impose fines as a punishment for noncompliance, and they may enforce a timeline of increasing fines.
Founded in 1901, The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST provides invaluable guidelines for maintaining adequate cybersecurity standards.
While NIST regulations were once used to oversee the DoD contracting sector, they have recently been replaced with CMMC. However, NIST cybersecurity standards remain a reference for many businesses in a range of industries. In addition to other resources, NIST’s Cybersecurity Framework consists of standards and practices to promote the protection of critical IT infrastructure.
Privacy & Compliance Trends Around The World
The General Data Protection Regulation (GDPR) is an internet privacy law that affects all internet business worldwide. All businesses, small or large, and even entrepreneurs who do business on the Internet with consumers located in the European Union need to be aware of how the law affects them.
It doesn’t matter if your company is inside the EU, or anywhere else in the world. If you do business with anyone in the countries covered by GDPR, you must comply with it.
Privacy As A Right
As the world has become more and more digitized, countries around the world have begun to see digital information privacy as a basic human right. Personally identifiable information (PII)—any data that could potentially identify a specific individual—is gaining protection via similar laws and legislation in virtually all developed countries worldwide.
Compliance In The Workplace
As compliance has become an expected part of business processes, related roles in the workplace have become more common. You can expect to see “Data Protection Officer” positions become a regular part of the business world as data compliance regulations continue to evolve.
Compliance As Competition
Maintaining compliance and security isn’t just a matter of avoiding fines and consequences—doing so actually adds value to an organization as well. As consumers become more knowledgeable about the importance of their data privacy, they will seek out companies that have better track records in terms of data security and compliance.
The Raising Stakes Of Noncompliance
As the worldwide data privacy culture develops, penalties for noncompliance are becoming more severe:
In Singapore and Brazil, monetary fines are scaled according to the infringer’s revenue. In Switzerland and South Africa, those held responsible for data breaches can face criminal sanctions, in addition to conventional fines and consequences.
The Future Of Cybersecurity & Compliance
As both technology and data privacy compliance systems evolve, it’s important to look ahead and consider what steps you will need to take to keep up:
Data Inventory Management
You have to make sure you know where data is stored, where it is accessed from, and who has access to it. Each and every part of this chain could trigger legal obligations.
Take inventory of your servers, data centers, vendors, and staff members based on their permissions and access levels. This reduces the data that can be stolen in a breach.
Separate data in separate departments can be difficult to manage while maintaining compliance. It’s smarter to centralize your data, eliminate redundancies, and reduce your storage requirements (and associated costs).
Common Compliance Mistakes You Need To Avoid
It can be easy to over-promise when developing your privacy notice. If you say you’ll comply with every single system, then you have to. Failure to comply with a given system that you promised you would leave you open to an audit by the FTC.
Don’t make the mistake of constantly changing the way you assess and manage your cybersecurity.
A given organization may start with daily penetration tests, then move to vulnerability scanning, and so on. While this may be effective, it doesn’t look good to regulators. They want to see systematic improvements with processes and practices that are consistent across the entire organization.
Maintain Detailed Documentation
As mentioned above, be careful about what you include in your privacy notice. Anything you do include needs to be documented and demonstrated in your organization so that you can provide it for regulators when requested.
Many organizations make the mistake of thinking compliance can be simplified into a basic checklist. They perform a risk assessment, focus on any identified areas, and then assume they are compliant.
It’s wiser to approach compliance from a “zero-trust” mindset—assume nothing is compliant until it can be confirmed otherwise. This comprehensive model for compliance management will yield much better results.
Overlooking Your Supply Chain
Don’t forget about your supply chain—all your vendors and business associates that access your client data are subject to the same compliance systems that you are.
For example, Business Associate Agreements (BAAs) are an important part of HIPAA compliance for your practice. These contracts should clearly outline a Business Associate’s responsibilities regarding your PHI and can pose a serious liability risk if the BAA isn’t negotiated effectively.
Any outside entity or individual that is charged with receiving, maintaining, creating, or transmitting PHI is considered a Business Associate and needs to have a BAA of their own in place with your practice.
Don’t Forget About Insider Risks
The fact is that 90% of cybersecurity incidents can be traced back to human error
That’s why you need to train your staff members. directly affect the future of your business. If you’re breached, the best case scenario is thousands, if not millions of dollars in damage.
You can’t expect a firewall and antivirus solution to keep you 100% secure. Cybercriminals know that the user is the gap in a business’ cyber armor—that’s where they’re going to aim.
Why Should You Partner With 4it For Compliance And Cybersecurity Support?
The 4it team offers expertise in industry regulations compliance and management.
As your security risk assessment partner, we’ll assist in your compliance efforts with industry regulations like HIPAA, CMMC, PCI DSS, GDPR, and more. We will help you avoid hefty fines and charges due to noncompliance.
Our comprehensive compliance reporting program involves reviewing your internal and external IT infrastructure to detect potential risks and creating a summary of the findings, followed by the development of a mitigation strategy.
How Do Our Compliance Support Services Work?
As your partner in compliance, we work with you to not only develop a plan of action but also to implement it. We follow a risk-based approach to compliance management, with service features including:
- Multi-stakeholder improvement and training to ensure everyone involved understands how to maintain compliance in their work.
- We help you develop, update and implement consistent cybersecurity policies.
- We help you write your privacy notices, ensuring you do not overextend your organization, as well as that you follow through on your commitments.
- We ensure all levels of your hierarchy understand compliance, from the receptionist to the C-Suite.
- We implement a reasonably flexible third-party risk-management program, which includes your supply chain and vendors.
With our help, you’ll develop and follow a robust Incident Response Plan:
- We ensure external firms (legal, forensic cybersecurity, and more) are available when you need them.
- We help you document the incident for future reference.
- We help you determine to what extent you are required to disclose a breach.
4it Will Help You Manage Your Compliance
As you can see, failing to manage compliance is damaging and expensive. That’s why you shouldn’t bother trying to oversee your compliance personally.
You’re too important in your actual role in your business to split focus and risk overlooking something.
Let 4it take care of it for you. Don’t put your compliance at risk—4it’s team of compliance experts are available to manage it for you.