The simplest definition of compliance is the act of complying with a wish or task. If only Information Technology (IT) compliance were that simple. Unfortunately, compliance in the IT industry can be incredibly complicated, because the "wish or task" is a set of government- or industry-mandated standards, rules, processes, or guidelines. These compliance regulations specify which data must be protected, which processes are considered acceptable, and the penalties for failing to meet and follow the rules.
It is critical not to confuse data compliance with data security. The two are regularly bundled together and discussed as if they were interchangeable, but they are not. Although they share the same goal, managing risk to protect data, compliance ensures you are meeting the minimum legally mandated standards. Data security, on the other hand, refers to all the procedures, processes, and technologies that define how you manage sensitive data and guard against vulnerabilities and attacks. Meeting a compliance baseline therefore does not by itself mean the data is secure.
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020, and is considered one of the toughest consumer protection laws in the United States. It is California's equivalent to GDPR, and in certain requirements it is even tougher. For instance, it broadens the definition of private data to include information used to build a customer profile reflecting characteristics, preferences, predispositions, behavior, intelligence, attitudes, psychological trends, aptitudes, and abilities.
One of the ways to be compliant in information technology is to follow one of the newest standards issued by the European Union: the General Data Protection Regulation (GDPR), which was implemented in May 2018. GDPR establishes people's right to know what data companies are collecting on them, sets out how companies may use that data, and imposes stricter rules on breach reporting.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 focuses on how U.S.-based organizations manage individuals' medical and healthcare data. The purpose of this requirement is to ensure the confidentiality and safety of these medical records. Since this information is incredibly personal and sensitive, the penalties for failing to comply can be severe. For instance, in 2018, the insurance provider Anthem paid $16 million after a hacking attack exposed the medical information of around 79 million individuals.
To be compliant, HIPAA requires that access to all electronic health records be restricted to those who need to view them. In practice, that means encryption with strong access controls is a requirement. These standards apply both to information held in a database and to information being shared, so the necessary steps must be followed to ensure that file transfers and emails are fully protected, monitored, and controlled.
Companies that handle customer payment card information must follow the Payment Card Industry Data Security Standard (PCI DSS), which governs how companies manage and protect cardholder information. While PCI DSS is not government-mandated, it is still an industry standard, so companies that do not follow its rules could have their relationships with payment processors or banks terminated and face hefty fines. Although companies typically use third-party payment processing services, it remains the merchant's responsibility to ensure the safety of any cardholder information it gathers, stores, or transmits.
The Sarbanes-Oxley (SOX) Act of 2002 aims to protect against corporate accounting scandals like the one Enron set in motion two decades ago. This regulation focuses more on financial reporting than on data protection, so some IT experts consider it less important than other regulations. This is not the case: IT departments have defined roles in ensuring the company is compliant. First, they must assist the CEO and CFO by providing real-time reporting on financials. To do this, systems must be implemented that automate reporting and raise alerts when specific events require attention. Second, IT teams must ensure all records are correctly stored and retained, which requires timely backups of critical information.