Compliance Alphabet Soup
No matter what industry you’re in, compliance acronyms are abundant, filling your days with both confusion and regulation. We call it the compliance alphabet soup. It’s time to make a little bit more sense of all those acronyms and what they likely mean for your business.
Professional Rules of Conduct: Lawyers and other professionals are subject to specific rules in the Professional Rules of Conduct, exclusions in cyberliability insurance policies, and malpractice standards. These rules govern attorney competence in technology, the protection of client confidential information, and responsibilities regarding non-lawyer assistance (e.g., outsourced IT, IT security, and cloud services). There are specific exceptions to cyberliability insurance policies that car bar coverage. If attorneys fail to maintain privacy and security, they may also be subject to malpractice liability. We will discuss these in detail in a later blog.
GDPR (General Data Protection Regulation): While this regulation only applies to the European Union and information leaving the EU, we are seeing its effects state-side because it requires businesses that interact with EU citizens to comply, regardless of location. The goal of GDPR is to create greater data privacy and protect from breaches. If there is even the slightest likelihood that someone from the EU will be visiting your site or interacting with you online, make sure that you comply with GDPR regulations. We’ll cover GDPR in greater detail in our next blog.
HIPAA (Health Insurance Portability and Accountability Act of 1996): While this law has been on the books since 1996, many medical practices are still not HIPAA compliant and believe that they are too small to be touched. Even if you aren’t directly in the medical industry, pay attention! Beyond the practices themselves, any organization that works with a medical practice has a responsibility in HIPAA compliance through associate agreements. These agreements particularly apply to IT companies, law practices, accounting firms, and others that might have access to patient data in any way. The bottom line, all patient data must be protected, encrypted, and safe. You also need to have a specific HIPAA-compliance plan, breach response plans, and data recovery methodology. HIPAA has gained notoriety with larger-scale medical breaches in recent years, in addition to larger fines levied for HIPAA breaches. The largest fine currently on record is $16 million. Small companies are also being hit with violations costing about $1.5 million apiece.
HITECH (Health Information Technology and Clinical Health Act): HITECH entered the picture in 2009 and brought teeth to HIPAA violations. This regulation specifically covers the electronic transmission of health information. In its best form, it’s meant to improve patient care through better doctor coordination, better sharing of information, and strong data security of electronic health records. In practice, all those privacy forms that you sign whenever you go to the doctor really do have an important purpose.
I-9 (Employment Eligibility Verification): This is the form that new hires must fill out within three days of employment to verify that they are eligible to work within the US. While this piece of paper may get lost among the sea of new hire paperwork, it should never be overlooked. Even if you’ve been correctly employing the I-9 form for years, you may want to go back and check for form updates. Some updates will have no impact; but to be truly in compliance, you’ll sometimes need to go back and have every employee update their I-9 information and verification documents.
PCI DSS (Payment Card Industry Data Security Standard): Do you collect credit card information within your business? Any payment data collected and stored must be PCI compliant. To ensure compliance:
Employ strong security standards, like firewalls, anti-virus protection, and regular updates that protect your network as a whole
Encrypt all credit card information transmitted across open networks
Maintain strong data access controls to ensure that rogue people don’t gain access to your information
These are just a few of the compliance acronyms you may encounter in your daily work. Don’t get lost in the compliance alphabet soup. A quality IT Security firm can help you comply with the vast majority of these and will be able to put a clear plan of action in place to increase your cybersecurity footprint.