Are you Compliant?
When operating on the national or even international stage, it is incumbent upon an organization to adhere to a multitude of compliance requirements, not just in its home country but on the world stage too. As in previous blogs, once again we look to the U.S. as the arbiter of legislation that protects both the consumer and the organization. If recent rumblings out of the U.S. (and certainly the new Canadian CASL legislation, which took effect on July 1st, 2014) are anything to go by, new gold standards are being set rapidly, forcing organizations to review their best practices to ensure they comply with ALL current regulations concerning the use, dissemination and transmission of sensitive data.
With all the initials attached to the various pieces of legislation, it might feel like you are choosing from a big bowl of “alphabet soup.” The reality, however, is that to be compliant you must adhere to all applicable regulations, not just some. Particularly when dealing with sensitive data, below we highlight several you should be aware of:
Enough has been written about CASL, and that legislation is now in effect. Instead, today we touch on the others. When it comes to PCI (Payment Card Industry – Data Security Standards), virtually all card processors have adopted standards that help prevent identity theft and protect cardholder data at the same time. The recently released PCI DSS 3.0 helps organizations by raising security standards and “making compliance status quo.” It promotes best practices for building security into an organization’s “business as usual” activity and helps organizations implement password strength requirements appropriate to their overall security strategy. Additionally, it gives you flexibility in prioritizing log reviews to reflect the company’s overall risk management strategy.
HIPAA has been around for over 15 years and is typically referred to by way of the HIPAA Privacy Rule. It was one of the first “nationally recognized regulations (governing) the use and disclosure of an individual’s health information.” It defines how individually identifiable health information (protected health information) must be treated. Email messages must be encrypted, and senders and recipients properly verified and authenticated. It also requires that email servers and the messages they hold be protected, and in an even more recent ruling (2013) HIPAA extends its data privacy and security requirements to the “business associates” of the entities originally subject to HIPAA.
Finally, GLBA, passed in 1999, has as its primary goal the protection of consumers’ private financial data. Originally aimed at financial institutions (to whom it still principally applies), GLBA is now being embraced by many other organizations as a means to govern the collection, use and disclosure of financial information and the processes companies must follow to safeguard it. Again, the legislation speaks to an organization’s obligation to encrypt email traffic based on message sender, recipient or content.
Organizations that continually review, monitor and adapt to changing legislative requirements will find that they are in fact creating best practices in the process. By meeting or exceeding legislative standards they place their organization in a legally defensible position and, naturally, both preserve and safeguard their data. So ask yourself: are you compliant? If the answer is yes, you are probably engaged in good practices as part of your everyday business too!
Please share this information with your colleagues, or send us your questions, comments and feedback at: firstname.lastname@example.org. Additionally, you can review our email encryption solutions and find more email security resources on our web site, www.flexnetsoftware.com. We look forward to answering any Email Management or Information Governance questions you may have; please contact us at 1 (800) 263-8733.