Mar

13

Compliance: Privacy Regulations Based on Industry

Protecting your brand and reputation is crucial to every organization as the number of data breaches is constantly on the rise. There are guidelines already in place for most organizations. Learn more about your industry’s regulations for data security.

Do you accept payment via credit card?

PCI, The Payment Card Industry Data Security Standard, was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually with fines ranging from $5,000 to $500,000. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines.

Are you a publically traded corporation?

The Sarabane-Oxley Act of 2002 ensures that the information each corporation makes available to current and potential shareholders provides a true and accurate picture of the financial state of the company. The act contains 11 titles ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. Penalties for noncompliance include fines, or imprisonment for up to 20 years.

Are you considered a financial institution?

FACTA (Fair Trade and Credit Transaction Act of 2003) requires financial institutions and creditors to develop and implement a written identity theft prevention program to detect, prevent and mitigate identity theft. As a financial institution or creditor, you are ultimately responsible for complying with the final rules and guidelines even if you outsource an activity to a third-party provider

Applies to: Any person who maintains or otherwise possesses consumer information for a business purpose.

Penalty for noncompliance: Civil liability in which an employee can recover actual damages from his/her employer for all damages incurred from identity theft.

Gramm-Leach-Biley Act also applies to financial institutions, including banks, investment companies, credit unions, or any of their partners that collect and retain private data. Protects a customer or consumer’s personal financial data, including name, address, and Social Security number. CEOs and board members can be held personally liable in identity theft damages.

Do you do business with California residents?

Then California Senate Bill 1386 applies to you. Similar to Gramm-Leach-Biley, the bill provides California residents protection concerning the safety of their driver’s license, Social Security, credit card, and other private information obtained during a business transaction.

  1. How can the corporations determine whether they are subject to this statute?
  2. Does their data include “personal information” as defined by the statute?
  3. Does that “personal information” relate to a California resident?
  4. Was the “personal information” unencrypted?
  5. Was there a “breach of the security” of the data as defined by the statute?
  6. Was the “personal information” acquired, or is reasonably believed to have been acquired, by an unauthorized person?

If you answer yes to all five of these questions then you must report. Penalty for noncompliance: Fines from potential class-action lawsuits are determined on a case-by-case basis.

Are you part of the healthcare industry?

Then you’re probably familiar with HIPAA, the Health Insurance Portability and Accountability Act. All companies that transmit healthcare information, including healthcare providers, have to comply with HIPAA’S patient protection regualtions. Fines of $250,000 and criminal prosecution can occur, learn more about HIPAA.

TechR2 is a leading provider for secure onsite data eradication and technology retirement solutions. We are ISO 27001 certified, ISO 14001 certified, ISO 9001 certified, OHSAS 18001 certified, and R2 certified.

Contact us today to see how TechR2 can assist you with your next project.