Security Compliance

Compliance

Compliance

  • Meeting the standards of laws, policies, and regulations

A healthy catalog of rules

  • Across many aspects of business and life
  • Many are industry-specific or situational

Penalties

  • Fines, loss of employment, incarceration

Scope

  • Domestic and international requirements

Compliance Reporting

Internal

  • Monitor and report on organizational compliance efforts
  • Large organizations have a Chief Compliance Officer (CCO)
  • Also used to provide details to customers or potential investors

External

  • Documentation required by external or industry regulators
  • May require annual or ongoing reporting
  • Missing or invalid reporting could result in fines and/or sanctions

Regulatory Compliance

Sarbanes-Oxley Act (SOX)

  • The Public Company Accounting Reform and Investor Protection Act of 2002

The Health Insurance Portability and Accountability Act (HIPAA)

  • Extensive healthcare standards for storage, use, and transmission of health care information

The Gramm-Leach-Bliley Act of 1999 (GLBA)

  • Requires financial institutions to disclose how they share customer information and to protect customer privacy

HIPAA Non-Compliance Fines and Sanctions

Criminal penalties

  • Knowingly obtaining or disclosing individually identifiable health information: a fine of up to $50,000, or up to 1 year in prison, or both (Class 6 Felony)
  • Under false pretenses: a fine of up to $100,000, or up to 5 years in prison, or both (Class 5 Felony)
  • Intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000, or up to 10 years in prison, or both (Class 4 Felony)

Civil penalties

  • Maximum of $100 for each violation, with the total not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year
  • These are the original HIPAA civil amounts; the HITECH Act of 2009 replaced them with a tiered schedule that raises both the per-violation amount and the annual cap substantially

Reputational Damage

Getting hacked isn’t a great look

  • Organizations are often required to disclose
  • Stock prices drop, at least for the short term

October 2016 — Uber Breach

  • 25.6 million names, email addresses, and mobile phone numbers

Didn’t publicly announce it until November 2017

  • Allegedly paid the hackers $100,000 and had them sign an NDA
  • 2018 — Uber paid $148 million in fines

Hackers pleaded guilty in October 2019

  • May 2023 — Uber’s former Chief Security Officer sentenced
  • Three years probation and a $50,000 fine

Other Consequences

Loss of license

  • Significant economic sanction
  • Organization cannot sell products
  • Others cannot purchase from a sanctioned company
  • May be expensive to re-license

Contractual impacts

  • Some business deals may require a minimum compliance level
  • Without compliance, the contract may be in breach
  • May be resolved with or without a court of law

Compliance Monitoring

Compliance monitoring

  • Ensure compliance in day-to-day operations

Due diligence/care

  • A duty to act honestly and in good faith
  • Investigate and verify
  • Due care tends to refer to internal activities
  • Due diligence is often associated with third-party activities

Attestation and acknowledgement

  • Someone must “sign off” on formal compliance documentation
  • Ultimately responsible if the documentation is incorrect

Internal and external

  • Monitor compliance with internal tools
  • Provide access or information to third-party participants
  • May require ongoing monitoring of third-party operations

Automation

  • A must-have for large organizations
  • Can be quite different across vertical markets
  • Many third-party monitoring systems
  • Collect data from people and systems
  • Compile the data and report

Privacy

A constantly evolving set of guidelines

  • We are all concerned about privacy

Local/regional

  • State and local governments set privacy limits
  • Legal information, vehicle registration details, medical licensing

National

  • Privacy laws for everyone in a country
  • HIPAA, online privacy for children under 13 (COPPA), etc.

Global

  • Many countries are working together for privacy

GDPR — General Data Protection Regulation

European Union Regulation

  • Data protection and privacy for individuals in the EU
  • Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.

Controls export of personal data

  • Users can decide where their data goes
  • Can request removal of data from search engines

Gives “data subjects” control of their personal data

  • A right to be forgotten

Data Subject

Personal data is any information relating to an identified or identifiable person

  • The data subject is the individual that personal data is about

This includes everyone

  • Name, ID number, address information, genetic makeup, physical characteristics, location, etc.
  • You are the data subject

Laws and regulations

  • Privacy is ideally defined from the perspective of the data subject

Data Responsibilities

High-level data relationships

  • Organizational responsibilities, not always technical

Data owner

  • Accountable for specific data, often a senior officer
  • VP of Sales owns the customer relationship data
  • Treasurer owns the financial information

Data Roles

Data controller

  • Manages the purposes and means by which personal data is processed

Data processor

  • Processes data on behalf of the data controller
  • Often a third-party or different group

Payroll controller and processor

  • Payroll department (data controller) defines payroll amounts and timeframes
  • Payroll company (data processor) processes payroll and stores employee information

Data Inventory and Retention

What data does your organization store?

  • You should document your data inventory

Data inventory

  • A listing of all managed data
  • Owner, update frequency, format of the data

Internal use

  • Project collaboration, IT security, data quality checks

External use

  • Select data to share publicly
  • Follow existing laws and regulations