Compliance regulations in the data security space are constantly changing and evolving, with more new acronyms for regulatory standards being introduced every year.
But staying compliant with government and industry regulations doesn’t have to be a major burden.
In this guide, we’ll cover:
- The basics of data use compliance
- Limitations of data security compliance laws
- The most common data compliance laws
- Additional standards and frameworks data teams should know
- Where to start when seeking data use compliance
What is Data Use Compliance?
Data use compliance refers to the standards and regulations that govern how companies and government organizations keep data secure, private, and safe from breaches or damage. This often applies to consumer data, but can also cover employee data, financial records, and more.
A company is ‘compliant’ when the way it manages, stores, and transmits data follows the regulations laid out in a series of laws and standards — which we’ll outline in this post.
Why Are Compliance Laws Important?
Compliance laws are more than just a hoop that organizations must jump through to avoid fines. They’re designed to protect consumers, employees, and businesses themselves. These regulations are built around best practices that help keep data secure from breaches, improper use, destruction, leaks, and more. Companies that remain compliant don’t just stay on the right side of the law — they also tend to have a more streamlined data management process that makes them more effective and profitable in the long run.
That said, compliance laws have limitations.
Limitations of Compliance Laws
It’s important to note that while compliance laws are designed to help companies properly store and secure data, they have limits. One trap that many businesses fall into is believing that just because they’re compliant, they are also secure. But since every organization is different, compliance laws can’t account for the intricacies of each one.
For instance, you may be compliant with all relevant standards, but still have holes in your data access controls that could leave you and your customers exposed. And, even if a data breach doesn’t stem from noncompliance, the results can be devastating — from lost consumer trust and bad press, to lawsuits and fines.
Common Compliance Laws
Below is a list of the most significant and widely applicable regulatory compliance laws in the U.S. and beyond. While this is not an exhaustive list of every regulatory law governing sensitive data use, it covers many of the most common and important laws you’ll want to know about when it comes to maintaining compliance.
The European Union signed the General Data Protection Regulation (GDPR) into law in 2018, specifying standards for any organization that processes EU residents’ personal data. In effect, the GDPR applies to not only European companies, but a broad swath of U.S. organizations as well.
The GDPR requires companies to process personal data in a way that helps protect against unauthorized data collection, processing, loss, damage, or destruction. The fines for failing to do so are significant — organizations can be fined as much as 4% of their annual revenue or €20 million, whichever is higher.
The California Consumer Privacy Act (CCPA) applies to organizations with a revenue at or above $25 million, or that possesses at least 50,000 individuals’ data. Under this act, every resident of California has the right to see all data that a company has saved about them, as well as any and all third parties that company has shared their data with at any time.
If a consumer believes that a company is in violation of CCPA as it relates to their data, they have the right to sue that company.
It’s important to note that this applies to the data of individual California consumers, not companies. So, even if an organization is not based in California and has no physical presence there, it can still be affected by CCPA if it stores the data of any California resident.
Failure to comply with CCPA can result in lawsuits and fines. Recently, California voters passed an update to CCPA, called the California Privacy Rights Act.
The California Privacy Rights Act (CPRA) is an evolution of CCPA that will go into effect in early 2023. CPRA will generally expand on the CCPA, making some aspects of it more strict, but also removing smaller companies from its jurisdiction.
The changes of the CPRA include prohibiting businesses from retaining customer data longer than necessary, expanding customers’ rights to opt out from having their data collected, and more.
One of the more widely known compliance laws, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to ensure digital health information is confidential, secure, and available when being stored or transmitted. It also mandates healthcare providers to make reasonable efforts to protect against threats, security breaches, and improper use of health data.
Fines for failing to comply with HIPAA can be steep — up to $50,000 per violation and $1.5 million per year. Some HIPAA violations can even come with prison terms of up to 10 years.
The Federal Information Security Management Act of 2002 (FISMA) affects all federal agencies, their subcontractors, and their service providers, alongside any organizations that operate IT systems for a federal agency.
FISMA requires that these organizations categorize data they store by how negatively impactful it would be if hacked, breached, or compromised. Additionally, these agencies and organizations must conduct regular risk assessments to reduce the risk of data compromise to an ‘acceptable level’ through proper data controls. Organizations that fail to meet FISMA standards can be hit with reduced budgets, more bureaucratic oversight, and limited capabilities.
The Sarbanes-Oxley Act of 2002 (SOX) increased the requirements for public companies to be accurate and reliable in corporate disclosures. Designed to protect both investors and the general public, SOX was enacted by the SEC as a direct response to financial scandals of the early 2000s, such as Enron and WorldCom.
Any public company, as well as management and public accounting firms, must follow the regulations outlined in SOX, which include requirements for how businesses must record and store information, and how long they must retain certain records.
PCI DSS is the Payment Card Industry Data Security Standard. It involves any business that deals with the processing, storage, or transmission of credit card information, and is designed to protect card data that is stored both electronically and in paper records.
Organizations that must follow the PCI DSS are required to build a secure network, implement certain access controls for cardholder data, and maintain a regularly tested security system and vulnerability management program. Companies that fail to follow PCI DSS can expect to be fined as much as $100,000 per month that they’re noncompliant and can even lose the right to accept cards.
Other Standards & Frameworks to Know
The following is a list of some additional standards and frameworks that may affect your business, depending on your industry and the type of data you manage and store.
NIST SP 800-53
The National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) is a framework that provides a standard for government agencies to follow in order to become compliant with FISMA, outlined in the previous section. Though not required for private companies, many organizations choose to follow it, as it helps ensure best practices for data storage and information systems.
NIST Cybersecurity Framework
This additional NIST framework focuses on mitigating cybersecurity risks by improving information security, safeguarding against breaches, and more.
ISO 27000 Series
The ISO 27000 is a series of IT security standards for organizations looking to protect financial data, employee data, IP, and other data assets. These also include a standard for implementing and maintaining information security management systems, or ISMS.
Tips for Complying with Data Security Regulations
Looking to improve your data compliance? It begins with understanding which compliance laws apply to you and your organization. Beyond that, there are three key areas to focus on when getting on the path to data security compliance.
1. Know What Kind of Data You Have
First, it’s important to understand what type of data you’re dealing with on a regular basis. Are you at a healthcare company dealing with patient records, or a business dealing with customer credit card information or other types of secure data? The type of data you store will determine which information security standards and data security laws you’re required to follow, so this is the best place to begin when seeking data security compliance.
2. Develop a Data Compliance Plan
Data security compliance won’t simply happen as a result of your company striving to make smart data security choices. Every organization should have an explicit plan that outlines its compliance requirements and how to reach and maintain compliance with those regulations. In some cases, businesses can partner with third party data security platforms to help achieve and maintain data security compliance.
3. Perform Regular Data Assessments
Many organizations achieve compliance once and determine that their job relative to data security compliance is finished. But over time, the goalposts shift, new regulations emerge, and consumer data standards change. Meanwhile, the standards you’ve established within your company are forgotten or slowly lose priority with new hires or leadership.
That’s why it’s important to perform regular data assessments that help determine where you stand, identify areas to improve compliance and security, and optimize your data security processes.
It’s also worth noting that an increasing number of individual states are proposing specific legislation governing data use and security. This means that while you may be compliant according to one state’s laws, you may not be compliant according to another’s. You may even find that compliance language isn’t consistent from one state or jurisdiction to another. That’s another reason why regular data assessments are so critical.
However, Immuta can help. Our full-scale data access control platform keeps your data secure, compliant, and accessible to the people that need it, when they need it. If you want to learn more, request a demo today.