Organizations Are Storing More Data that Triggers Regulatory Requirements


Most organizations understand their regulatory compliance obligations with regard to data security and privacy. Or do they?

Two key trends are complicating compliance: laws and regulations are becoming more numerous and complex, and organizations are storing more data than ever. For example, organizations with COVID-19 vaccination requirements are storing information on their employees’ vaccination status. In other words, organizations outside the healthcare industry are now holding personal health data that must be kept private and secure. The HR department is often a treasure trove of sensitive information, including Social Security numbers, insurance coverage, 401(k) and retirement plan details, and more. The payroll department holds salary, bank account and tax information. A data breach affecting any one of these data stores would be devastating; a breach that exposed data across the entire enterprise would be far worse. In addition to the cost and business disruption of the breach itself and the impact on productivity and morale, the organization could face stiff fines and other penalties for regulatory compliance violations.


Many Regulations Implicated

In our last post, we discussed the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Organizations that administer their own health plans may be covered entities under HIPAA.

Organizations are subject to the Payment Card Industry Data Security Standard (PCI DSS) if they store, process or transmit credit or debit card data. Direct deposits and other electronic fund transfers are subject to the Electronic Funds Transfer Act (EFTA). Customer financial information held by financial institutions is covered by the Gramm-Leach-Bliley Act (GLBA), and many other laws apply to financial data. The Employee Retirement Income Security Act (ERISA) governs employer-sponsored benefit plans, including retirement and group health plans, so it overlaps with HIPAA wherever health information is involved.

Most states require organizations to protect the privacy of a broad range of personal information. It doesn’t matter where the organization is located: a state’s privacy rule is typically triggered if you store data about one of that state’s residents. With the rise of remote work and small satellite offices, even small organizations are subject to multiple state privacy rules, and to international laws such as the E.U.’s General Data Protection Regulation (GDPR).

Organizations should not look at these regulations as distinct burdens. On the contrary, it’s critical to take a holistic approach to regulatory compliance. Furthermore, compliance should not be treated as an annual event. By developing a continual compliance strategy, organizations will always be prepared for audits and able to prove compliance should a breach occur. Best of all, they’ll be less likely to suffer a breach and will have the tools and procedures in place to quickly respond to threats.


Comprehensive Approach

Our last post focused on the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), which is designed to facilitate compliance with HIPAA, the GDPR and various state privacy requirements. There are many other frameworks and standards, including:

  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

  • International Organization for Standardization (ISO) 27001 standard

  • Control Objectives for Information and Related Technologies (COBIT) framework

  • Center for Internet Security (CIS) Critical Security Controls

Frameworks give organizations a proven strategy for defining and prioritizing their security efforts. Instead of simply reacting to new threats, IT teams have a means of determining where to focus their attention.

DeSeMa is here to help as well. Through our assessments, strategy and policy development, and data inventory services, we can help you identify weaknesses in your infrastructure and determine where your sensitive data is located so it can be protected.

As organizations store more data, they face growing regulatory requirements. Contact DeSeMa to discuss your specific challenges and concerns.

Get Started Today!