The outbreak of the COVID pandemic has fueled fresh data privacy concerns among businesses and governments alike, with cybersecurity leaders and other authorities actively monitoring the potential effects on data security. At the same time, people across entire industries are adapting to new methods of secure remote working.
As this new normal reshapes our work and digital lives, it also brings lucrative opportunities for cyber criminals and hackers. SophosLabs and security teams have already traced such malicious incidents. A phishing attack purporting to be from the World Health Organization with recommendations on “Coronavirus safety measures” is a case in point.
These bad actors are taking advantage of people’s fears and launching campaigns of cyber extortion and fraud using every tactic at their disposal – from new ransomware to pandemic-themed phishing attacks. An important challenge for organizations is to manage these security risks with a skeleton staff during the ongoing lockdown phase.
Even as businesses begin to educate themselves on the heightened risk of cybersecurity attacks, they need to double down on addressing data privacy practices – specifically, ensuring their data protection strategies embrace the applicable regulatory guidelines and that such adherence is clearly reflected in all they do.
Irrespective of the types of sensitive data that organizations are supposed to protect – whether patient data, employee details, credit card information, contracts, social security details, or student data – businesses across sectors will need to demonstrate greater accountability when it comes to monitoring, anticipating, and managing potential risks associated with such sensitive information. For organizations transitioning to the new normal of remote working and accelerated digital transformation, this is the best way to correct their respective security postures and reach cyber resilience faster.
Personally Identifiable Information (PII) and privacy regulations
The National Institute of Standards and Technology (NIST) provides the following definition of PII:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Data privacy norms are a set of regulatory guidelines, laws, and recommended procedures that help establish effective measures to protect such sensitive information from attempted data theft, intrusion, and unauthorized access.
Below are five major data protection and privacy regulations. Let’s look at how they relate to different sectors and how Sophos supports organizations with their regulatory compliance efforts.
1. HIPAA compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to protect the privacy and security of an individual’s Protected Health Information (PHI), among its other requirements. It applies to any organization that collects, stores, or shares PHI, including health plans, healthcare clearinghouses, and healthcare providers who conduct certain financial and administrative transactions electronically, such as doctors and hospitals. In the wake of increasing healthcare data breach incidents, enforcement of this compliance has become extremely stringent, and any violation can incur enormous penalties and heightened risk to brand equity as well.
Sophos provides comprehensive and forward-thinking, next-gen cybersecurity solutions to support healthcare organizations’ efforts to stay HIPAA compliant and keep medical records and patient data safe. Download the Sophos HIPAA compliance card or read the ePHI white paper for further guidance.
2. The EU General Data Protection Regulation (GDPR)
This EU regulation brought about a major uptick in data privacy enforcement activity and inspired several new and stricter regulatory initiatives globally. The EU General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, affects all organizations that hold personal data on EU citizens, regardless of where the organization is based in the world. Implementing a data protection strategy that includes encryption and anti-malware security is vital. The consequences of a data breach under GDPR mandate can be severe, and potential fines can range up to €20m or 4% of worldwide annual turnover – whichever is higher.
Whether thwarting hacking and malware attacks, securing lost or stolen devices, or reducing the impact of human error, Sophos helps you comply with the GDPR and minimize the risk of a fine by keeping your data and devices secure. Read the Sophos reference card for GDPR to learn more about available protection.
3. PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that accept, process, store, or transmit credit card information secure it, protecting cardholders against misuse of their personal information. The fines for not being PCI compliant range from $5,000 to $500,000 and are levied by banks and credit card institutions. Even companies that are already PCI compliant must demonstrate continuous compliance.
4. SOX compliance
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was enacted in response to several major corporate and accounting scandals. All publicly traded companies are required to comply with SOX, and several provisions of the Act apply to privately held companies as well.
The Sarbanes-Oxley Act requires implementation of good financial reporting and corporate governance, and compliance is important for financial data security. Sophos can help. Read the Sophos SOX reference card to learn more.
5. CIPA compliance
The Children’s Internet Protection Act (CIPA) requires K-12 schools and libraries to certify that they are enforcing an internet safety policy that includes technology protection measures in order to be eligible for federal funding and discounts for internet access through the E-Rate program. CIPA is intended to keep young learners safe online, and while the cause is noble, compliance presents a real challenge for educational institutions.
Educational institutions including schools, colleges, and universities already face multiple security challenges because of the sudden, forced transition to a remote learning model. Fortunately, Sophos remains a trusted cybersecurity partner for educational institutions, and with a comprehensive portfolio of easy-to-manage security solutions, Sophos helps ensure secure remote learning and CIPA-compliant learning environments. Read the Sophos CIPA compliance reference card to explore available solutions.
As a result of the pandemic, IT security has become increasingly fluid, which can create significant lapses in organizations’ regulatory compliance efforts. The world has become prone to disruption in several areas, including corporate governance, workplace health and safety, employment, supply chain, and data privacy.
Organizations that have not analyzed the impact and risks associated with specific data privacy laws and regulatory guidelines applicable to their respective industries must develop deeper familiarity with these laws and mandates.
It also needs to be noted that meeting the data privacy mandates of each of the regulations listed above requires exhaustive reviews of all organizational elements, some of which go beyond cybersecurity. However, with the right cybersecurity partner, you’ll have an edge when it comes to planning and implementing your data privacy and regulatory compliance efforts.