Data security matters to businesses and individuals alike. As technologies multiply and change rapidly, the threat of cyber-attacks and data breaches has grown, and governments and legislative bodies have responded by regulating business operations more actively. They have introduced security regulations and standards that businesses must follow, including laws on data privacy and information security. For your company to remain reputable and operational you must know which of these regulations apply to you and understand how they affect your business practices.
Your business is responsible for upholding the data privacy and protection laws that governing bodies have put in place for consumer protection. If your company is breached, the legal consequences you may be held accountable for include fines for non-compliance and class-action lawsuits, and these come on top of the reputational damage that follows such events. The monetary and operational costs of responding to a breach are at least as significant as the legal ones and can extend well beyond the initial attack. The type of data that was compromised, the data that was exfiltrated or leaked, the specific part of the business that was directly affected, and similar factors all determine which fines a business may face for failing to comply with the governing legislation.
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (2016), which works with vendors to help implement secure systems and standards for payment infrastructures, and with financial institutions to ensure that their payment systems are hardened and safe for consumers to use. Note that PCI DSS is an industry standard rather than a law: compliance is required contractually by the card brands and acquiring banks, and the penalties for non-compliance (fines, higher transaction fees, or loss of the ability to process cards) come from them. Sound PCI DSS controls help limit cardholder-data theft and the fraud and identity theft that follow a breach. The requirements set forth by the PCI DSS necessitate that you build and maintain secure systems, use access control mechanisms to harden your IT infrastructure, networks, applications, and operations, protect cardholder data in storage and in transit, and regularly train your developers and staff on secure data handling.
Specifically, this includes running a vulnerability management program, regularly monitoring and testing company networks, hardening business systems through layered security, and applying appropriate security controls. It also includes using Network Access Control for company systems, maintaining corporate policies for incident response and information security, having black-box and white-box penetration tests performed on company networks, applying patches on a regular schedule, and more. Your company should comply with all of the PCI DSS requirements; in doing so you better protect your customers, yourself, and your organization.
Using both in-house and external security engineers allows for a multi-faceted security assessment that gives a more complete picture of your security posture while supporting compliance. Your business should become intimately acquainted with the PCI DSS requirements and should carry out thorough security assessments regularly.
The Sarbanes-Oxley Act (SOX) of 2002 may also be highly pertinent to your company. Two of its sections matter most here: section 302, under which executives certify the accuracy of financial reports, and section 404, which requires management to assess and report on internal controls over financial reporting. Because modern financial reporting runs on IT systems, these requirements extend to the controls over those systems; they exist to protect investors while also mandating how businesses carry out their financial activities and maintain internal security. The scope of a thorough security policy includes, but is not limited to:
- Application and network assessments
- Network monitoring and auditing
- Implementing network access controls (NAC) and other security controls
- Encrypting data and using best practices for data storage
- Maintaining incident response procedures and patch management
- Securing all systems with authentication and authorization services
Beyond legislation governing company security policies generally, there are also laws stipulating how financial companies must protect their customers' data. One such law is the Gramm-Leach-Bliley Act (GLBA), which sets requirements that financial institutions must meet, including keeping customer data secure and confidential.
Specifically, the act's Privacy Rule requires financial institutions to tell their customers how their information will be shared with affiliates and non-affiliated third parties, and its Safeguards Rule requires them to take sufficient steps to protect that information. This includes providing security training to employees and implementing a risk management program, as well as monitoring, updating and testing business systems, evaluating the effectiveness of security controls, and identifying, assessing and mitigating threats to customer information.
Other regulatory bodies also mandate comprehensive information security policies whose guidelines can affect you and your business. For instance, the New Basel Capital Accord (Basel II) establishes bank capital requirements, and its treatment of operational risk (losses resulting from inadequate or failed internal processes, people and systems, or from external events) means that information-security failures and cyber-attacks feed directly into how much capital a bank must hold against its financial operations. Basel II is an accord of the Basel Committee on Banking Supervision rather than a law in itself, and it reaches banks through the national regulators that implement it.
The Federal Sentencing Guidelines for Organizations are directly pertinent to the senior executives of businesses and organizations, including small ones. Such executives are expected to secure customer data and exercise due diligence in meeting their information security responsibilities. Fines under the guidelines are scaled by a culpability score, which falls when an organization can show it had an effective compliance program and rises when it cannot; in the worst case, after a data breach in which reasonable security measures were not taken, the maximum fine under the guidelines reaches $290 million.
It is imperative that you know all of the information security regulations that govern your business and implement company-wide security policies (such as regular security assessments) that produce documented evidence of due diligence, so that if a breach does occur you and your company can demonstrate that you met your obligations.