Cloud security is not only good for consumers; it is also a requirement for businesses in many industries. Understanding compliance regulations (like GDPR) and security frameworks (like NIST) can help IT teams build strong, layered privacy and security controls, including data loss prevention, across a range of platforms and integrations. Here are the most common and comprehensive security standards that businesses need to know to be cloud compliant.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, known as HIPAA, is enforced by the Department of Health and Human Services (HHS) and safeguards protected health information (PHI). HIPAA sets standards to keep sensitive patient information from being disclosed without consent.
There are 18 PHI identifiers that make medical information “identifiable” and traceable back to a specific individual. Examples include Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and the names of patients, relatives, or employers. You can read more about the PHI that HIPAA protects in this guide: PHI Compliance: What It Is and How To Achieve It.
HIPAA’s regulations refer to two parties — a covered entity and a business associate — that are required to adhere to PHI compliance. While HIPAA requires organizations to safeguard the confidentiality, integrity, and availability of PHI, there are few specifics in the HIPAA regulations as to how to go about securing patient information. Therefore, we’ve provided a free resource to help HIPAA-governed organizations manage their data security.
[FREE Download: Guide to HIPAA Compliance for SaaS Applications Checklist]
Payment Card Industry Data Security Standard (PCI-DSS)
PCI-DSS is a standard set by the major credit card brands: Mastercard, Discover, American Express, and Visa. These providers set security rules to protect customer credit and debit card data for any business that accepts their cards.
There are four PCI compliance levels determined by the volume of Visa transactions that the business processes over a 12-month period (including credit, debit, and prepaid sales). If your business accepts any non-cash payments, it’s likely you will have to meet PCI-DSS standards.
There are also 12 PCI requirements that you must meet — from having a firewall to regularly testing network security — to ensure you are PCI compliant. These 12 requirements apply whether you are a Level 4 business or a Level 1 business, though the specifics for compliance may vary based on the level.
Nightfall’s PCI compliant controls and its detectors, which are trained on PCI-relevant PII like credit card numbers, can help businesses keep their customer data safe.
California Consumer Privacy Act (CCPA)
The CCPA began to take effect in July 2020 and is considered one of the most demanding pieces of privacy legislation in recent history. The CCPA applies only to: “companies that have gross annual revenues above $25 million; those that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; or businesses that derive 50% or more of their annual revenue from selling consumers’ personal information.”
This landmark law secures new privacy rights for California consumers, including the right to know; the right to delete personal information (with some exceptions); the right to opt out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights.
For applicable companies, the CCPA requires developing comprehensive data discovery and data security programs organization-wide. This means understanding how data is used, where it’s stored, and who has access to it. Companies need to build consistent security processes with the help of tools like privileged access management, securely configured firewalls, and application security controls like data loss prevention. As a data discovery platform, Nightfall can help IT teams classify their customer data properly and reduce the risk of a privacy breach.
[Read more: The California Consumer Privacy Act (CCPA)]
General Data Protection Regulation (GDPR)
The GDPR is a well-known compliance standard by now. It was passed in 2018 by the European Union to protect consumer privacy by requiring companies to be transparent about the data they collect, regulating how companies process data, and improving the reporting of data breaches.
GDPR compliance has many requirements, but in practice, it comes down to obtaining an individual’s consent to collect data and minimizing the amount of data stored by your business. Mastering security and complying with privacy protocols like GDPR starts with data governance. This process involves assessing what data you have, where it is stored, and what security protocols are already in place.
[Read more: A DLP Security Checklist for IT Professionals]
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents.
PIPEDA is similar to the CCPA and GDPR in that it gives individuals control over their information. PIPEDA grants individuals the ability to give consent to, access, and correct their information, as well as the assurance that businesses will safeguard their PII. The Act governs the "handling" of personal information, which covers collecting, disclosing, or using "information about an identifiable individual."
Businesses worried about PIPEDA can follow protocols similar to those required by PCI-DSS. Nightfall’s PCI-compliant controls can help PIPEDA businesses keep their customer data safe.
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to all schools that receive funds from the U.S. Department of Education. FERPA protects the privacy of student “education records,” a broad term that includes things like grades and transcripts, student schedules, exams and papers, student email, advising records, and any personally identifiable information (PII). Education records do not include law enforcement records, employment records, medical records, or post-attendance records.
Under FERPA, schools are responsible for what their vendors do with data. That means that if a vendor intentionally or accidentally misuses students’ education records, the school is still at fault. Therefore, for remote learning as well as in-school technology, administrators need to find security solutions that help protect PII and minimize the proliferation of PII across the organization.
Gramm-Leach-Bliley Act (GLBA)
The GLBA was passed in 1999 to update and modernize the financial industry. It is best known for repealing the Glass-Steagall Act, an act created in the wake of the stock market crash in 1929 to protect bank depositors from additional exposure to risk.
GLBA includes measures to protect consumer financial privacy, requiring any companies that offer financial products or services, such as loans, bank accounts, or investment advice, to explain their information-sharing practices to customers. GLBA compliance also requires putting measures in place to keep sensitive data secure.
GLBA compliance requirements are divided into three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions. Financial institutions that don’t adhere to the GLBA Financial Privacy Rule are subject to civil penalties that can add up to $100,000 for each violation.
To ensure your financial institution is compliant with GLBA requirements, read the checklist in the resource below.
New York State Department of Financial Services (NYDFS) Cybersecurity Regulations
The NYDFS cybersecurity regulation is a GDPR-like rule released in 2017 for New York’s financial industry. It includes strict requirements for breach reporting, limiting data retention, data security, risk assessments, documentation of security policies, and more. The simplest route to compliance is to follow the NIST framework, which is outlined below.
National Institute of Standards and Technology (NIST)
Moving on to security frameworks: NIST is a non-regulatory agency, which means that NIST compliance is not compulsory for any business. However, NIST works with many commercial sectors and government agencies to create policies and standards that benefit technology development, and the NIST cybersecurity framework is considered standard best practice by many in the industry.
The NIST framework is designed to be used by businesses of all sizes in many different industries. As a result, it is flexible, cost-effective, and iterative, providing layers of security through DLP tools and other scalable security protocols.
Financial Industry Regulatory Authority (FINRA)
FINRA is an independent, non-governmental organization that enforces rules governing registered brokers and broker-dealer firms in the US. As such, FINRA evaluates a financial company’s approach to cybersecurity risk management by reviewing the institution’s controls in areas such as data loss prevention. Through these reviews, FINRA also assesses an organization’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.
FINRA’s cybersecurity checklist asks a few key questions, including:
- Does your organization store, use, or transmit PII or firm sensitive information electronically?
- Where is this business-critical data located on your org’s systems or other electronic storage (e.g., Slack)?
- Has your organization taken steps to minimize the use and proliferation of PII or sensitive data?
FINRA does have the ability to take disciplinary action against those that violate the financial industry rules, such as GLBA or SOX. It also maintains BrokerCheck, a consumer-facing database of brokers, investment advisors, and financial advisors, their certifications, and any enforcement actions taken against them.
International Organization for Standardization (ISO/IEC 27001:2013)
ISO 27001 (officially known as ISO/IEC 27001:2013) provides a set of standards to help organizations keep corporate data, such as financial information, IP, and employee details, confidential. This framework helps organizations build a comprehensive infosec program, providing tools to assess risk, cover the security of transmissions within the organization’s network, and identify which industry regulations (such as HIPAA) are applicable.
ISO 27001 certification can be achieved through a successful audit carried out by an accredited certification body. ISO certification is not legally required; however, it can be pursued by any business that seeks to improve its processes around securing its information assets.
HITRUST Common Security Framework
HITRUST is an organization that develops data protection standards and certifies organizations against them, helping providers, business associates, and vendors better safeguard their sensitive data and manage IT risk, across all industries and throughout the third-party supply chain. HITRUST’s latest framework integrates GDPR and CCPA requirements, making it easier for organizations to achieve compliance across both regulations.
Service Organization Controls (SOC 2)
Last, but not least, SOC 2 is a set of compliance requirements for third-party service providers. SOC 2 compliance is based on specific criteria for managing customer data correctly, organized into five Trust Services Categories: security, availability, processing integrity, confidentiality, and privacy.
There are two types of SOC 2 compliance. SOC 2 Type 1 details the systems and controls in place for security compliance. Auditors check for proof and verify whether you meet the relevant trust principles. Think of it as a point-in-time verification of controls.
SOC 2 Type 2 assesses how effective your org’s processes are in providing the desired level of data security and management over a period of time.
Across each of these frameworks and security regimes, Nightfall can help keep your data secure. To learn more about Nightfall, set up a demo using the calendar below.