Which Data Security Regulations Affect My Company?

With so many state, federal, and international regulations governing the protection of different data types, we help you identify which laws your organization may be subject to.

State, federal, and international regulations continue to adapt to today’s digital world. These laws improve data security and protect your customers. But failure to keep up with changes in the law can result in major fines, stolen customer information, and a damaged reputation.

Do you have a website?

If you collect information of any kind on your website — for example, an email newsletter signup or contact form — or if you use Google Analytics or capture any other kind of analytics, you need a Privacy Policy and Terms & Conditions. These documents must be linked prominently from your website, usually in the website footer.

A Privacy Policy is a required statement that outlines the ways you gather, use, disclose, and manage customer data.

Terms and Conditions are a legally-binding agreement between your company and the visitor to your website. This commonly outlines how visitors may use the information on your website and limits (or attempts to limit) your company’s liability related to materials on your website and how users interact with them.

Do you handle data on EU citizens?

You must comply with EU GDPR. The European Union’s General Data Protection Regulation, which goes into effect May 25, 2018, is a sweeping update to the EU’s existing 1995 law, the Data Protection Act or Directive 95/46/EC.

Under GDPR, the privacy of EU residents’ personal information is protected by requiring companies that handle or process that information to comply with a wide set of privacy, consent, notification, and data retention regulations.

This law applies to US-based businesses, too, and can be enforced internationally. For more information, check out our blog on why American companies need to comply with GDPR.

Are you based in MA or do you handle information on Massachusetts residents?

You must comply with MA 201 CMR 17.00. These are the minimum standards for the protection of personal information of Massachusetts residents, designed to protect residents against threats, unauthorized access, and breached confidentiality.

A major component of compliance with MA 201 CMR 17.00 is the development of a Written Information Security Plan (WISP). This document outlines the steps your company takes to protect sensitive personal information and establishes a process for reporting data breaches.

In the unfortunate event your company experiences a data breach, there are automatic fines right off the bat if you don’t have a WISP in place.

Do you offer financial products or services, like loans, investment advice, or insurance?

If so, then the GLBA is for you. GLBA (Gramm-Leach-Bliley Act) mandates that companies secure the private information of clients and customers, and are required to explain how they share and protect that information. Most accounting firms and tax preparers are also subject to GLBA.

Additionally, depending on the nature of your business, companies in the financial industry may be subject to other regulations and requirements, such as regulations from the SEC (U.S. Securities and Exchange Commission) or rules from the FTC (Federal Trade Commission) and the IRS.

Do you handle credit card information?

You must comply with PCI-DSS (the Payment Card Industry Data Security Standard). This is a set of 12 security regulations designed to reduce fraud and protect customer credit card information. It applies to anyone that accepts, processes, stores, or transmits credit card information.

Do you handle student educational records?

Schools, universities, and any organization that handles student educational records must comply with FERPA if they receive federal funding of any kind.

FERPA (Family Educational Rights and Privacy Act) protects student educational records by requiring certain cybersecurity practices be in place, and requiring proper information releases. The U.S. Department of Education maintains a searchable website of frequently asked questions about FERPA.

Do you handle healthcare data?

You must comply with HIPAA and HITECH. HIPAA (Health Insurance Portability and Accountability Act of 1996) protects the privacy of patients by ensuring secure and private electronic exchanges of health information. HITECH (Health Information Technology for Economic and Clinical Health Act) requires anyone who handles healthcare data to use secure electronic health records (EMR) and supporting technology.

Are you a contractor, supplier, or manufacturer for the federal government?

Depending on the nature of your business, security requirements under CMMC, DFARS, FAR, and ITAR may apply. With DFARS (Defense Federal Acquisition Regulation), all Department of Defense (DoD) contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet minimum standards for “adequate security.” Generally speaking, these regulations require implementation of the security controls outlined in NIST SP 800-171 and the development of applicable security policies and procedures.

Don’t know if you’re in compliance?

We speak all these acronyms and more! Steel Root can guide you through the complex requirements of data security compliance. Contact us or schedule a technology security assessment today.