AComp Cybersecurity Compliance Solutions

The specific laws that apply to your business depend on the type of business and the type of data you work with. There are, however, sweeping federal cybersecurity laws that apply to many businesses whether in whole or in part:

• Health Insurance Portability and Accountability Act (HIPAA) of 1996

This law applies to almost every organization that deals with medical information. The law establishes standards for how medical information is to be stored, accessed, and shared.

• Gramm-Leach-Bliley Act (GLBA) of 1999

Organizations that deal with personal and private financial information are likely subject this law. The law mandates standards for when and how information is collected, how that information is stored, and what parties have access to it.

• Homeland Security Act, which included the Federal Information Security Management Act (FISMA), of 2002

This law is similar to the previous two and applies primarily to organizations that deal with government information. By and large, this applies to government agencies, but contractors and suppliers who work with the government may also be subject.

• Cybersecurity Information Sharing Act (CISA) of 2015

The purpose of this law is less about protecting data and more about collaboratively responding to threats. The law allows the government and tech companies to share data in order to identify and respond to threats sooner.

• Federal Exchange Data Breach Notification Act of 2015

Organizations that participate in a health insurance exchange are required to report any breach to affected individuals within 60 days of the breach occurring.

In today’s rapidly evolving digital landscape, cybersecurity compliance is not just a checkbox but a crucial component of your organization’s success.

The exact nature of the penalty is often relative to the nature of the attack and the amount of data that was exposed. There are also penalties beyond fines and fees – public shaming for example – that will negatively impact some organizations more than others. Even in the best cases, however, violating cybersecurity laws is an expensive and disruptive process:

HIPAA

The fine is calculated based on the number of medical records exposed, with fines ranging from $50-$50,000 per record. Fines are capped at $1.5 million per year, but organizations may receive the maximum fine for multiple years. Violators may even face prison time ranging from 1-10 years.

GLBA

Organizations are fined up to $100,000 for each violation of this law, and the officers and directors of the organization may be fined up to $10,000 personally. Individual may also face up to 5 years in prison.

FISMA

Since this law applies primarily to federal agencies the penalties range from formal censure from Congress to reductions in public funding.

In addition to laws that exist at the federal, state, and local level companies may also be subject to international laws and industry-specific standards. Since these laws are not necessarily top-of-mind it is especially easy for businesses to overlook and accidentally fall into non-compliance:

• General Data Protection Regulation (GDPR)

This sweeping set of regulations is designed to protect the personal information of all citizens in the European Union. Since many US businesses work with European firms and customers, these businesses must comply with GDPR. Unlike most other cybersecurity laws, this one mandates the use of encryption. GDPR is also especially punitive, with fines potentially totaling tens of millions of dollars.

• Payment Card Industry Data Security Standards (PCI DDS)

Any organization that accepts payment card – credit cards, debit cars etc. – is subject to this law developed by the payment card industry. Organizations must meet 12 requirements related to securing payment card information. Being in breach of PCI DDS exposes organizations to minimum fines of $5,000 per month and maximum fines of $100,000 per month.