Compliance is a huge responsibility for every organization, and the number of regulations to which an organization must adhere continues to grow. Achieving and maintaining compliance can be complicated. This guide is designed to help you understand what you need to know about compliance and what you can do to protect your organization and avoid putting yourself at risk of fines and other regulatory actions.
What Is Compliance?
Compliance is the act of adhering to specific regulations set forth by local, regional, state, federal, and international agencies to manage data. These regulations are designed to protect consumers, maintain their privacy, and ensure they have control over what information companies have, store, access, and use. In recent years, the notion of personal data privacy has had a significant impact on how organizations operate, and it can be extremely costly for an organization that fails to comply with specific regulations. While structured data is relatively easy to manage and store securely, most data is unstructured.
The Challenge of Unstructured Data
One of the biggest issues facing organizations of all sizes when it comes to ensuring compliance is unstructured data. Structured data is data that fits into specified fields – zip codes, for example. Unstructured data is all the information your company collects that is not stored in traditional structured database fields. Text messages, for example, are considered unstructured data. However, if you conduct business on your phone, it’s entirely possible that your text messages contain information that must not only be preserved but also protected as confidential.
Many businesses have unstructured data – email messages, web pages, and media files – that makes it difficult to manage compliance. This information can be vital to your business. But corralling that data and protecting it – and your clients – can be a huge challenge. According to a recent survey by AIIM, a non-profit organization that provides independent research, training, and certification for information professionals, organizations expect the volume of information coming into their organizations to grow by a factor of 4.2 over the next two years, and 60% of that growth will be unstructured data.
Compliance Regulations That May Impact Your Columbus Business
There are several different compliance regulations that have been established by the federal government and international agencies, governing how you store data, the required reporting, and the options you must provide your clients regarding the use and storage of their data.
- Sarbanes-Oxley Act of 2002. Sponsored by Ohio Representative Michael G. Oxley, the Sarbanes-Oxley Act (SOX) was a response to the economic suffering caused by huge financial scandals, such as WorldCom and Enron. These scandals compelled Congress to enact laws that would protect consumers, shareholders, and the public from fraudulent practices and accounting errors. But the act also established specific rules about what data must be stored in a company’s IT systems, and for how long, including auditable tax records.
- CAN-SPAM Act. The CAN-SPAM Act addresses email marketing and communications, protecting consumers from unethical marketing via email, by giving them the ability to opt out. The act also requires organizations to use a legitimate email address for a return address and to clearly label commercial emails as advertising.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA addresses patient data privacy and issues governing how electronic health records are stored, accessed, and shared. Violations of this act can be extremely costly.
- Payment Card Industry Data Security Standard (PCI DSS). Using a strategic framework, the goal of the PCI Security Standards Council (PCI SSC) is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
- General Data Protection Regulation (GDPR). GDPR is a European Union regulation on data privacy; resulting laws went into effect in 2018. They not only impact EU individuals, they impact any company that does business with people in the EU, taking into consideration newsletter subscriptions and other innocuous interactions.
- Gramm-Leach-Bliley Act (GLBA). The Gramm-Leach-Bliley Act requires financial firms and other companies, such as auto dealers and other businesses that offer financing, financial advice, insurance, or loans, to “explain their information-sharing practices to their customers and to safeguard sensitive data.” These organizations must offer consumers the ability to “opt out” of information sharing.
The Risks of Non-Compliance
Non-compliance results in sanctions, the loss of business, and the loss of loyalty from customers who expect you to handle their personal data with the degree of importance it deserves. While no organization intentionally mishandles personal data, a lackadaisical approach to security, employee awareness training, patch management, offsite replication, backup and disaster recovery, and other measures that help protect data can put your organization at risk. And fines can be severe.
- Sarbanes-Oxley Act – Executives who defraud shareholders of publicly traded companies can face up to 10 years in prison and up to $1 million in fines.
- CAN-SPAM Act – According to the FTC, each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $46,517.
- HIPAA – Depending on the severity and level of negligence, fines can range from $100 to $50,000 per violation.
- PCI DSS – Fines can reach $500,000 when organizations are found to be in non-compliance.
- GDPR – Fines can rise to €20 million (approximately $20.4 million), depending on the level of infringement and the revenue of the organization.
- GLBA – Fines for GLBA non-compliance can be as high as $100,000 per violation for organizations, as well as $10,000 in fines for officers of the organization who have fiduciary responsibility.
What Can I Do to Better Ensure Compliance at My Organization?
Regulatory compliance requirements are becoming an increasingly complex area of operations for most organizations. Because of ongoing aggressive attacks from sophisticated cybercriminals, governments are stepping in to try to protect consumers by introducing stricter requirements that demand enhanced security.
The average organization must meet compliance in several different regulatory areas; managing that compliance is costly and often inefficient. And because regulations are constantly changing, with new regulations being introduced in legislatures across the country, it’s a struggle to keep up.
Achieving Stronger Compliance
To ensure that you are meeting compliance requirements for your organization, consider the following assessments:
- Regulatory Assessment
Your first step is to identify the compliance regulations that impact your organization and what the requirements are for each of those regulations. During the assessment, you can identify any gaps in your security that might prevent you from meeting the security requirements of any compliance regulation.
- Technology Assessment
Nearly every data privacy regulation requires specific measures, either through a specified security framework or in response to a reporting requirement. Identifying the security measures your organization must have in place to meet the applicable compliance regulations may reveal the need for a technology upgrade, from updating and patching software to investing in new equipment.
- Data Assessment
To better understand, define, and control your unstructured data, an assessment of the data, its risk value, and data retention requirements (HR, finance, payroll) is necessary. You cannot protect data if you don’t know what you have and where it is.
- Cybersecurity Assessment
When privacy regulations like HIPAA and PCI DSS are involved, your cybersecurity policies and solutions become a critical aspect of your ability to remain compliant. This means more than just a firewall. A variety of measures designed to protect your data may be necessary, including multi-factor authentication and robust mobile device management.
How Can an MSP Help My Organization with Compliance?
The challenge for organizations is that compliance is a must-have, but your organization does not always have the resources and expertise to manage it without taking away from your operational efficiency. Help is often necessary and prudent.
By outsourcing most of your compliance requirements, including your assessments, to an MSP, you can remain focused on your business operations, knowing that you have a partner who is dedicated to ensuring that best practices are implemented and followed, including:
- Regular, secure backups to a locally hosted secure cloud server
- Immediate updates to software and patch installations
- 24/7 threat monitoring
- Expert consultation with a vCIO who is familiar with your organization and industry
- Depth of experience with compliance requirements by industry
- Significant cost savings through scalable, fractional services that are designed to meet your business needs, size, and industry
- Recommended actions to maintain compliance
- Implementation of software solutions that help you identify, classify, and store data securely
thinkCSC Is Your Compliance Partner in Columbus
If you’re struggling to meet compliance requirements for your organization or are concerned that you may be subject to fines or penalties because of non-compliance, get in touch. thinkCSC can help you implement vital compliance solutions that keep your data and your business safe.