Information Technology and Ethics/Why compliance management?

Compliance management is a process that enables companies to make sure that they are following industry standard regulations i.e., the correct set of rules and regulations to make sure that the data is protected in a better way. It is also important to have proper compliance management because nowadays companies have access to a large pool of data hence making it very important for them to follow certain compliances hence companies spend a lot in hiring lawyers etc to make sure that they are compliant. Some of the common compliances are CCPA, FERPA, CMMC, etc. If the said compliance in their sectors is not followed, they might be subject to large files such as:^[1]:

1. The penalty for non-compliance with HIPAA can range from $100 to $50000 per individual violation.
2. The penalty for non-compliance with the PCI DSS ranges from $5000 to $10000 per month till the time the compliance is achieved.
3. The GDPR has a maximum violation of €20 million or 4% of the annual turnover, whichever is higher.

And if the company still does not follow, the compliance fines tend to multiply.

Let’s talk about the type of data subject to cyber security compliance, it includes^[2]:

1. PII data: It includes the date of birth, first/last name, address, Social Security number, mother's maiden name, etc.
2. Financial information: it includes credit card numbers, expiration date, CVV, bank account details, PINs, credit history, account summary, etc.
3. PHI data: it includes medical history, insurance, record, appointment history, prescriptions record, hospital, admission record, etc.

Other types of information include race, religion, marital status, biometric data, email address, username, passwords, etc.

It is important to have a better compliance team to save the company from data breaches, protect the reputation, protect from fines, maintain customer trust, etc. According to the compliance management lifecycle, the following are the pillars of compliance^[2]:

1. Attack surface monitoring: It includes looking for vulnerabilities in the system or bugs that might open back doors.
2. Risk prioritization: Once the vulnerabilities are known, it should be prioritized on the basis of the impact that they might have on the data.
3. Remediate risk: Once the prioritization is complete immediate steps should be taken to fix the issue or minimize the effect.
4. Report compliance efforts: It means documenting the efforts that were taken to minimize or fix the issue in order to keep the seniors and auditors in the loop.

GDPR edit

General Data Protection Regulation (GDPR) is a comprehensive privacy and security law in the world. It was drafted and implemented by the European Union on May 25, 2018. It aims to protect the data of EU citizens by imposing obligations and organizations anywhere in the world collecting the data of citizens of the EU. Violating the terms of GDPR regulations can lead to fines of up to 20 million euros.  

According to the NYTimes, google was fined 50 million euros for not properly disclosing to users how data is collected across its services like its own search engines like Google and its services like Maps and YouTube. This penalty is considered one of the largest under the EU privacy law i.e., GDPR. There are some GDPR compliance checklists that must be followed by every US company dealing with European citizens' data.

• Conducting information audit for EU personal data.
• Inform the customers about the reason behind the processing of their data.
• Assess the data processing activities and improve the protection
• Data controllers should make sure that they have a data processing agreement with the vendors.
• A designated data protection officer should be appointed especially by the larger organization.
• Non-EU organizations are required to appoint a representative based in one of the EU member states.
• Duties should be known during the event of data breach.
• Organizations should comply with cross-border transfer laws.

Top GDPR fines till date

• Meta

It was fined a total of 405 million euros for violating children privacy through the publication of email addresses and phone numbers.

• Clearview AI Inc.

A fine of 20 million euro was imposed on an AI company in America for collecting selfies and utilizing them to expand its database of approximately 10 billion faces. The company used to then sold its identity verification services to various industries, including law enforcement.

• Google

Google was fined by AEDP, a Spain’s data protection agency a 10 million euro after the search engine giant was found to be passing the personal data of EU citizens who were requesting erasure of their data to the Lumen Project. The AEDP found that the content removal form Google provided to data subjects for exercising their right to be forgotten was confusing.

After discovery of the search engine giant was giving the Lumen Project access to the personal information of EU individuals who were requesting their data be erased, AEDP, Spain's data protection body, penalized Google 10 million euros. The AEDP discovered that Google's form for material removal, which individuals used to exercise their right to be forgotten, was unclear.

• Rewe

Rewe, a supermarket chain was imposed a fine a 8 million euro for breaching the GDPR in the year 2022.

• HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPPA) was enacted in 1996. This act enables nationwide standards to protect an individual’s medical and personal health information. The items covered under HIPPA include but are not limited to healthcare providers, health plans, clearinghouses, and their business associates. The business associated can be the organization that executes the jobs that involve disclosing protected health information (PHI).^[3]

As a part of HIPAA compliance there are different sections like breach notification rule, security and privacy rules which companies need to follow in order to enable patients to get access of their data. As according to the HIPAA guidelines companies have about 45 days to process the data from the day the patient submitted the request. This request can be both in regards to data access or data deletion and applies to both existing and new patients of a certain health system. Once the 45 days are passed and the data is not processed, the companies are held liable and can be sued.^[4]The HIPAA also give a clear distinction of what data is classified as a PHI or a unsecured PHI. Along with this they also talk about how those data can be stored electronically and used by IT-Healthcare companies and does outline the laws for the same in addition to the traditional healthcare sector that was limited to offline market.. Healthcare organizations must therefore take the necessary steps to adhere to HIPAA rules, including frequent risk assessments, the implementation of suitable security controls, employee training on HIPAA policies and procedures, and timely response to any PHI breaches.^[5]

The following are some of the key requirements for HIPAA Compliance:

1. Privacy Rule: The HIPAA Privacy Rule establishes federal requirements for safeguarding the privacy of people's health information, including the demand that covered businesses seek patients' written consent before revealing their data.
2. Security Rule: According to the HIPAA Security Rule, covered organizations must put in place administrative, physical, and technical measures to protect the availability, confidentiality, and integrity of electronic protected health information (ePHI).
3. Breach Notification Rule: The HIPAA Breach Notification Rule mandates that, in the event of an unprotected ePHI breach, covered entities notify impacted people, the Secretary of Health and Human Services, and, in some circumstances, the media.^[6]
4. Enforcement Rule: Procedures for investigations, hearings, and the enforcement of civil monetary penalties for HIPAA rule infractions are established under the HIPAA Enforcement Rule.
5. Omnibus Rule: The HIPAA Omnibus Rule significantly altered the HIPAA rules, extending liability to business partners of covered businesses, stiffening fines for non-compliance, and enhancing people's access rights to their health information.

SOC 2 Compliance edit

As organizations continue to rely on technology to run their operations, the need for robust security measures becomes paramount. SOC 2 compliance has become one of the most important criteria for service providers and vendors to have controls in place to protect their customers' data.  We take a closer look at the five Trust Service Principles of SOC 2 and the benefits of achieving compliance. This principle focuses on protecting data from unauthorized access, disclosure, and destruction. Controls based on this principle include access control, encryption, and auditing of security events. availability: This principle focuses on ensuring that the system can be operated and used as agreed with the customer. Management based on this principle includes plans for redundancy, backup, and disaster recovery.

This principle focuses on ensuring that system processing is complete, accurate, timely and authorized. Controls based on this principle include input validation, data reconciliation, and error handling. This principle focuses on ensuring sensitive data is protected from unauthorized access or disclosure. Controls based on this principle include access control, encryption, and data classification. This principle focuses on ensuring that personal information is collected, used, stored, and disclosed in accordance with the organization's privacy policy and relevant laws and regulations. Controls based on this principle include data minimization, consent management, and data subject rights.

SOC 2 compliance demonstrates an organization's commitment to security and privacy and can enhance reputation and credibility with customers and partners. SOC 2 compliances can give companies a competitive advantage over competitors who may not have gone through the same rigorous review process. crisis management: SOC 2 compliance helps organizations identify and remediate potential security risks and vulnerabilities, thereby improving their overall security posture. SOC 2 compliance helps organizations meet the security and privacy requirements of industry-specific regulations such as HIPAA and PCI DSS. Being SOC 2 compliant can increase customer confidence in your organization's data protection capabilities, which can lead to increased customer loyalty and retention.

Now that we have reviewed what cybersecurity compliance is, it is important to understand how to get started in making a Cybersecurity Compliance Program within your organization. Every cybersecurity compliance program is specific to an organization due to its versatility and depth it covers. However, the steps below should be a great starting point for any organization to begin developing its compliance program and gain the benefits to meet regulatory compliance requirements.

1. Assemble a Designated Compliance Team: The main power behind cybersecurity compliance is your IT staff, however when a comprehensive compliance program is put into place, a compliance team must be formed. For a business to have a strong cybersecurity posture and support compliance procedures, all departments must collaborate.
2. Make a Risk Analysis Process: You should adhere to the four fundamental phases of the risk analysis process in order to identify and evaluate risks. These include determining which information systems, assets, or networks have access to data, determining the risk level associated with each type of data, applying a formula to analyze the risk, and establishing tolerance by selecting whether to reduce, transfer, reject, or accept any identified hazards.
3. Enable Controls to Mitigate or Transfer Risk: Setting up security measures to reduce or transfer cybersecurity threats is the next stage. These measures include encryption, network firewalls, password restrictions, staff training, incident response plans, access control, and patch management schedules, among other technological and physical measures.
4. Create and Implement Policies: Document any policies or instructions that IT teams, staff, and other stakeholders need to follow controls have been put in place. These regulations will also be helpful for future internal and external audits.
5. Monitor and Respond Quickly: Maintain a constant eye on your compliance program as new laws or revised versions of old ones are passed. A compliance program's objective is to recognize and manage risks and stop cyber threats before they result in a significant data breach. Additionally, it's crucial to have business procedures in place that let you respond rapidly to threats.

^{[3][4][7][8][6][9][10][5][11][2][1][12][13]}

1. ↑ ^{a b} Kost, Edward. 2022. What is Compliance Management in Cybersecurity? Oct 10. https://www.upguard.com/blog/what-is-compliance-management.
2. ↑ ^{a b c d} CompTIA. n.d. What Is Cybersecurity Compliance? https://www.comptia.org/content/articles/what-is-cybersecurity-compliance.
3. ↑ ^{a b} National Institute of Standards and Technology (NIST). (2020). Cybersecurity Framework. https://www.nist.gov/cyberframework
4. ↑ ^{a b} European Union Agency for Cybersecurity (ENISA). (2020). Cybersecurity Act. https://www.enisa.europa.eu/policy-and-law/cybersecurity-act
5. ↑ ^{a b} U.S. Department of Health & Human Services. (n.d.). HIPAA for Professionals. Retrieved April 24, 2023, from https://www.hhs.gov/hipaa/for-professionals/index.html
6. ↑ ^{a b} Federal Trade Commission. (2019). FTC Takes Action Against CafePress for Data Breach Cover-Up. https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover
7. ↑ Payment Card Industry Security Standards Council. (2020). Payment Card Industry Data Security Standard. https://listings.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement?return=%2Fassessors_and_solutions%2Fpoint_to_point_encryption_solutions/
8. ↑ Marriott International. (2019). Marriott International Announces Data Breach Settlement. https://www.cbsnews.com/news/marriott-data-breach-class-action-lawsuits-seek-billions-with-more-to-come/
9. ↑ Maersk says global IT breakdown caused by cyber attack. (2017). https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19I1NO
10. ↑ Target Corporation. (2018). Target Data Breach Settlement. https://topclassactions.com/lawsuit-settlements/closed-settlements/target-data-breach-class-action-settlement/
11. ↑ Health Information and Management Systems Society. (n.d.). HIPAA Resources. Retrieved April 24, 2023, from https://www.himss.org/news/himss-comments-hipaa-proposed-regulation-highlights-importance-alignment-and-access
12. ↑ GDPR. (2023, January). General Data Protection Regulation. Retrieved from gdpr-info.edu: https://gdpr-info.eu/
13. ↑ McCarthy, N. (2023, January 31). The Biggest GDPR Fines of 2022. Retrieved from EQS Group: https://www.eqs.com/compliance-blog/biggest-gdpr-fines/