Compliance

Exceed Compliance Standards with Veriato

Whether for data breach notification or data protection, laws and regulations are extending across industries and geographic regions to ensure organizations secure the data they collect on consumers, patients, credit card holders and more. Many data protection and breach notification regulations also carry sizeable financial penalties for organizations that collect sensitive data and show inadequate safeguards for it, or that fail to notify affected users when breaches occur. Compliance with these regulations often includes mandated monitoring and auditing of authorized user access to that data. Consumers are fed up with breaches and do not care whether a breach resulted from an external attack or a trusted insider – they expect their data to be protected.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS), effective since September 7, 2006, is a security standard to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent entity created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The payment brands and acquirers enforce PCI DSS compliance and can fine acquiring banks $5,000 to $100,000 per month for compliance violations. PCI DSS Requirement 10 (Track and monitor all access to network resources and cardholder data) in particular mandates that audit trails of user activity around any payment card data be created so that suspicious activity can be traced to a specific user.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through its Privacy and Security Rules, protects protected health information (PHI), including the personally identifiable information (PII) within it, maintained by the healthcare and healthcare insurance industries against fraud, theft and unauthorized disclosure. Organizations subject to HIPAA compliance oversight must address the Administrative and Technical safeguards outlined in the Final Rule on Security Standards (the HIPAA Security Rule) with regard to how medical personnel handle sensitive information, including:

  • Routine and event-based internal audits to identify potential security violations
  • Ensuring that the data within its systems has not been changed or erased in an unauthorized manner

Failure to adhere to the HIPAA security specifications can result in fines ranging from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), applicable since May 25, 2018, mandates that personal data collected on individuals in the EU – even by non-EU entities and in non-EU countries – be protected. Should a breach of this data occur, the data controller must notify the supervisory authority within 72 hours of becoming aware of it (processors must notify their controller without undue delay), and must notify affected individuals without undue delay when the breach is likely to result in a high risk to them. If negligence or failure to comply with the protection requirements is identified, a fine of up to €20 million (approx. $23 million) or up to 4% of worldwide annual turnover – whichever is greater – can be assessed.

GDPR mandates that personal data be processed only on a lawful basis, one of which is the legitimate interests of the controller (Article 6(1)(f)). Recital 47 names fraud prevention as one such case:

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

  • Recital 71 goes on to list fraud and tax-evasion monitoring and prevention as purposes for which automated decision-making by data controllers may be authorised by Union or Member State law.
  • Organizations subject to GDPR must therefore protect any personal data they collect on individuals in the EU or face heavy financial penalties, and the regulation gives them a recognised lawful basis for monitoring for and detecting fraudulent access to, and abuse of, that data as part of this protection.

New York Title 23

NY Title 23, more precisely 23 NYCRR Part 500 (the NYDFS Cybersecurity Regulation), is Part 500 of Title 23 of the New York Codes, Rules and Regulations. It regulates organizations operating in the state of New York that are subject to NY Department of Financial Services oversight, which includes entities regulated under NY Banking Law, Insurance Law and Financial Services Law.

Compliance with NY Title 23 requires that covered entities protect the financial and other personal data they collect. Covered entities must also notify the DFS Superintendent within 72 hours of determining that a Cybersecurity Event has occurred that requires notice to another government or regulatory body or has a reasonable likelihood of materially harming a material part of their normal operations (§500.17). Protections of personal data include maintaining audit trails designed to detect and respond to Cybersecurity Events (§500.06) and implementing risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users (§500.14).

Organizations subject to NY Title 23 can face loss of licenses and financial penalties of up to $250,000, or 1% of the total assets of the organization and 1% of the total assets of its subsidiaries.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) is a California state law that enhances the privacy rights of California residents. The law applies to any organization doing business in California that collects consumers' personal data and meets any of the following criteria:

  • Annual gross revenues exceeding $25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • More than half of its annual revenue earned by selling consumers' personal information.

Under CCPA, companies that suffer a data theft or other data security breach can be prosecuted or subject to civil suits for failing to implement and maintain reasonable security protections for PII, covering unauthorized access and exfiltration, theft, or other disclosure – whether it results from an external breach or from the actions of authorized users.

Companies could be required to pay damages ranging from $100 to $750 per affected California resident and incident or ordered to pay actual damages and other relief, whichever is greater. Fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation can also be levied under California law.

Veriato develops AI-driven solutions that give companies the ability to collect activity data on all users and then report policy breaches based on the unique compliance needs of each organization.
