Cybersecurity Compliance - It Starts With The Framework!
It is important to understand that "getting compliant" with a cybersecurity requirement generally involves more than working through a checklist.
With that in mind, selecting a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to (1) not be considered negligent with reasonable expectations for security & privacy; (2) comply with applicable laws, regulations and contracts; and (3) implement the proper controls to secure your systems, applications and processes from reasonable threats. This understanding makes it pretty easy to determine the appropriate external framework to align with.
Where Do You Fit In The Mandatory Compliance Puzzle?
A single negligent breach could close your business forever, because liability insurance does not cover professional negligence! Below are several examples of how compliance with information security requirements affects common businesses:
HIPAA and PCI DSS Compliance
Example #1: Physical Therapist
Compliance Requirements: HIPAA, PCI DSS & State Breach Laws
Why? This physical therapist office deals with electronic Protected Health Information (ePHI) of clients so it falls under HIPAA. The office also accepts co-payments by credit card so it falls under PCI DSS. Since the state requires a breach notification plan, the office must also adhere to state-specific compliance requirements for data breaches.
PCI DSS and GLBA Compliance
Example #2: Certified Public Accountant (CPA)
Compliance Requirements: GLBA, PCI DSS & State Breach Laws
Why? Like most CPAs, this CPA deals with private financial information of clients, so it falls under GLBA. The CPA works for clients that accept credit cards and has access to their QuickBooks accounts (containing cardholder information), so the CPA must meet PCI DSS requirements. Most states waive state-sponsored breach laws if the company is GLBA compliant, so there are no additional requirements by the state.
GLBA and PCI DSS Compliance in Oregon
Example #3: Lawyer
Compliance Requirements: HIPAA, FACTA, GLBA, PCI DSS & State Breach Laws
Why? This law office deals with Protected Health Information (PHI) for injury claims so it falls under HIPAA as a Business Associate. Since the office also performs real estate closings and is responsible for private financial information, it falls under both FACTA and GLBA. The office accepts payment by credit card so it falls under PCI DSS. This state waives its breach notification law if the law office is GLBA compliant, so there are no additional requirements by the state.
PCI DSS Compliance for Level 3 and Level 4 Merchants
Example #4: Coffee Shop
Compliance Requirements: PCI DSS
Why? This coffee shop accepts payment by credit and debit cards so it falls under PCI DSS. This particular state does not have any breach notification laws, so the coffee shop only has to focus on PCI DSS compliance.
State Identity Theft Law Compliance
Example #5: Construction Company
Compliance Requirements: State Breach Laws
Why? The construction company operates in a state that has a law requiring both client and employee Personal Identifying Information (PII) to be protected and requiring notification in the event of a breach.