IT Legislation and Compliance

by Jon Lober | NOC Technology

Staying On Top of Data Privacy Compliance


For many years, in most industries companies have been able to freely catalog, store, and share digital consumer data with the passion of coin collectors at a convention. In the absence of legislation to regulate data privacy, they have acquired personal details, added them to a consumer’s profile, and sold or swapped them with other companies—filling out their collections with intricate details that helped them identify purchasing habits and preferences. 

 

Though many businesses have taken great pains to protect their users’ data, others have been less respectful. Even for those businesses that do protect their clients’ or users’ privacy, increasingly successful cybercriminals present an added challenge. Data breaches at some of the world’s largest, most sophisticated companies, including Facebook, Microsoft, First American, and LinkedIn among others, serve as a warning that data is not only valuable, but increasingly vulnerable.

As a result of this data environment, a few states have begun to implement comprehensive legislation intended to protect consumer data. As of 2023, California, Colorado, Connecticut, Utah and Virginia have all passed data privacy laws intended to protect consumers living in those states. Beyond those expansive local laws, the United States federal government has also implemented a patchwork of protections for specific types of consumer data in a few specific industries. These protections include (but are not limited to):

  • HIPAA – Healthcare records and communications 
  • FERPA – Student educational records 
  • FCRA – Credit reporting information 
  • FTC Act – App and website privacy policies as well as marketing language related to them 

 
In order to address this wide variety of legislation and increasing number of stand-alone provisions, the US House of Representatives is currently working on a significant bill, the American Data and Privacy Protection Act. This is the first comprehensive act of its type to clear the committee phase, and if enacted into law, it will completely change the regulatory landscape for any business that collects personal information from its clients.

Outside of the US Federal and State legislative environments, other large markets like the European Union and China have already enacted wide-reaching privacy laws that apply to businesses selling to consumers within their borders. As an example, the General Data Protection Regulation (GDPR) gives individual consumers within the EU substantial control over the use of their private data and requires businesses to seek permission to share certain data. 

 

Industry, state, and international data privacy regulations are just the tip of the iceberg. Many local jurisdictions also have their own data privacy laws. Organizations must not only be aware of these compliance requirements; they also need to track updates to these rules as they change.

By the end of 2024, about 75% of the population will have its data protected by one or more privacy regulations. 

 

Businesses need to stay on top of their data privacy compliance requirements; otherwise, they can face real consequences. Many standards carry stiff penalties for a data breach, and if security was lacking when the breach occurred, fines can be even higher. HIPAA, for example, uses a sliding scale: violators can be fined between $100 and $50,000 per breached record, and the more negligent the company is, the higher the fine.

If this all sounds a bit overwhelming, and you are worried about your business staying in compliance with the changing regulatory landscape, here are a few tips. 

 

1. Identify the Regulations that Apply to Your Business

Your organization may be subject to a variety of data privacy rules. A few of these levels could include: 

 

  • Industry (healthcare, financial, minors, loans, and others) 
  • Where you sell (EU or states with comprehensive policies) 
  • State policy 
  • City or county policy 
  • Federal (e.g. for government contractors) 

Take the time to identify which (if any) of these areas affect your business. 

 

2. Remain Aware of Changing Data Privacy Regulation 

Don’t get blindsided by a data privacy rule change, be it local, federal, state, or industry. Stay on top of any changes by signing up for updates on the appropriate regulatory website. The compliance authority’s official website should offer a sign-up form for email announcements about changes that would affect the compliance requirements of your business.

For example, if you are in the healthcare field you can sign up for HIPAA updates at HIPAA.gov. You should do this for each of the regulations that you determine apply to your business. 

 

As comprehensive state and federal policies rapidly evolve, you will need to try to keep tabs on the policies of the places where you work as well as those where you sell your products and services. Until a comprehensive national policy is implemented, search for news updates every few months to see which states have implemented or are soon to implement new policy. Since the majority of states are at least considering laws to govern data privacy, it seems logical to assume that each year, additional states will be added to our list above. 

 

Have any pertinent updates sent to more than one person—typically your Security Officer or equivalent as well as another responsible party. This ensures that you don’t miss an important change.

3. Review Your Data Security Standards

Companies constantly update their technology. This doesn’t always mean a big enterprise transition; sometimes you may simply add a new server or a new computer to the mix. 

 

Seemingly insignificant changes to your IT environment can cause you to fall out of compliance. If a new employee’s mobile device is added, but not properly protected, that could be a problem. Even one new cloud tool that an employee decides to use can cause a compliance issue. 

 

For these reasons, it’s important to do at least one annual review of your data security. Cross-reference what you find against your data privacy compliance requirements to make sure you’re still in the clear.

4. Audit Your Security Policies and Procedures

In addition to an annual review of your security standards and hardware changes, you should audit your internal policies and procedures. These written documents not only tell employees what’s expected from them, they should also give direction when it comes to data privacy and how to handle a breach. 

 

Audit your security policies annually. Additionally, audit them whenever there is a data privacy regulation update. You want to ensure that you’re covering any new changes to your requirements. 

 

5. Update Your Safeguards as Needed 

When you receive a notification that a data privacy update is coming down the line, plan ahead. It’s best to comply before the rule kicks in, if possible. 

 

When you learn of impending changes, start by reviewing these three areas of your IT security: 

  • Technical safeguards – Systems, devices, and software 
  • Administrative safeguards – Policies, manuals, and training 
  • Physical safeguards – Doors, keypads, and building security 


6. Keep Employees Up-to-Date on Privacy Compliance and Policies 

Employees should be aware of any changes to data privacy policies that impact them. When you receive news about an update, add this to your ongoing training. Good cybersecurity practice requires employers to conduct ongoing cybersecurity training for staff. This keeps anti-breach skills sharp and reminds them of what is expected. 

 

Include updates about what employees need to know to be properly prepared. Remember to always log the date, the employees educated, and the topic of your training activities. That way, you have documentation if you do suffer a breach at some point. 

 

7. Outsource Your Compliance Needs to a Managed Service Provider (Optional)

Qualified MSPs can lend you a hand if you find yourself working in a regulated industry or state, or if you do not feel comfortable trying to stay on top of compliance requirements with your current internal resources. Not all MSPs will provide compliance assistance, so you may need to do a bit of research before landing on one with the experience and capability to keep you ahead of the curve. 
