1. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework

In response to a presidential directive, on Oct. 22nd the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cybersecurity framework, which aims to better secure U.S. companies and government agencies: NIST 800-53 and NIST 800-171. The NIST 800 series documents U.S. federal government security policies and procedures. NIST 800-53 documents and recommends security controls for federal information systems and organizations. NIST 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides cybersecurity requirements for protecting sensitive information, including protection across IT networks, email servers, data centers, and VPNs.

2. European Union General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR aims to bring a single standard for data protection to all member states in the EU. It is a regulation in EU law governing data protection and privacy for EU and EEA individuals, and it aims to give individuals more control over their personal data and what is shared. Whether you’re located in the EU or just have one subscriber or customer in the EU, your company needs to be compliant, or you may face heavy fines or criminal charges.

3. Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) exists to protect the security of cardholder data. Its controls are mandatory for organizations that process credit card data. The standard is made up of multiple levels, and the extent to which your organization interacts with credit card data determines which level of PCI compliance your organization needs to achieve. The PCI Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., which share equally in the governance and execution of the Council's work. The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and their credit can be negatively affected; the personal fallout is enormous. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities.

4. California Consumer Privacy Act (CCPA)

In late June 2018, California passed a consumer privacy act, AB 375, that could have more repercussions on U.S. companies than the European Union's General Data Protection Regulation (GDPR), which went into effect earlier in the spring of 2018. The California Consumer Privacy Act (CCPA) is a California law that grants California residents a very high level of control over their data, including but not limited to the right to know what personal information is collected about them and whether it’s being sold or shared, and the right to deny the sharing or selling of their data. It also gives them access to their personal information and guarantees equal service and price even if they exercise their privacy rights. This law will take effect in January 2020.

5. New York State Department of Financial Services (NYDFS) (Title 23 NYCRR 500)

The New York State Department of Financial Services (NYDFS) has used its authority under state law to protect consumers and to “ensure the safety and soundness of the institution on behalf of their clients” to create new regulations around cybersecurity. These apply to any registered entity providing financial services, including insurance companies, banks, and other financial services institutions. 23 NYCRR 500 is part 500 of the NYDFS’s overall body of regulation. In short, 23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches.

The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance companies doing business in New York, and non-U.S. banks licensed to operate in New York.

Some 23 NYCRR 500 exemptions: the regulation provides an exemption for organizations with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets.

6. Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)

Because HITECH legislation results in an expansion of the exchange of electronic protected health information (ePHI), it also widens the scope of privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA), including increased legal liability for non-compliance and more enforcement actions. HIPAA/HITECH enforces security controls to protect protected health information (PHI). Anyone who collects, stores or processes PHI, including hospitals, medical providers, and insurance companies, is required to be HIPAA compliant. The Health Insurance Portability and Accountability Act provides the ability to transfer and continue health insurance coverage for American workers and their families when they change or lose jobs. It mandates industry-wide standards for handling healthcare information and the related processes. Lastly, it requires the protection of this health information so that it remains confidential. HIPAA is essentially in place to reduce healthcare fraud, abuse and the leakage of sensitive health information.

7. System and Organization Controls for Cybersecurity (SOC 2/3)

SOC 2 is an auditing process that ensures service providers like us are securely managing your data in a private and confidential manner. It covers a variety of criteria, including multi-factor authentication (MFA), encryption, firewalls, disaster recovery (DR), security, access controls, quality assurance (QA), process monitoring, and more.

SOC for Cybersecurity reports are used by senior management, boards of directors, analysts, investors and business partners; they provide intended users with information about an entity’s cybersecurity risk management program so that they can make informed decisions. The audit reports on the enterprise-wide cybersecurity risk management program.

8. Personal Information Protection & Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law that governs how private-sector organizations may collect, use, and disclose personal information in the course of commercial activity.