Overview of Commercial Compliance Requirements and Acts

Since the passing of the Privacy of Information Act of 1974, both the U.S. Government and the private commercial industry have continued to pass laws and enact self-regulation to protect the confidentiality and integrity of personal or financial information housed on electronic information systems.

These compliance laws and regulations combine to protect different types of data, from Personally Identifiable Information (PII) to Protected Health Information (PHI) to financial reports such as banking statements, earning statements, balance sheets and account ledgers. Becoming compliant with these regulations is not simply an option: failure to comply can subject a company or organization to punitive fines, imprisonment or the loss of the right to provide a service, such as processing credit card payments.

Information system professionals are on the front lines of regulatory compliance and are tasked with implementing the controls and countermeasures required to protect data and achieve a successful compliance accreditation. That is not all: compliance must also produce auditable evidence that validates the controls. Most commercial organizations such as hospitals, financial firms and retail businesses must implement controls, policies and procedures that comply with one or more of the following regulations:

  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Sarbanes-Oxley Act (SOX) of 2002
  • Gramm-Leach-Bliley Act (GLB) of 1999
  • Payment Card Industry Data Security Standard (PCI DSS) of 2004

Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA was sponsored by Senator Ted Kennedy and was enacted by Congress in 1996 to protect health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers.

The HIPAA Privacy Rule and the Security Rule establish national standards to protect individuals’ medical records and other personal health information, and apply to health plans, health care clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Privacy Rule requires appropriate IT security safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. It also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections. The Security Rule deals specifically with Electronic Protected Health Information (EPHI).

Sarbanes-Oxley Act (SOX) of 2002

The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act or the Corporate and Auditing Accountability and Responsibility Act, and commonly called Sarbanes-Oxley or SOX, was passed on July 30, 2002. It is a United States federal law that sets new or enhanced standards for all U.S. public company boards, management and public accounting firms. SOX contains 11 titles that describe specific mandates and requirements for financial reporting, and it applies only to publicly traded companies.

With the passing of SOX, corporate boards took on more responsibility to oversee and strengthen corporate accounting controls and reporting methods, or otherwise risk fines or imprisonment. Part of implementing these controls requires public corporations to protect the integrity and confidentiality of corporate information, meaning corporate IT departments must implement IT security controls that ensure access to information is auditable and that the information is protected from unauthorized disclosure or modification.

Gramm-Leach-Bliley Act (GLB) of 1999

The Gramm-Leach-Bliley Act (GLB) is a comprehensive federal law affecting financial institutions, requiring them to develop, implement and maintain administrative, technical and physical safeguards to protect the security, integrity and confidentiality of customer information. GLB controls how financial institutions collect, store and disclose customers’ personal information by outlining a list of financial privacy and safeguard rules that must be implemented by the information owner. Failure to comply may result in fines or imprisonment.

Payment Card Industry Data Security Standard (PCI DSS) of 2004

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. It was created to help organizations that process card payments prevent credit card fraud. PCI DSS demands increased controls around cardholder data and its exposure to compromise, and it applies to any organization that holds, processes or exchanges cardholder information from a card bearing the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling. Regardless of the size of the organization, compliance must be assessed annually.

All of these different acts outline controls that must be implemented to protect the integrity and confidentiality of personal and financial information. Failure to comply can result in serious consequences.