Keeping up with industry and government email compliance regulations impacting the exchange of sensitive information can be exhausting. So, we’ve put together a list of four big ones you need to know about.
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Information Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
- Gramm-Leach-Bliley Act (GLBA)
- General Data Protection Regulation (GDPR)
Security for credit card information stored, processed or transmitted by merchants and associated vendors is regulated by PCI DSS. All cardholder data passing over an open, public network such as the internet, must be protected (encrypted), according to requirement number 4.
PCI DSS helps organizations focus on security, not compliance, by making payment security business-as-usual. By raising security standards and making compliance status quo, monitoring effectiveness of security controls and maintaining a PCI DSS compliant environment is easy.
All credit card processors have adopted the Payment Card Industry Data Security Standard (PCI DSS). The goal of this regulation is to prevent identity theft and protect cardholder data and it applies to any company that processes credit card data. The most recent version of PCI (3.2) was released in April 2016 with a minor update (3.2.1) issued in July 2018 to update migration dates.
PCI DSS 3.2 mainly consists of changes meant to streamline and clarify the regulation, but there are a few updates that fall under the “evolving requirement” category that affects how you handle credit card data as of February 1, 2018.
One of the changes is that there is now a “new requirement for service providers to maintain a documented description of the cryptographic architecture.” Although more documentation is required to stay compliant with the new PCI DSS update, the goal is to protect sensitive client information and ensure safer communications between business processes. This update will also help companies detect bottlenecks in their cryptography functionality, giving them to opportunity to make the appropriate changes.
A more detailed description of the updates can be found here.
Congress passed HIPAA in 1996 and is probably the most well known compliance regulation impacting email The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use/disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information or PHI (Protected Health Information).
The key HIPAA impacts on email are:
- Organizations must ensure email messages containing protected health information are sent protected.
- Senders and recipients are properly verified and authenticated.
- Email servers and the messages they contain are protected.
HITECH was passed as part of 2009’s American Recovery and Reinvestment Act, HITECH and is intended to push the healthcare industry toward faster adoption and use of health information technology. Subtitle D of HITECH addresses “the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.”
In 2013, HIPAA/HITECH was expanded by the Department of Health and Human Services with the Omnibus rule, which became effective on September 23, 2013. The reach of HIPAA data privacy and security requirements expanded to include “business associates” of covered entities making them also subject to HIPAA as well as giving HIPAA more power in enforcement.The rule expanded significantly the number and type of organizations covered by re-defining who is a business associate of covered entities. Because civil and criminal penalties may now apply to business associates, these businesses also need to take steps to secure Protected Health Information (PHI).
Business associate agreements
Another important term related to HIPAA is the Business Associate Agreement (BAA), which is a contract required to be established between a HIPAA-covered entity (CE) and a HIPAA business associate (BA). This contract protects PHI in accordance with HIPAA guidelines. Subcontractors who have access to or who store PHI now also need to sign business associate agreements and be able to demonstrate compliance. HIPAA now effectively applies not just to medical providers, but to the entire ecosystem of vendors supporting them. A typical example of CE is a healthcare organization that handles PHI for its patients, and a typical example of a BA is a service provider that securely handles, transmits or processes PHI for a CE. Under the HITECH Act, BAs are responsible for securely handling PHI and can be held accountable for data breaches and penalized for noncompliance.
GLBA is the third major email compliance regulation on our list. GLBA was passed in 1999 with primary goal of protecting the private financial data of consumers. The fancy term for this is “Nonpublic Personal Information” (NPI). Although this act applies mostly to financial institutions, today, many more organizations in a variety of industries maintain NPI for their customers.
The Financial Privacy rule is the key consideration for most organizations. This rule governs the collection, use, and disclosure of private financial data. The process companies must take to safeguard this information is also defined.
The Safeguards Rule instructs organizations to develop security programs in alignment with the amount of NPI data they maintain.
Although the law is technology neutral, the Safeguards Rule instructs the organization to implement policies to encrypt or block email traffic based on the message sender, recipient or content.
GDPR is a new major privacy regulation that went into effect in May 2018. It is a European Union (EU) directive but does impact organizations outside of the EU if those organizations market to and collect information on EU residents.
In a nutshell, when an organization is collecting, processing and/or storing the personal data of any EU resident – regardless of where the organization is located – express permission must be obtained first. This means the individual must have opted in, not only to collect the data, but to process and store it. Data collectors/processors (the organization) must also be clear with the individual about how the data will be used, stored and protected. These individuals must also be given an easy way to withdraw their permission and have it completely deleted from an organization’s database(s). You can learn more about GDPR here.
Article 5 of the GDPR details the principles covered by the regulation. 5.1 lays out the requirements for treating private data of EU citizens:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Take the Steps to Comply
A major facet of meeting the requirements of all these email compliance regulations is ensuring that your email is secure and well protected against hackers, scammers, and those with the intent of committing fraud. Failure to comply with mandated regulations leads to not only financial consequences but can permanently damage your company’s reputation as well as scare clients from coming back. Don’t take chances when it comes to staying compliant. It isn’t worth the risk.