Standards and Frameworks

Updated Jan 30, 2024

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that protects patient health information.

  • Applies to healthcare providers, insurers, and related entities
  • Violations can lead to fines or criminal charges

HIPAA includes the Privacy Rule, which covers patient rights over their health information, and the Security Rule, which sets the safeguards required to protect that data.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards to protect credit card data during processing, storage, or transmission.

  • Applies to all businesses that handle credit card transactions
  • Requires strong security measures like encryption and access control
  • Non-compliance can result in fines or losing the ability to process payments
Info: Failing an internal PCI DSS compliance assessment typically results in audit findings, which are documented issues that must be addressed to achieve compliance. These findings highlight areas where the organization's security practices do not meet the required standard and must be remediated.

FERPA

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, is a federal law designed to protect the privacy of student education records in U.S. schools that receive federal funds.

  • Gives parents and eligible students rights to access and correct records
  • Limits who can see or share student information without consent
  • Regulated and enforced by the U.S. Department of Education

GLBA

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, protects personal financial information held by financial institutions, including banks, securities firms, insurance companies, and other financial service providers in the U.S.

  • Requires transparency on how customer data is shared
  • A designated person must oversee information security
  • Defines and protects nonpublic personal information of consumers
  • Enforced by the Federal Trade Commission (FTC)

COPPA

The Children's Online Privacy Protection Act (COPPA), enacted in 1998 and revised in 2013, protects the online privacy of children under 13 in the U.S.

  • Requires parental consent before collecting a child’s personal data
  • Gives parents control over what’s collected and shared
  • Enforced by the Federal Trade Commission (FTC)

Privacy Act of 1974

The Privacy Act of 1974 governs how U.S. federal agencies handle personal data.

  • Individuals can access and request corrections to their records
  • Limits sharing of personal data without consent
  • Aims to protect against government misuse of information
  • Regulated by the U.S. Department of Justice and other federal agencies

This law aims to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy.

EU Data Protection Provisions

The European Union's General Data Protection Regulation (GDPR) applies to all organizations processing the personal data of individuals residing in the EU, regardless of the organization's location. Its data protection principles are:

  1. Personal data must be processed lawfully, fairly, and transparently.
  2. Personal data must be collected for specified, explicit, and legitimate purposes.
  3. Personal data must be adequate, relevant, and limited to what is necessary.
  4. Personal data must be accurate, updated as necessary, and corrected without delay.
  5. Personal data should be kept for no longer than necessary for the stated purposes.
  6. Personal data must be processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

GDPR

The General Data Protection Regulation (GDPR) is a strict EU law governing the collection and handling of personal data.

  • Grants rights like access, correction, and deletion of data
  • Companies must protect data and report breaches quickly
  • Penalties can reach €20 million or 4% of global annual revenue, whichever is higher
Info: Under GDPR, the data protection officer (DPO) ensures that the company understands its privacy responsibilities and serves as the primary liaison to the supervisory authority.

The chief information security officer (CISO) focuses on information security and risk management within the company but does not primarily serve as the liaison for GDPR compliance.