Information security is a critical concern for organizations of all sizes. For small to medium-sized businesses (SMBs) and non-profit organizations (NPOs), navigating the complexities of regulatory compliance can be particularly challenging. In the United States, there are several well-known federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA), but organizations also need to be aware of state and local laws that impact their operations.
Federal Regulations: HIPAA and Beyond
One of the most well-known federal regulations affecting information security is HIPAA, which establishes national standards for the protection of electronic protected health information (ePHI) and applies to health care providers, health plans, and health care clearinghouses. HIPAA requires covered entities to maintain the confidentiality, integrity, and availability of ePHI, and to implement safeguards against unauthorized access or disclosure (Source: HHS, https://www.hhs.gov/hipaa/for-professionals/security/index.html).
In addition to HIPAA, businesses may need to comply with other federal regulations depending on their industry, such as the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Federal Information Security Management Act (FISMA) for federal agencies, or the Sarbanes-Oxley Act (SOX) for public companies.
But What About State and Local Laws?
SMBs and NPOs also need to be aware of state and local laws that govern the protection of sensitive information. These laws may apply to a broader range of businesses and non-profit organizations and typically focus on the safeguarding of personal information.
For example, North Carolina has the Identity Theft Protection Act (NCITPA), which requires businesses to implement and maintain reasonable security procedures and practices to protect personal information (Source: NC General Assembly, https://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html). The law also requires businesses to notify affected individuals in the event of a security breach involving their personal information.
In New Jersey, the New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) establishes certain requirements for the disclosure and processing of personally identifiable information (Source: NJ Legislature, https://www.njleg.state.nj.us/bill-search/2022/A505). These include a requirement for organizations to establish an operational program that must include administrative, technical, and physical safeguards and be designed to prevent unauthorized access, use, or disclosure of personal information. The Act even establishes an Office of Data Protection and Responsible Use within the Division of Consumer Affairs for oversight.
It’s not just technical safeguards that have to be in place, it’s operational ones too. And it’s not just healthcare providers or financial institutions – if you are a place of business or a non-profit organization operating in the State at all, this applies to you.
What Your Organization Needs to Do
To ensure your organization stays compliant with federal, state, and local regulations while safeguarding sensitive information, consider the following high-level recommendations (note – this list is not exhaustive, is not legal advice, and it is not a substitute for comprehensive consultation with an infosec or legal expert):
- Assess your risk: Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and the types of sensitive information your organization processes, stores, or transmits. This will help determine which regulations apply to your business.
- Develop a written information security program and set of policies: Create a documented plan outlining the administrative, technical, and physical safeguards your organization will implement to protect sensitive information. Ensure the program is regularly reviewed and updated as needed. Also, see my article on written policies here: https://scratchberry.com/dont-make-this-mistake-you-need-written-policies/
- Train employees: Provide ongoing information security training for all employees, ensuring they are aware of relevant regulations, company policies, and best practices for handling sensitive information.
- Monitor and audit: Regularly monitor and audit your information security program’s effectiveness, including reviewing access controls, vulnerability scans, and incident response plans. Make adjustments as necessary to address identified weaknesses.
- Implement technical controls: Controls such as Email Threat Protection, strong encryption for storing and transmitting sensitive information, Cross-Platform Detection and Response, a reliable backup solution, and more will greatly reduce the risk of unauthorized access or disclosure.
- Engage with experts: Consult with legal counsel and information security professionals to ensure your organization stays up-to-date on the latest regulations and best practices in information security. Consider using a different information security consultant than your regular IT support provider: there is an inherent conflict of interest when the person auditing your information security is also the person responsible for remediating the issues that audit finds.
By taking these proactive steps, your organization will be better equipped to meet regulatory requirements and protect the sensitive information of both your business and your clients.