Compliance and the ‘2.0’ effect

In the last 10-15 years, many new regulations have emerged. For example, the Sarbanes-Oxley Act (SOX), the Payment Card Industry (PCI) standard and Basel III are just two of the seemingly infinite number of regulations that organizations must now address.

New regulations are constantly coming into force, including many that amend or alter existing regulations, as illustrated in Table 1. The result is a growing understanding that organizations will not be able to keep ahead of the compliance curve simply by staying reactive or by managing security and compliance in silos.
| REGULATION | Date | Requirements/Impact |
| --- | --- | --- |
| BASEL III | 2013 | Intended to manage liquidity risks by requiring global banks to have mature processes for identification, measurement and control by implementing faster and more granular data management systems. |
| FISMA 2.0 | 2010 | Requires continuous monitoring of information systems as part of every U.S. federal agency’s information security program; agency CIOs needed to have implemented software to continuously monitor the security of their networks by the end of the 2012 government fiscal calendar. |
| PCI DSS 3.2 | 2016 | The new standard of payment card security programs became available in April 2016 and organizations must stop using the previous version, which expired October 2016. |
| HITECH Act | 2011 | Requires healthcare providers, insurers, clearinghouses and business associates to achieve “meaningful use” of electronic health records technology. Any healthcare organizations not using the technology after 2015 are subject to a financial penalty. |

Table 1. Examples of “2.0” regulations and their impact on IT security and compliance
3 I DigiCert, Inc.
Regulatory fragmentation: When cybersecurity laws go viral

In 2003, the California Security Breach Information Act (SB-1386) came into effect. Very early on, the act went viral and other states quickly passed their own data breach notification laws.

In the U.S., 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted similar legislation, requiring private, government or educational entities to notify individuals in the instance of a security breach that may affect their personal information.

In Massachusetts, preventative legislation requires companies or persons who store or use personal information to develop a written, regularly audited plan to protect that data. This serves to further complicate compliance requirements for organizations that operate across state lines.

The European Union’s Directive on the Protection of Personal Information (EU Directive 95/46/EC) is another example of how legislation can spread virally. In effect, this directive established a common data protection and privacy baseline for each EU member state, providing a framework from which all EU member states must derive their own internal data protection and privacy laws.

The European General Data Protection Regulation (GDPR), effective in May of 2018, has since replaced this directive in order to coordinate with the current protection laws across the EU member states.

To achieve compliance with the GDPR and other similar laws, organizations need to take appropriate technical and organizational measures against unauthorized and unlawful processing, loss or destruction of personal data. There is also an added difficulty in that these laws make it unlawful to transfer personal data to a country or territory outside the European Economic Area unless the receiving country ensures an adequate level of protection for the rights and freedoms of data subjects when processing the personal data and transfers such data in accordance with approved mechanisms.

In almost every case, regardless of the nation, compliance with the European General Data Protection Regulation requires the use of technical controls, such as encryption, to protect personal information from theft, loss and exposure. Similar laws apply in other countries.
| COUNTRY | Year | Legislation |
| --- | --- | --- |
| ARGENTINA | 2000 | Personal Data Protection Law (PDPL) |
| CHILE | 1999 | Law for the Protection of Private Life |
| HONG KONG | 2012 | The Personal Data (Privacy) Bill |
| JAPAN | 2015 | The Act on the Protection of Personal Information (APPI) |
| TAIWAN | 2012 | The Personal Data Protection Law (PDPL) |
| SINGAPORE | 2012 | Personal Data Protection Act |
| SOUTH KOREA | 2011 | Personal Information Protection Act (PIPA) |

Table 2. Examples of Data Privacy and Protection Laws around the world