It has now been one year since the EU’s General Data Protection Regulation (GDPR) entered our lives. And in the United States, the California Consumer Privacy Act (CCPA) will be one-year-old on June 28, 2019.
Although these two regulations have made big headlines recently, our economic landscape is filled with a mosaic of more specific rules around data across multiple industries such as finance, healthcare and retail. These can be wide-reaching, such as GDPR, or industry-specific, such as PCI DSS. Sometimes, looking at something from a distance can help to consolidate your view.
In this first blog article about data security regulations by industry, we take a bird's-eye view of some of the better-known compliance regulations around data and security for the financial services industry. Upcoming articles will deal with data security regulations for healthcare, retail and eCommerce.
Disclaimer: This article is meant for introductory guidance only and summarizes the most commonly-cited data security regulations for the finance industry. It neither claims to be an exhaustive list of all currently-applicable data security regulations across the globe, nor claims to provide legal/compliance advice. For a full assessment of your organization's regulatory context, please consult with a legal/compliance professional.
Below are some of the data security compliance regulations that you may or may not have come across. This list is a taster of some of the more data-centric aspects of the regulations.
The financial sector must be the most rigorously-regulated industry of them all. In terms of regulations, the finance sector holds a ‘full house’ of compliance cards.
The 23 NYCRR 500 cybersecurity regulation was issued by the New York State Department of Financial Services (NYDFS), the state's financial regulatory body. It was enacted to protect the privacy of consumer data used in financial services.
This regulation includes 23 sections setting out the requirements for an effective cybersecurity program. Under it, financial institutions must evaluate their cybersecurity risks in order to prevent data breaches.
It is similar in some ways to PCI DSS, which also applies to the financial use of consumer data. The jurisdiction of 23 NYCRR 500 is New York. The regulation requires that covered organizations can demonstrate they have taken "reasonable care" to prevent data breaches.
To ensure credit card payment security, the Payment Card Industry Security Standards Council (PCI SSC) has defined a set of compliance requirements to safeguard credit card transactions and consumer personal and financial data under the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS compliance is more than just satisfying a list of guidelines: it is a proven way to protect your data and your customers' data from outside attacks.
This standard covers any company that handles card payments, e.g. online and offline merchants. It is managed by the PCI Security Standards Council. It was originally developed in 2006 by a consortium of financial sector players: Mastercard, Visa, Discover, American Express and JCB. In its original guise, PCI DSS covered online payments; in 2018 phone-based payments were added.
There are four different compliance levels, based on transaction size. Fines can be up to $500,000.
The six pillars covered by PCI-DSS are:
If your organization needs to become PCI compliant or to assess its current level of compliance with PCI DSS, you may want to engage an independent firm to conduct a PCI compliance audit.
During a PCI DSS compliance engagement, certified security consultants review your information systems, policies and procedures, the security controls and systems in place, and your network security architecture, focusing on how well your organization aligns with the controls outlined in PCI DSS.
Upon completion of the audit, your organization will have received an assessment of the effectiveness of its organizational security controls against the PCI data security requirements.
The GLBA is a U.S. federal law that focuses on ensuring financial institutions communicate clearly how they are protecting customer data.
The key rule in the GLBA is the “Safeguards Rule” enforced through the Federal Trade Commission (FTC). The rule covers risk assessment and also includes having a written security plan based on the results of the assessment. The scope of the rule covers many business types, not just traditional financial sector companies.
Practical tip: If your organization transacts in a significant way around financial products or services, you will likely need to comply.
The SOX law was enacted in 2002. The remit of the law is to protect the public and shareholders against fraudulent financial activity.
All public companies must comply with SOX. The key areas which impact data security are around the way that electronic records are stored. SOX does not mandate the use of encryption for record protection, but it does encourage it.
The Japanese PIPA Act is overseen by the Personal Information Protection Commission (PIPC), a Japanese supervisory authority. The act took effect on 30 May 2017. PIPA has some similarities to the EU's GDPR but also differs from it in places.
PIPA focuses on the use of personal information for business but has no express provision around jurisdiction. It does set out a comprehensive classification of personal data, including the concept of "Personal Identifier Codes".
PSD2 is an EU directive that places emphasis on the transfer of data during end-to-end payments. It looks at the ways that transparency and customer rights can be applied during this data sharing.
The directive calls for a "defense-in-depth" approach. This includes two-factor authentication and network segmentation.
This accord goes back to 1992, with various amendments through Basel I-III. It is managed by the Basel Committee on Banking Supervision (BCBS).
Basel III sets out measurements around financial risk and its management. In doing so, it builds a security profile of a secure critical infrastructure (CI) for banking. To secure this CI, the institution needs to have robust policies and mechanisms in place.
Data risk covers operational security measures such as the proper protection of information and the control of access to confidential data.
The cybersecurity landscape and how we use data is ever-changing. In turn, the regulations that help us to create secure and privacy-enhanced use of data change with it.
This can mean a lot of work for companies that fall under the remit of not one but several regulatory frameworks. Keeping ahead of the requirements is a challenge. Mapping requirements between regulations can help to prevent duplication of work.
Ultimately, having a secure environment will mean you tick many of the compliance boxes as well as creating a great service for your customers.
Do you need help assessing your various compliance obligations?
Hitachi Systems Security has developed a comprehensive suite of compliance assessments suited to your needs and regulatory context.