Forget GDPR. Think HIPAA, SOX, PCI, SHIELD and the CCPA.

The introduction of the GDPR in Europe caused a lot of companies to start thinking more seriously about data privacy. It also prompted some American companies to reconsider doing business in Europe at all: US-based websites like the Los Angeles Times and the New York Daily News went as far as blocking access for EU visitors.

Data protection legislation in the USA, however, has been around for a long time, and more is on the way. For most types of business, in most of the places companies operate in America, the changes will move compliance from a minor issue to a major concern. And not just for companies based in the US: any company with American customers will need to up its compliance game.

So what do you need to be aware of right now in the USA, what is coming up, and what can you do to be better prepared?

Remember HIPAA, SOX and PCI?

Talk about existing American data protection regulations has been drowned out in recent months by the GDPR conversation, but they’re still important and they have far-reaching consequences for many companies.

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 and provided the first national regulations for the use and disclosure of protected health information (PHI) in the USA. Its Security Rule defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”, and lists encryption of electronic PHI, at rest and in transit, as an addressable implementation specification: a covered entity must either implement it or document why an equivalent alternative is reasonable and appropriate. Because the Breach Notification Rule exempts properly encrypted PHI from notification, most organizations treat encryption as mandatory in practice.

The Sarbanes-Oxley Act, or SOX, came into force in 2002 as a direct response to accounting scandals at companies like Enron and WorldCom, to protect investors from fraudulent corporate activity. The key to complying with SOX is safeguarding financial data so that its integrity is assured, which is as much a matter of access control, change tracking and audit trails as of encryption; many companies nevertheless encrypt financial data wherever it resides, since encryption narrows who can read or tamper with it and is straightforward to evidence to an auditor.

The Payment Card Industry Data Security Standard (PCI DSS, often abbreviated simply to PCI) was launched in 2004 and amalgamated and aligned the existing standards of Visa, MasterCard, American Express, Discover and JCB. Given the sensitivity of card data, the standard requires the primary account number (PAN) to be masked when displayed and rendered unreadable anywhere it is stored, so masking card numbers and encrypting or tokenizing other card details is common practice to meet it.

Have you heard about SHIELD and the CCPA?

In one way or another, many companies in the USA need to ensure they comply with HIPAA, SOX or PCI when collecting, storing and analyzing certain kinds of data. Things are about to get more interesting, however, thanks to two new pieces of legislation which are being introduced at a state level, rather than a national level.

The Stop Hacks and Improve Electronic Data Security Act (SHIELD) is currently set to become law in New York from January 1, 2019. Its aim is to reduce data breaches by introducing stricter cybersecurity requirements and, importantly, it is intended to apply to any company which handles the private information of a New York resident, wherever that company is based. The key takeaway is that it will require companies to adopt “reasonable safeguards to protect the security, confidentiality and integrity” of private information.

Similarly, on the West coast, the wide-reaching California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. Its definition of personal information is broad: it covers identifiers such as IP addresses, web browsing histories and employment-related information like job descriptions (even when no name is attached), as well as obviously personal data like names and credit card numbers. It applies to for-profit businesses that do business in California and meet at least one of three thresholds (annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving half or more of annual revenue from selling personal information), regardless of where the business is headquartered.

Why masking and encrypting data needs to be the new standard everywhere

A common strand across every regulation mentioned, whether existing or on the way, is the requirement for there to be measures in place to protect information. That could be personal health data or financial information, credit card details or IP addresses, social security numbers or voice recordings. Access to anything that can be used, by itself or in combination with other data, to identify individuals needs to be controlled.

There’s a broader issue here as well, and one which is even more important. Companies doing business in the US are entering an era in which they will need to be compliant with more than one data protection regulation for some of their activities. Expect the smorgasbord of regulations to get bigger too when the residents of other US states start to demand that their privacy is protected as well.

The single most effective first step companies can take is to protect the data itself rather than only the perimeter around it. Access to production databases needs to be controlled and logged, while backups and the copies of databases that end up in other environments like development and testing need to have sensitive data masked before they leave production.
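As an added example (this is not code from the article, nor from any product it mentions), here is what masking a non-production copy looks like in practice. One small Python masking job covers both the PCI-style card number masking mentioned earlier and the dev/test copy described in this paragraph: keyed one-way pseudonyms so that the same customer still joins across tables after masking, a format-preserving token for SSNs, PAN truncation, IP generalization, and a final check that refuses to export if any original identifier survives. The column names, the sample rows and MASKING_KEY are constructed for illustration.

```python
"""Masking a production extract before it is copied to dev/test.

Added example, not code from the original article. Column names, sample
rows and MASKING_KEY are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import re

# Placeholder key. In a real masking job this comes from a secret store and
# never ships with the masked copy: with the key, tokens are consistent across
# runs; without it, nobody can rebuild a lookup table to reverse them.
MASKING_KEY = b"replace-with-key-from-secret-store"

# Constructed sample rows standing in for a production customers table and a
# dependent orders table. All values are fabricated.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "ssn": "123-45-6789",
     "pan": "4111 1111 1111 1111", "ip": "198.51.100.23",
     "email": "alice@example.com"},
    {"customer_id": 1002, "name": "Bob Sample", "ssn": "987-65-4321",
     "pan": "5500000000000004", "ip": "2001:db8::1",
     "email": "bob@example.net"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 42.50},
    {"order_id": 2, "customer_id": 1001, "amount": 19.99},
    {"order_id": 3, "customer_id": 1002, "amount": 7.00},
]


def pseudonym(value, key=MASKING_KEY, length=12):
    """Deterministic keyed one-way token (truncated HMAC-SHA256).

    The same input always maps to the same token, so joins between tables
    still work after masking, but the mapping cannot be reversed or
    brute-forced from a list of plausible inputs without the key."""
    mac = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def mask_pan(pan):
    """PCI DSS style masking: keep only the last four digits of the PAN.
    (The standard allows at most the first six and last four to be shown;
    for a non-production copy the last four alone are enough.)"""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("value does not look like a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn):
    """Replace a 9-digit SSN with a format-preserving one-way token.

    Keeps the NNN-NN-NNNN shape so application validation still passes, but
    the value is derived from the keyed pseudonym, not an encryption of the
    original, so there is nothing to decrypt."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("value does not look like an SSN")
    n = int(pseudonym(digits, length=16), 16) % 10**9
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def generalize_ip(ip):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) prefix so it no
    longer identifies a single host or subscriber."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def mask_customer(row):
    cid = pseudonym(row["customer_id"])
    return {
        "customer_id": cid,
        "name": f"Customer {cid[:6]}",
        "ssn": mask_ssn(row["ssn"]),
        "pan": mask_pan(row["pan"]),
        "ip": generalize_ip(row["ip"]),
        "email": f"{cid}@example.com",
    }


def mask_order(row):
    # The foreign key gets the same token as the customers table, so joins survive.
    return {**row, "customer_id": pseudonym(row["customer_id"])}


def verify_masked(customers, masked_customers, masked_orders):
    """Post-masking check: no original identifier survives as a substring of
    any masked value, and every masked order still joins to a masked customer."""
    originals = set()
    for c in customers:
        originals.update([c["name"], c["ssn"], c["email"], c["ip"],
                          re.sub(r"\D", "", c["pan"])])
    masked_values = [str(v) for r in masked_customers + masked_orders for v in r.values()]
    if any(o in v for o in originals for v in masked_values):
        return False
    ids = {c["customer_id"] for c in masked_customers}
    return all(o["customer_id"] in ids for o in masked_orders)


def mask_dataset(customers, orders):
    mc = [mask_customer(r) for r in customers]
    mo = [mask_order(r) for r in orders]
    if not verify_masked(customers, mc, mo):
        raise RuntimeError("masking left original data behind; refusing to export")
    return mc, mo


if __name__ == "__main__":
    for table in mask_dataset(CUSTOMERS, ORDERS):
        for row in table:
            print(row)
```

The design point is that the masking job, not the development environment, holds the key: developers get a copy in which the same customer is consistently the same token, so their joins and tests still work, but nothing in that copy can be turned back into a real person. Reversible encryption belongs to the production controls the regulations above are concerned with, and its key must never travel with the masked copy.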

By making the masking and encryption of personal data standard practice, rather than an occasional one-off exercise, the question of whether this regulation or that regulation is being followed reduces to one set of controls that can be mapped to each of them, instead of a fresh worry every time a new law appears.

There are two further benefits as well.

Firstly, attackers often target environments like development and testing rather than production, because the controls there are less stringent. If those environments hold only masked data, a breach of them exposes far less, provided the masking is irreversible (or the key that reverses it never leaves production) and is applied before the copy is made rather than after.

And secondly, if data masking is the norm rather than the exception, compliance with this element of any data privacy regulation can be demonstrated immediately.

As Gartner recommends in its July 2018 Market Guide for Data Masking: “Security and risk management leaders responsible for data security and compliance should mitigate the risk of data that enables their organizations’ digital business transformation by adopting data masking and complementary technologies, such as format-preserving encryption and tokenization as a key strategy.”