No matter what industry you work in, cybersecurity is essential to protect sensitive company and consumer information.
Different industries have specific cybersecurity regulations they are required to meet depending on the type of data they use and store. This post will serve as a brief overview of some of the main US cybersecurity regulations by industry.
HIPAA Compliance
Perhaps the best-known cybersecurity compliance standard is the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA establishes the cybersecurity standards for all healthcare organizations and insurers, as well as third-party service providers.
This standard enforces protection for all personal health information provided by patients to their medical providers, whether digital or in any other form. HIPAA compliance services provided by experienced IT experts familiar with these regulations can help businesses achieve full compliance and protect their data.
CMMC Compliance
CMMC is the cybersecurity standard that applies to sensitive information obtained by all contractors who provide services to the Department of Defense. These requirements have been set up in the Defense Federal Acquisition Regulation Supplement, also known as DFARS, and its Procedures, Guidance, and Information, or PGI.
The purpose of DFARS is to outline all cybersecurity standards that third-party contractors are required to meet and follow before they do business with the Department of Defense, in order to keep sensitive defense information protected.
In 2020, the Cybersecurity Maturity Model Certification (CMMC) was announced. It builds on the framework set up by previous DFARS requirements and will eventually replace this standard, becoming the new standard for protecting controlled unclassified information (CUI).
These federally mandated guidelines are very strict, requiring companies to undergo a 110-point assessment, complete a plan of action, report their scores, prepare for potential audits, and ensure that subcontractors and other organizations in the supply chain are CMMC compliant as well. Because of that, many Department of Defense contractors are turning to companies who specialize in IT services for DoD contractors so they can stay on top of the latest changes and remain eligible for DoD contracts.
Law Firm Compliance
Law firms are a prime target for cyber attacks because they often store sensitive information, such as personal data and financial records, on behalf of their clients. Last year 25% of law firms reported being the victim of a successful data breach.
The American Bar Association’s Model Rules of Professional Conduct require lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Law firms are also subject to state regulations, which vary from state to state. For example, in California, law firms have to make sure they comply with the California Consumer Privacy Act (CCPA).
The National Institute of Standards and Technology (NIST), a non-regulatory agency, provides a complete set of guidelines for cybersecurity regulations for US federal agencies. NIST is responsible for setting the standards that organizations must meet to be compliant with federal cybersecurity laws. Complying with the NIST Cybersecurity Framework is not required for law firms but is considered best practice.
PCI DSS Compliance
Although data security requirements in the retail sector are not federally regulated, the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS) is set and maintained by the major credit card companies.
This standard applies to all organizations that process card payments or hold any payment card data, and it involves answering questions regarding passwords and authentication, how data is transmitted, how customer information is shared, etc., as well as passing a PCI security scan.
All retailers that make credit card transactions fall under PCI DSS. If a company fails to comply with these regulations, it can be fined between $5,000 and $100,000 per month by its credit card company, and it may lose its merchant account with its banking institution.
Consumer Data Compliance
Out of the 50 U.S. states, 47 have currently enacted cybersecurity compliance standards that require organizations to notify the state about any security breach that may have compromised consumer data.
For example, if a company stores sensitive data (including customers’ social security numbers and payment information) and a breach occurs, the organization must notify all affected people. The Federal Trade Commission (FTC) can also penalize organizations who fail to protect consumer information adequately.
In states with applicable regulations, these data laws apply to all companies that use or store customer data, specifically personal identifying information (PII) such as social security numbers, driver’s license numbers, financial account numbers, etc. There are several data regulations in Colorado that limit how PII can be used and stored.
Insurance Compliance
Cybersecurity compliance regulations for insurance vary from state to state. However, we are seeing much more interest in adding regulations to this sector recently, signaling that it could become an even more highly regulated field in the future. In fact, the New York State Department of Financial Services (DFS) has recently proposed new cybersecurity regulations for financial organizations and insurance companies.
Energy Sector Compliance
In the energy sector, the Federal Energy Regulatory Commission (FERC) has the authority to establish cyber regulations for electric utility companies and operators. These standards are created by a nonprofit authority called the North American Electric Reliability Corporation, or NERC, and are known as the Critical Infrastructure Protection (CIP) Standards.
Expert IT Compliance Services
Failure to comply with established regulations can lead to expensive fines, legal action, data breaches, and reputational loss—no matter your industry. Luckily, you have cybersecurity and IT compliance experts on your side to ensure you remain fully compliant, even when standards change or new solutions become available.
To learn more about cybersecurity regulations and compliance, and what your company can do to ensure you are always meeting the necessary standards, contact TrinWare today to meet with one of our cybersecurity and compliance experts.