Compliance
Compliance Management
Compliance Solutions For Your Business
2 Dog Digital specializes in all of the required compliance needs and certifications for your business
Every business is required to adhere to some sort of governmental rules and regulations. Some are better known, such as paying taxes or government privacy laws. Others are a bit more obscure, and many businesses will never have to pay attention to them. While many people have heard of HIPAA in healthcare, they may not be as familiar with the Gramm-Leach-Bliley Act (GLBA) or why it is important to any financial institution.
Solutions
Is Your Business Compliant?
- Privacy – What is protected, who can share it and who can use it
- Security
- Notification
Credit card companies require the Payment Card Industry Data Security Standard (PCI DSS) to help ensure that credit card transactions are as secure as possible and to protect cardholder data. This standard applies to anyone who processes, stores, or transmits cardholder data. Does your business accept credit cards? Then PCI DSS applies to your business.
PCI DSS is broken into six major steps:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The National Institute of
It provides a secure set of cybersecurity standards and processes for securing sensitive information. It is a self-assessment that must be maintained at all times using vulnerability scans, documentation, training, patch management and more.
The NIST 800-171 standard is broken into 14 major areas of control, including Access Control, Incident Response, Physical Protection and more.
First going into effect in May 2018, the General Data Protection Regulation (GDPR) is designed to protect the personal data of all citizens in the European Union (EU). Any company that does business with citizens and residents of the EU needs to follow this standard. Due to its principle of "extra-territorial effect," GDPR is not limited to European businesses only. Also, the California Consumer Privacy Act (CCPA) is the US equivalent of the GDPR.
GDPR is broken down into seven principles:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitations
- Integrity and Confidentiality
- Accountability
In today's digital landscape, Cyber Insurance has gone from a luxury to a necessity. In 2022, over 80% of cyber insurance claims were from ransomware. More than 25% of all claims were denied due to exclusions in the policies. Basically, if you did not do everything your policy required of you, your claim was denied. When you try to renew your cyber insurance, you are more likely to be denied than ever before, and if you do get it, it is likely to be much more expensive. In 2022, the cyber insurance market was $8 billion. It is expected to be over $20 billion by 2025.
But wait, you have an IT company, and they are watching out for your company, right? Well, in the last year, we have found that almost 60% of companies receiving a cyber insurance audit had holes in their cyber security. This stems from a combination of reasons, such as an IT company not providing the required services, not understanding the necessary cyber security needs, etc. Do not become just another statistic.