Prominent regulations governing the requirement to protect and encrypt data include:
General Data Protection Regulation (Regulation (EU) 2016/679)
Focus: Handling of Personal Information
Scope: Global for data of EU citizens
Repercussions: Severe; penalties of up to 4% of worldwide turnover
The new EU data protection regime extends the scope of EU data protection law to all foreign companies processing data of EU residents. It harmonizes data protection regulations throughout the EU, making it easier for non-European companies to comply; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
Data Protection Act (DPA) of 1984 (Amended 1998)
Focus: Handling of Personal Information
Scope: United Kingdom – Applicable to all businesses & government
Repercussions: Data forfeit and criminal and civil penalties
UK Parliament mandate dealing with proper disclosure of information, rights of access to information, transmission and processing, and proper protective measures.
Health Insurance Portability and Accountability Act (HIPAA)
Focus: Protection of electronic patient healthcare data and information.
Scope: Global. Applicable to all health industry, pharmaceuticals and support industry.
Repercussions: Criminal and Civil for exposure of data or fraudulent behaviour.
HIPAA addresses the implementation of administrative, physical, and technical safeguards for electronic protected health information (ePHI).
Bundesdatenschutzgesetz (BDSG)
Focus: Protection of private information
Scope: Germany – Applicable to all businesses & government
Repercussions: Various penalties for misuse.
Germany’s Federal Data Protection Act has been revised several times over the last four decades and exists to regulate the collection and dissemination of personal data by public and private organizations. The regulation covers a broad range of use cases and sets out penalties for misuse.
European Union (EU) Directive 95/46/EC
Focus: Protection of private information
Scope: European Union – Applicable to all businesses & government
Repercussions: Not specifically stated.
Personal data can only be processed when three basic conditions are met:
1. The person is informed of the processing (transparency).
2. The processing is for a legitimate purpose.
3. The data processed is in proportion to the actual purpose.
Brief mention is made directing responsible parties (processors) to take care in securing the data and ensuring confidentiality.
Article 17: Security of Processing. Member states shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Payment Card Industry Data Security Standard (PCI DSS)
Focus: Protection of payment card data (credit/debit cards) during processing, transmission and storage
Scope: Global. Originally specified by Mastercard and Visa and accepted by other card companies as well.
Repercussions: Significant fines for non-compliance and potential loss of payment card capabilities.
PCI DSS requirements are only applicable if a Primary Account Number (PAN) or specific track data is stored, processed, or transmitted.
Gramm-Leach-Bliley Act (GLBA)
Focus: Protection of private data in the financial services industry.
Scope: USA for banking and financial services.
Repercussions: Significant fines and potential criminal charges.
Section 505 in Subtitle A and Section 521 in Subtitle B describe the specific agencies and types of organisations mandated to protect the security and confidentiality of consumer nonpublic personal information (NPI). These organisations include US national banks and Federal branches of foreign banks, member banks of the Federal Reserve System, credit unions, and any association insured by the Federal Deposit Insurance Corporation (FDIC).
Sarbanes-Oxley Act (SOX)
Focus: Protection of sensitive data related to financial reporting in public companies. Provides guidance for public companies in designing and reporting on the controls in place for protecting financial information.
Scope: Global for all businesses.
Repercussions: Civil and criminal for exposure of data or fraudulent behaviour.
DS5.7 Protection of Security Technology: Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
DS5.8 Cryptographic Key Management: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
DS11.6 Security Requirements for Data Management: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, organisational security policy, and regulatory requirements.
Basel II Accord
Focus: International standard for operational and financial risk management for banking institutions.
Scope: Global for all banking.
Repercussions: Requirements to reserve greater levels of operating capital, less favourable pricing in financial markets.
There are three pillars of risk management under Basel II. The first pillar is concerned with financial and liquidity risk, describing how banks and financial institutions can prepare for credit, operational, and market-driven risks. The second and third pillars discuss regulator interaction with financial institutions, numerous other types of risk, and responsible disclosure.
Financial Instruments & Exchange Law of 2006
Focus: Protection of sensitive data related to financial reporting in public companies. Enhancement of internal controls over financial reporting data.
Scope: Japan. Banking and Financial services.
Repercussions: Heavy penalties.
The law also defines the maximum criminal penalties for various forms of market fraud and expands the scope of penalties for criminal and fraudulent behaviour.
ISO 27001 Specification
Focus: Demonstrates that your business has systems in place to protect corporate information and data, whether this is online or offline.
Scope: Global
It is a specification for an information security management system (ISMS) and was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The Markets in Financial Instruments Directive (MiFID) & MiFID II (extends the MiFID requirements)
Focus: EU legislation that regulates firms providing services to clients linked to ‘financial instruments’ (shares, bonds, units in collective investment schemes and derivatives), and the venues where those instruments are traded.
Scope: Framework of the European Union, United Kingdom
As an EU regulation, MiFIR is binding in its entirety and directly applicable; its content becomes law in the UK without the need for domestic legislative intervention. MiFID II is made up of MiFID (2014/65/EU) and the Markets in Financial Instruments Regulation (MiFIR – 600/2014/EU).