Compliance

There are many regulations and compliance requirements in effect that relate to the protection of sensitive, confidential or private data. Some of these regulations focus on protecting information for specific industries and some on how information disclosure takes place. These regulations and compliance requirements take account of data loss incidents and, more generally, privacy attributes.

Across all of these regulations, the main concern is the protection of data when it is stored, during transmission, and when it moves across networks. Some of these regulations make specific recommendations of technologies that must be used to achieve compliance. However, for all of these regulations, as long as proper encryption is in place, most of their requirements are satisfied. If you identify the data that needs protection, locate the information that is in transit, and then implement proper encryption, you can significantly improve your security compliance posture across all of these regulations.

Galaxkey is the perfect product to cover all encryption needs for data at rest and in transmission. The following section lists compliance requirements and regulations from around the world. Each is region specific and dictated by the law of the land.

Most data falls into one of the following categories:

  • Financial or Banking data
    • All data that include your personal financial information
    • Credit card information
    • Bank account numbers
    • Financial data of public companies
    • Insurance details
    • Credit ratings
    • Invoices
  • Private Individual data
    • Social security numbers
    • Individual addresses
    • Personally identifiable data that could potentially be used for identity theft
    • KYC data
  • Military and Government data
    • All data specific to government programmes, in particular data related to policies
    • All military data pertaining to national security
  • Business sensitive data
    • Trade secrets
    • Research
    • Business intelligence data
    • Management Reports
    • Corporate business information for IT configurations
  • Personal health data
    • Confidential patient information
    • Patient address details
    • Patient reports and records

In almost all countries the above categories are subject to strict regulatory compliance requirements which incur heavy penalties on failure. The regulations target:

  • Data at rest – Network storage, file storage, desktop machines, mobile phones and any device that is capable of holding information. This also includes archived data.
  • Data in transmission – Any data being sent via the internet or any other medium where electronic transmission takes place.

The following are some of the prominent regulations worldwide that govern the need to encrypt data both at rest and in transmission. Galaxkey provides an ideal solution to help industry comply with these regulations.

General Data Protection Regulation (Regulation (EU) 2016/679)

Focus: Handling of Personal Information
Scope: Global for data of EU citizens
Repercussions: Severe and penalties of up to 4% of worldwide turnover

The new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.

DATA PROTECTION ACT (DPA) OF 1984 (AMENDED 1998)

Focus: Handling of Personal Information
Scope: United Kingdom – Applicable to all businesses & government
Repercussions: Data forfeit and criminal and civil penalties

A UK Parliament mandate dealing with the proper disclosure of information, rights of access to information, transmission and processing, and proper protective measures.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

Focus: Protection of electronic patient healthcare data and information.
Scope: Global. Applicable to all health industry, pharmaceuticals and support industry.
Repercussions: Criminal and civil penalties for exposure of data or fraudulent behaviour.

HIPAA addresses the implementation of administrative, physical, and technical safeguards for electronic protected health information (ePHI).

BUNDESDATENSCHUTZGESETZ (BDSG)

Focus: Protection of private information
Scope: Germany – Applicable to all businesses & government
Repercussions: Various penalties for misuse.

Germany’s Federal Data Protection Act has been revised several times over the last four decades and exists to protect the collection and dissemination of personal data by public and private organizations. The regulation deals with a broad range of use cases and penalties for misuse.

95/46/EC EUROPEAN UNION (EU) DIRECTIVE

Focus: Protection of private information
Scope: European Union – Applicable to all businesses & government
Repercussions: Not specifically stated.

Personal data can only be processed when three basic conditions are met:

  1. The person is informed of the processing (transparency)
  2. The processing is for a legitimate purpose
  3. The data processed is in proportion to the actual purpose

Brief mention is made directing responsible parties (processors) to take care in securing the data and ensuring confidentiality.

Article 17: Security of Processing – Member states shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Focus: Protection of payment card data (credit/debit cards) during processing, transmission and storage
Scope: Global. Originally specified by Mastercard and Visa and accepted by other card companies as well.
Repercussions: Significant fines for non-compliance and potential loss of payment card capabilities.

PCI DSS requirements are only applicable if a Primary Account Number (PAN) or specific track data is stored, processed, or transmitted.

GRAMM-LEACH-BLILEY ACT (GLBA)

Focus: Protection of private data in the financial services industry.
Scope: USA for banking and financial services.
Repercussions: Significant fines and potential criminal charges.

Section 505 in Subtitle A and Section 521 in Subtitle B describe the specific agencies and types of organisations mandated with protecting the security and confidentiality of consumer nonpublic personal information (NPI). These organisations include US national banks and federal branches of foreign banks, member banks of the Federal Reserve System, credit unions, and any institution insured by the Federal Deposit Insurance Corporation (FDIC).

SARBANES-OXLEY ACT (SOX)

Focus: Protection of sensitive data related to financial reporting in public companies. Provides guidance for public companies in designing and reporting on the controls in place for protecting financial information.
Scope: Global for all businesses.
Repercussions: Civil and criminal for exposure of data or fraudulent behaviour.

DS5.7 Protection of Security Technology: Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
DS5.8 Cryptographic Key Management: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
DS11.6 Security Requirements for Data Management: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, organisational security policy, and regulatory requirements.

BASEL II ACCORD

Focus: International standard for operational and financial risk management for banking institutions.
Scope: Global for all banking.
Repercussions: Requirements to reserve greater levels of operating capital, less favourable pricing in financial markets.

There are three pillars of risk management under Basel II. The first pillar is concerned with financial and liquidity risk, describing how banks and financial institutions can prepare for credit, operational, and market-driven risks. The second and third pillars discuss regulator interaction with financial institutions, numerous other types of risk, and responsible disclosure.

Financial Instruments and Exchange Law of 2006

Focus: Protection of sensitive data related to financial reporting in public companies. Enhancement of internal controls over financial reporting data.
Scope: Japan. Banking and Financial services.
Repercussions: Heavy penalties.

The law also defines the maximum criminal penalties for various market frauds and expands the scope of penalties for criminal and fraudulent behaviour.