Pexels / Pixabay
Every day, the public entrusts sensitive personal information to industries that use cloud-based computing. Whether by visiting a doctor, buying groceries, using an ATM, or other means, people give their data to companies in countless ways.
The responsibility for understanding and enforcing the laws and policies that protect the public’s private information falls on industry leaders, and certain industries are under more scrutiny than others.
Why Business Owners Must Care About Cloud Regulations
The cloud is a relatively new technology, so laws are catching up to implementation. The legal requirements for collecting, storing, and protecting information — in the cloud and elsewhere — vary by industry. The laws can differ at state, federal, and international levels and are subject to frequent changes. To add more confusion, regulations are often inconsistent or contradictory.
Many companies fail to comply or fall out of compliance because the regulations are often verbose, lengthy, hard to read, redundant, and ambiguous. They are laws written for lawyers, not for business owners.
Still, according to the National Institute of Standards and Technology, organizations are fully responsible for all compliance-related issues. The cost of not being compliant is steep: penalty fees, lawsuits, and a bad business reputation.
Companies and service providers are expected to be 100 percent compliant, and they are often required to comply with more than one regulation. It is widely noted that a lack of standard tools exists to assist companies in implementing new software systems.
Regardless, the intentions of these regulations are paramount: They offer greater protection and enhanced security to consumers by administering essential attributes such as confidentiality, integrity, availability, and accountability.
Let’s take a look at a few industries that have strict privacy laws and how leaders can get their businesses compliant — and stay that way.
1. Credit card industry
A report published in late 2017 by Clutch (a B2B research, ratings, and reviews firm) says that at least 60 percent of businesses are not compliant with industry regulations for the cloud storage security of customer payments and banking information. The Payment Card Industry Data Security Standards Council (PCI) calls for compliance by companies that handle cardholder data included on debit, credit, prepaid, ATM, and point-of-sale cards.
Small businesses falling short can increase security by training their employees, adding two-factor authentication, and implementing different forms of data encryption. But that’s just to start. Among its 12 major rules to protect cardholder data, PCI recommends that only authorized users have access to manage cardholder data. Other recommendations include:
· Installing firewalls
· Resetting default password and security parameters
· Updating virus protection
Recommended for You
Webcast, December 18th: Optimizing Customer Engagement with User Intent
· Encrypting transmissions across open, public networks
· Tracking and monitoring all access to network resources and cardholder data
2. Healthcare industry
Few bundles of data and their security matter more to an individual than what’s contained within medical files. HIPAA oversees compliance of the healthcare industry and intends to ensure the security and privacy of protected health information, which includes patient medical records, credit, insurance, employment, other personal data, and any related information that helps to identify an individual.
HIPAA laws aim to hold two groups accountable: First are covered entities, such as healthcare providers, insurers, and clearinghouses — managers of billing services and those who process medical records from other systems. Second, business associates include those who transfer, store, and service protected health information on behalf of covered entities — for example, an IT service or a cloud provider.
Any company adopting a cloud-based healthcare solution cannot become compliant without securely handling and protecting its data. The appropriate security must be implemented for the cloud solution and be built into the underlying cloud service monitoring and management processes. The process becomes expensive and time-consuming if tried alone.
However, choosing a cloud service provider that provides physical, administrative, and technical safeguards can answer questions and satisfy most compliance issues. These providers can ensure data encryption (in transit and at rest) along with encryption key management. They handle mobile device authentication, two-factor authentication, and the proper storage and disposal of data, along with access to personal data by the consumer and/or the data’s owner.
3. Financial institutions
In order to comply with the Financial Services Modernization Act of 1999, financial institutions must communicate to their customers how they share sensitive data. They must inform customers of their right to opt-out if they wish that their personal data not be shared with third parties. Financial institutions must also apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
The law requires that companies develop a written information security plan that describes their program to protect customer information. Here are a few guidelines about how to stay in compliance:
· Limit access to customer information to employees who have a business reason to see it.
· Control access to sensitive information by requiring employees to use tougher passwords that must be changed on a regular basis.
· Develop policies for appropriate use and protection of laptops, PDAs, cellphones, or other mobile devices.
· Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.
· Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach — but also know what to do if one occurs.
Although a set of standard tools that decode laws designed to protect data privacy would be welcome across industries, it remains incumbent on business leaders to learn how to enforce the laws with the tools they already possess. Business owners need to be aware of these regulations and know how to keep their cloud-based security measures compliant. No hassle is too burdensome if it means preventing sensitive information from being compromised by pirates.
