Cyber incidents across industries are on the rise, and regulators have struggled to keep pace with the growing problem. In the past three years, more than 200 bills, amendments, and legislative proposals have been introduced in Congress to address the cyber security issues facing American industries. Information security, traditionally viewed as a concern for IT departments alone, is an issue that needs to be addressed in every department of a company, and regulators have been working to make sure that happens.
Most major companies today are subject to a multitude of regulations at both the state and federal levels. It can be difficult to discern which regulations apply to which companies, since a given federal or state regulation may apply to one industry, several, or all of them. Companies need to take particular care in determining which regulations apply to them, as the penalties for non-compliance can be steep.
One such law that touches most, if not all, industries is the Cybersecurity Act of 2015. On December 18, 2015, the President signed into law the omnibus appropriations and tax bill that included the Cybersecurity Act. Essentially, the act establishes a framework for how federal departments and agencies, state, tribal, and local governments, and private companies receive and share information about cyber threats. With respect to private companies, the act provides a safe harbor from civil liability for sharing cyber threat indicators and defensive measures; however, that sharing must be conducted according to the act’s provisions (including its requirements to remove personal information not directly related to the threat) for a company to qualify for the safe harbor. The act has a complex framework because of the number of entities it touches, but it is a step in the right direction in the effort to protect against cyber attacks.
Certain industries, such as the financial sector and the healthcare industry, must comply with complex webs of federal and state regulations. It is important to recognize which regulations apply to which companies, because regulators are actively checking that companies have policies and procedures in place to protect information security.
The financial services sector is one of the most heavily regulated. The Federal Financial Institutions Examination Council (FFIEC) is empowered to prescribe uniform principles, standards, and report forms for examinations conducted by the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. The FFIEC publishes cyber security guidance for financial institutions (including its Cybersecurity Assessment Tool, released in 2015, which institutions use to measure their inherent risk and control maturity), and the member agencies expect the institutions they supervise to adhere to that guidance and strengthen their cyber security programs against a wide range of attacks.
The FFIEC is not the only entity issuing cyber security guidance for financial institutions. In 2015, the SEC released a guidance update to help registered investment advisers and funds create effective cyber security policies and procedures. The Commodity Futures Trading Commission (CFTC) is another regulator focused on cyber security; its system safeguards rules now require the exchanges, clearinghouses, and data repositories it oversees to conduct five types of cyber security testing: vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment. Additionally, financial institutions are subject to laws such as the Gramm-Leach-Bliley Act (GLBA), which allows insurance companies, commercial banks, and investment banks to operate within the same holding company and mandates that those companies protect the security and confidentiality of non-public customer information.
There are many more federal and state regulations that financial institutions must comply with, including the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the FTC’s Safeguards Rule under GLBA. All of these laws govern how financial institutions store, use, receive, and transmit client information. Federal and state regulators take enforcement of these rules extremely seriously, and non-compliance can lead to very high penalties.
Healthcare is an industry notorious for the strict regulations it must comply with. By some industry reports, healthcare organizations face at least one cyber attack per month, and half of all healthcare organizations have had patient data lost or compromised in the last year. That is a considerable amount of risk for patients, who can only obtain care by handing over their personal information. Healthcare entities have also been reported to leave known risks unaddressed for up to three months after discovering them.
Healthcare is considered important enough that it is the only sector explicitly addressed in the Cybersecurity Act of 2015 discussed above. The Act required the Department of Health and Human Services to establish a task force that will submit a report to Congress by December 2016 outlining the preparedness of both the Department and the industry to respond to cyber attacks. Ideally this will bring the healthcare industry’s cyber security into focus and prompt more proactive procedures to protect sensitive and regulated information.
While the Cybersecurity Act is the most recent piece of federal legislation to single out healthcare, there is a long list of other regulations and laws that demand strict compliance. HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act) are two of the more prominent, and both have been making waves in recent years. Both laws address the privacy and security of patient information: HIPAA’s Security Rule requires covered entities to perform a risk analysis and implement administrative, physical, and technical safeguards for electronic protected health information, and HITECH extended those obligations directly to business associates and added breach notification requirements. They are enforced primarily by the HHS Office for Civil Rights (OCR), and HITECH also authorizes state attorneys general to bring HIPAA enforcement actions; the Federal Trade Commission (FTC) separately polices health data practices that fall outside HIPAA under its own authority.
The healthcare sector holds a great deal of sensitive information about individuals that must be protected, and the regulations in place must be complied with in order to keep patients safe from increasing cyber attacks. While the regulations mentioned here are the ones currently in the spotlight, there are many more, and participants in the healthcare industry must be ready to comply with each of them.
With cyber attacks growing in number, it is extremely important for any company to understand how to comply with cyber security regulations in order to mitigate risk. Companies should adopt policies and procedures that fit their corporate plan while remaining in strict compliance with both federal and state regulations. Many cyber attacks, and many regulatory fines, can be avoided by taking the time to understand your company’s cyber security needs and implementing appropriate precautions.
By Katie Evans | McCullough Sudan PLLC