With the European Union’s General Data Protection Regulation coming into effect and California enacting its landmark consumer law, 2018 was a watershed year for data privacy regulations. Many industry experts believe this indicates a new trend — regulators are paying attention to the implications of a data-driven world.
For businesses, compliance is one of the most challenging parts of digital transformation. In a recent survey by Deloitte, 1,600 C-level executives identified the changing regulatory environment as the top issue that will have the biggest impact on their organizations in the next five years.
Complying with an alphabet soup of regulations is not only becoming more complex but also more expensive. A Ponemon/Globalscape study estimated the average cost of compliance with data regulations at $5.47 million in 2017, up 43 percent from 2011.
The cost of noncompliance is even steeper. The study put the price of noncompliance for an organization at $14.82 million, a 45 percent increase from six years prior.
For some industries, GDPR and the California Consumer Privacy Act of 2018 will add to an already hefty burden of industry regulations. Here’s a roundup of five industries that must adhere to strict data compliance.
Healthcare
In the Ponemon study, healthcare organizations saw the highest growth in compliance costs, 106 percent. One contributing factor may be the stepped-up enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA applies to entities such as healthcare providers and health insurers, as well as their business associates. HIPAA’s Privacy Rule requires administrative, technical and physical safeguards for protected health information (PHI) that is collected, stored or transmitted in any medium.
The Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, recently announced the largest noncompliance settlement to date: $16 million against health insurer Anthem. This makes 2018 the new record year for HIPAA fines. In total, the penalties have surpassed $100 million so far.
Banking and Finance
According to the Ponemon study, compliance is most expensive for financial organizations, which pay an average of $30.9 million a year. That’s not surprising. The financial industry has the most complex set of data regulations of any sector. Among them are:
- The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act — requires safeguards to protect the security and confidentiality of consumers’ personal records
- Payment Card Industry Data Security Standard (PCI-DSS) — protects cardholders’ data as it’s processed, stored and transmitted
- New York Department of Financial Services cybersecurity regulation (23 NYCRR 500) — requires a broad range of entities (including banks, lenders and insurance companies) that are licensed under DFS, regardless of their geographic location, to adopt a robust cybersecurity program
- Sarbanes-Oxley Act (SOX) — enforced by the Securities and Exchange Commission, SOX mandates internal accounting controls and safeguarding of financial data
- National Credit Union Administration (NCUA) rules — mandate protection of customer records for federally insured credit unions
- Fair and Accurate Credit Transactions Act (FACTA) — requires various controls for preventing identity theft, including for how consumer credit reports are handled
Pharmaceuticals and Life Sciences
Regulated by the Food and Drug Administration (FDA), pharmaceutical and life sciences companies have to pay special attention to the integrity of their data. According to the industry journal R&D, the number of FDA warning letters citing data-integrity infractions doubled from 2015 to 2016.
Title 21 of the Code of Federal Regulations, Part 11, known as 21 CFR 11, applies specifically to electronic records. It mandates secure — and auditable — systems for creating, maintaining, modifying, retrieving, archiving and transmitting those records.
Retail
In addition to financial institutions, retail businesses are also subject to PCI-DSS. According to Ponemon’s compliance cost survey, business leaders rank this regulation as the second most difficult to achieve, behind only GDPR, out of 16 categories.
PCI-DSS has numerous rigid standards, and the audits are consequently tedious. Many merchants spend so much time and energy on being compliant at the time of the audit that they fail to maintain compliance the rest of the year. In fact, Verizon research based on actual assessments back in 2013 showed that only 11 percent of retailers managed to remain compliant between assessments.
Government and Publicly Funded Organizations
Publicly funded or government organizations are subject to several data regulations. Examples include:
- Federal Information Security Management Act (FISMA) — provides a comprehensive framework for protecting information against natural and man-made threats
- Family Educational Rights and Privacy Act (FERPA) — mandates student data protection for all educational institutions that receive federal government funding
- Federal Information Processing Standard 140-2 (FIPS 140-2) — sets security requirements for the cryptographic (encryption) modules used by nonmilitary government agencies
Digital transformation is ushering in a new era of digital integration, and that could prove a game changer for regulators. Several federal agencies, including the Federal Trade Commission as well as the U.S. Congress, are constantly discussing new ways of protecting consumers’ information.
Organizations have to be tuned in to state as well as federal activity. Other states are bound to follow trendsetters like California and New York in the next few years. As these new efforts come to fruition, more industries will face data compliance challenges.