Businesses and organizations bear the biggest liability and the greatest monetary damage from identity theft and fraud. If you collect, use, transmit, or store information about your customers or members, you must comply with the laws and regulations described below.
While not every law or regulation applies to every business, every business must meet minimum standards of information security or face steep fines, penalties and even civil action in the event that customer, vendor or employee information is leaked, lost or stolen.
InfoSafe is the leading information security compliance and certification program, helping businesses to meet these requirements and best practices in a single overall, easy to implement, and affordable compliance program.
Becoming InfoSafe Certified means your business meets or exceeds the minimum recommended standards and requirements for protecting your customers’ and employees’ personal information against identity theft and fraud. It also shows your commitment to doing business the right way, with a genuine commitment to privacy, safety and trust.
Given that virtually all companies are subject to several laws’ requirements and penalties, it is critical that you move toward compliance immediately. Those that choose not to implement the necessary technical and administrative safeguards are placing their customers, employees and themselves at significant risk.
You become InfoSafe Certified by enrolling in the InfoSafe program and working with your InfoSafe team to implement and then maintain the necessary administrative, physical and technical safeguards required for compliance with virtually all major federal, state and industry regulations including:
- Red Flags Rule
- PCI Compliance
- HIPAA / HITECH
- Gramm-Leach-Bliley Act (GLBA)
- State data breach protection laws
InfoSafe Certification signifies a company’s genuine commitment to protecting its customers’ and employees’ private information against identity theft and fraud. Consumers can work, play and shop with confidence with businesses that rely on InfoSafe information privacy and security services.
Here is a brief overview of major laws and regulations every business owner must know.
Red Flags Rule
Under the Red Flags Rule, certain businesses and organizations are required to spot and heed the red flags that can often be telltale signs of identity theft. To comply with the new Red Flags Rule you must develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.
Applies to: Anyone who arranges for or extends credit or payment terms, or who provides products or services and bills or invoices the customer.
Penalties, Fines: Up to $3,500 per violation, plus attorneys’ fees. The FTC can seek both monetary civil penalties and injunctive relief for violations. The rule also gives consumers the right to recover actual damages.
PCI Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for protecting card and cardholder information against theft and fraud.
PCI compliance is a multifaceted security standard that includes specific requirements for protection of cardholder data, implementation of a vulnerability management program, regular security testing, access control measures, and maintaining an information security policy.
Applies to: Anyone who accepts, processes, transmits or stores credit/debit card information, including retail, mail/telephone order, and e-Commerce.
Penalties, Fines: Up to $10,000 on the first violation for not implementing required safeguards. Visa Fraud Control fines of up to $500,000 per incident for any merchant or service provider that is compromised and not compliant at the time of the incident. Fines and penalties vary depending on your acquiring bank and the card brands you accept.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) requires businesses and organizations to protect consumers’ personal financial information. Provisions of this law require the implementation of privacy policies and notices under the FTC’s Privacy Rule, plus formalized security plans and adequate information safeguards under the FTC’s Safeguards Rule. The law also includes provisions for criminal negligence. Since most personal financial information is computerized, proper data security is a major part of GLBA compliance.
GLBA gives authority to eight federal agencies and every state to enforce the privacy and safeguards rules outlined in this law.
Applies to: A broad list of “financial institutions”, loosely defined as anyone in financial services or products in any way, such as banks, insurance agents/firms, securities firms, lenders of any type, loan brokers or servicers, financial planners, accountants, tax preparers, real estate professionals, credit counselors, debt collectors, money transfer agents, and many more.
Penalties, Fines: Up to $100,000 for each violation. Owners and officers are personally liable for up to $10,000 per violation. Severe civil and criminal penalties apply for fraud and negligence, including fines and even imprisonment.
Health Insurance Portability and Accountability Act (HIPAA)
Under HIPAA, all organizations that record, maintain, or transmit personal health information are required to ensure that all patient information is kept confidential, secure, and readily available. HIPAA requires patient medical records and other protected health information to be kept private and confidential.
Applies to: All types of healthcare-related organizations such as doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies, and more. It also includes health insurance companies and businesses that support healthcare organizations – such as online backup providers, billing agencies and organizations that support Internet-based health services.
Penalties, Fines: The penalties for non-compliance range from a minimum of $100 per violation to a maximum of $1.5 million per year. Possible criminal negligence and fraud prosecution, up to 10 years in prison.
State Data Breach Protection Laws
Virtually every state has laws requiring businesses to implement proper technical and administrative safeguards to protect customer information against identity theft and fraud.
States are becoming increasingly aggressive at requiring specific practices and safeguards such as having a documented security plan, regular vulnerability risk assessments, updated and monitored computer security systems, data encryption, and most commonly, an incident response plan to notify customers of a breach and to remedy the situation.
Many state laws focus on the “insider threat” of employee misuse of personal information by requiring businesses to develop and implement data protection policies, employee awareness training, ongoing compliance monitoring, and disciplinary standards for willful privacy violations.
State laws also reach across state lines. A business with customers in other states must comply not only with its own state’s laws but also with the information security and breach notification laws of every state where its customers reside.
Applies to: Any business or organization, small or large, that gathers, licenses, transmits, or stores any form of personal information about its customers, including name, Social Security number, credit card information, driver’s license number, account numbers, birth date, health information, financial information, and more.
Penalties, Fines: $500 to $5,000 in fines per customer record lost or stolen, depending on the state. Civil penalties of up to $500,000 apply in most states for failure to safeguard personal data, to dispose of such data properly, or to provide adequate privacy protections. Reckless or negligent disclosure of customer or employee personal information generally results in criminal penalties with severe fines and 1 to 3 years of jail time.