Compliance 101
Overview
No matter the company size or industry, all organizations have laws and regulations they must comply with. Compliance is the “action of complying with a command.” In practice, it is the set of activities that ensure your organization follows all applicable laws, regulations, standards, and practices for its industry. The laws, regulations, and guidelines established by third-party bodies exist to protect the organization’s employee and consumer data.
A good compliance program reduces your exposure to risks and liability, which goes a long way in building trust for your brand in the market, and that is a HUGE differentiator!
Why is compliance important and necessary?
Enforcing compliance helps protect your company from regulatory rule violations, which can result in hefty fines and lawsuits. It is therefore in a company’s best interest to make compliance a focus and a continuous process. The need to comply can also come from your customers, your company’s size or location, or your industry. Each industry has its own set of regulatory compliance guidelines. For example, specific guidelines exist for a company in the food industry that would not be suitable or applicable to a Software as a Service (SaaS) company.
At TrustCloud, our primary focus is on the security and privacy regulatory compliance space, which has grown rapidly in the last couple of years. The rapid expansion and proliferation of cloud computing have moved the need for data security to the top. Businesses of all sizes have adopted cloud services to help improve their services and for cost savings. As such, the regulatory bodies have responded by increasing the volume of laws, regulations, and standards for security and privacy. Some examples of security and privacy compliance guidelines include, but are not limited to:
- International Organization for Standardization (ISO) Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- National Institute of Standards and Technology (NIST)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- European Union General Data Protection Regulation (EU GDPR)
- California Consumer Privacy Act (CCPA)
- Sarbanes-Oxley Act (SOX)
- System and Organization Controls (SOC)
Below, we will cover each of these in a bit more detail.
Common compliance laws, regulations, and standards
- GDPR – For any organization, wherever it is located, that processes the personal data of individuals in the EU. GDPR has specific requirements for the collection, processing, and deletion of personal data. The fines are huge: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
- CCPA – For for-profit businesses doing business in California that meet any one of its thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices (the CPRA amendments raised this to 100,000 consumers or households); or deriving half or more of annual revenue from selling personal information. CCPA focuses on consumers’ rights over their data. Hefty fines are also in store for failures to comply.
- HIPAA – For covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates that store, transmit, or process electronic Protected Health Information (ePHI). The HIPAA Security Rule mandates administrative, physical, and technical safeguards that protect ePHI against threats, security breaches, and improper use. Fines are tiered by level of culpability and can reach $50,000 per violation, with an annual cap per identical provision violated.
- SOX – For companies publicly traded in the United States. SOX focuses on the accuracy of financial reporting, the internal controls (including IT controls) that support it, and how critical records are retained and for how long.
- PCI DSS – For organizations that store, process, or transmit payment card data. Its requirements cover building and maintaining a secure network, protecting stored and transmitted cardholder data, restricting access to it, running a vulnerability management program, and regularly testing security. PCI DSS is a contractual standard rather than a law: noncompliance fines are levied by the card brands through acquiring banks and are commonly cited at up to $100,000 per month.
- SOC 2 – For any service organization that stores or processes customer data. SOC 2 is not a law but an attestation report, issued by an independent CPA firm against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), on how the organization manages and secures customer data.
- ISO series – The ISO/IEC 27000 series, most notably ISO/IEC 27001 (the certifiable requirements for an information security management system) and ISO/IEC 27002 (guidance on controls), for organizations looking to protect their data (financial, employee, IP, and customer data).
- NIST series – Publications such as the NIST Cybersecurity Framework (CSF), SP 800-53, and SP 800-171 give any organization a structured way to assess and reduce risk. They are mandatory for US federal agencies and many of their contractors, and voluntary frameworks for everyone else.
Compliance for small and medium-sized businesses (SMB) vs. enterprise
Regulatory compliance is a big focus for organizations today; regardless of the company’s size, it is a large and expensive effort. SMBs are now just as concerned with compliance as enterprises: new laws and penalties keep arriving, and regulators and customers increasingly expect SMBs to comply. For an SMB, the reputational damage from a publicized compliance failure can hurt as much as the fine itself.
SMBs are therefore, more than ever, faced with dedicating already limited and lean resources to compliance efforts.
The good news is that SMBs do not have to meet the same level of requirements an enterprise has. The concept of maturity is useful in building a compliance program that works for an SMB: the organization starts at a basic level and works its way up. As it grows, more resources can be assigned to compliance and the program moves from Level 1 (basic maturity) to Level 3 (highest maturity).
For example, to comply with a requirement for a ‘secure email platform,’ according to the maturity level, a solution can look like this:
- Level 1 – A free consumer-class solution such as gmail.com is used and relies on the default security
- Level 2 – A business-class cloud solution, such as Office 365, is used and relies on the default security
- Level 3 – In addition to a business-class solution, a backup of the email data is in place, and additional top-tier services are enabled, such as multi-factor authentication, email encryption, anti-phishing controls, and Data Loss Prevention (DLP)
There are a lot of nuances to maturity levels, but they give SMBs an achievable path to meeting the requirements while leaving the highest maturity level to large enterprises. Whichever level is chosen, document the choice and the risk it accepts, because that justification is what an auditor or customer will ask for.
Luckily, many compliance management tools in the marketplace help SMBs understand the requirements and design a program that can meet immediate needs.
Limitation of compliance
While compliance laws, regulations, and standards provide a good starting point, achieving compliance does not mean your organization is 100 percent secure. A control can pass an audit by existing and being documented at a point in time, while the threats it was meant to stop keep evolving. We have expanded on this topic in this article.
This is compliance in a nutshell! In the below articles under Compliance 101, we will dive deeper into the compliance world to provide you with the knowledge to be successful in your compliance journey.
Articles
- Key Concepts and Terminologies
- Risk Management Best Practices
- Controls Best Practices
- Policy Best Practices
- Policies vs Procedures
- Standard vs Framework vs Laws vs Regulations
- Is a Board of Directors (BoD) required for SOC 2?
- Compliance Certification vs Attestation
- Vendor vs Subprocessor vs Third-Party Supplier
- ISO Standards and their Internal Audit (IA) requirement