Risk and Compliance

Many mid-market businesses mistakenly believe that, unlike large corporations, they need not worry about cybersecurity. The statistics show otherwise: small and medium businesses are a primary target, accounting for 43 percent of all attacks.

Cyber attacks are a real threat, and federal, state, and even international regulations require that certain cybersecurity protocols be followed. Whether you like it or not, your company may be subject to cyber compliance laws, and ignoring them can expose you to legal consequences if your company suffers a data breach. Industry-specific regulations also apply, written to protect consumer, employee, and even government data.

Mid-Market Business Compliance

Industry Based Compliance

There are a handful of federal regulations concerning cybersecurity that every company should be aware of. As major breaches appear regularly in the news cycle, the federal government keeps adding cybersecurity requirements to address changes in the threat landscape.

Cybersecurity Maturity Model Certification 2.0 (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is administered by the CMMC Accreditation Body (CMMC-AB, now operating as the Cyber AB), which works with the Department of Defense (DoD) to accredit the third-party assessment organizations that certify contractors. The goal of CMMC is to protect sensitive information that contractors create or handle on the government's behalf.

This information is classed as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC applies to defense contractors and other vendors that work with, or wish to work with, the DoD, and the required level flows down through the supply chain to subcontractors that handle FCI or CUI.

Failure to hold the required certification can disqualify a bid on a DoD request for proposals (RFP) outright.

Preparing for certification typically involves the following activities:

  • Vulnerability Assessments
  • Penetration Testing
  • Network Monitoring
  • Employee Training
  • Cybersecurity Risk Assessments
  • Incident Response Planning
  • Policy documentation
  • Implementation of Security Controls

Alliant Cybersecurity is a Registered Provider Organization (RPO), registered with the Cyber AB to assist businesses with CMMC 2.0 compliance readiness.

CMMC 2.0 defines three levels. Assessments at Levels 2 and 3 recur every three years (triennially), not three times a year:

  • Level 1 (Foundational): 17 controls, verified by an annual self-assessment
  • Level 2 (Advanced): 110 controls aligned with NIST SP 800-171, verified by a triennial third-party (C3PAO) assessment
  • Level 3 (Expert): 110+ controls (NIST SP 800-171 plus a subset of NIST SP 800-172), verified by a triennial government-led assessment

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is best known for establishing rules that protect the privacy of patient health information. HIPAA also has a security component, the Security Rule, designed to protect electronic protected health information (ePHI) as it is created, used, transmitted, and maintained.

The HIPAA Security Rule establishes administrative, physical, and technical safeguards for ePHI. Its general requirements are the following:

  • Ensure the confidentiality, integrity, and availability of all ePHI the entity creates, receives, maintains, or transmits
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of that information
  • Protect against any reasonably anticipated uses or disclosures of that information that are not permitted under the Privacy Rule
  • Ensure compliance with the rule by the covered entity's workforce

Covered entities include health plans, health care clearinghouses, and health care providers such as doctors, dentists, and pharmacists. Business associates that work with covered entities must also abide by HIPAA: for instance, CPAs or lawyers who receive protected health information may be subject to the Security Rule.

While HIPAA allows for some leeway in how companies ensure security, there are specific administrative standards and requirements entities must follow.

First, covered entities must conduct a risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold. They are then required to implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.

The Security Rule also recognizes that workforce behavior is a major risk factor, since many attacks begin with social engineering. Its sanction policy standard requires appropriate sanctions against workforce members who fail to comply with the covered entity's security policies and procedures, and its security awareness and training standard requires that the workforce be trained to recognize such attacks in the first place.

Finally, organizations bound by HIPAA must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
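The activity review above is only meaningful if someone actually looks for anomalies in the access records. The script below is an added illustration of what such a review can automate; it is not Alliant Cybersecurity's tooling, and the audit record format, field names, the terminated-account list and the thresholds are all assumptions. It flags three patterns auditors commonly ask about: activity by a deprovisioned account, ePHI exports outside business hours, and one user touching an unusually large number of distinct patient charts in a day.

```python
"""Illustrative review of ePHI access audit records, the kind of
information-system activity review the HIPAA Security Rule expects.
Added example: record format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (assumed format; not from a real system).
SAMPLE_AUDIT = [
    {"ts": "2024-03-04T09:12:00", "user": "nurse.a", "patient": "P1001", "action": "view"},
    {"ts": "2024-03-04T09:14:00", "user": "nurse.a", "patient": "P1002", "action": "view"},
    {"ts": "2024-03-04T13:02:00", "user": "billing.b", "patient": "P1001", "action": "view"},
    {"ts": "2024-03-04T22:40:00", "user": "billing.b", "patient": "P1003", "action": "export"},
    {"ts": "2024-03-04T15:05:00", "user": "contractor.z", "patient": "P1004", "action": "view"},
]
# One account paging through 30 different charts in an hour: likely snooping or bulk export.
SAMPLE_AUDIT += [
    {"ts": f"2024-03-04T10:{m:02d}:00", "user": "intern.c", "patient": f"P2{m:03d}", "action": "view"}
    for m in range(30)
]

TERMINATED_ACCOUNTS = {"contractor.z"}   # assumed feed of deprovisioned users from HR
BULK_THRESHOLD = 25                       # distinct patients per user per day
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 local time


def review_access_log(records, terminated=TERMINATED_ACCOUNTS,
                      bulk_threshold=BULK_THRESHOLD):
    """Return a list of findings; each finding is (kind, user, detail)."""
    findings = []
    patients_per_user_day = defaultdict(set)

    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        user, action = rec["user"], rec["action"]

        # 1. Any activity by an account that should no longer exist.
        if user in terminated:
            findings.append(("terminated_account", user, rec["ts"]))

        # 2. Exports of ePHI outside business hours.
        if action == "export" and ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_export", user, rec["ts"]))

        patients_per_user_day[(user, ts.date())].add(rec["patient"])

    # 3. Bulk access: too many distinct patients for one user in one day.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, f"{day}: {len(patients)} patients"))

    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access_log(SAMPLE_AUDIT):
        print(f"{kind:20} {user:14} {detail}")
```

Run on the constructed sample this reports three findings: the after-hours export by billing.b, the view by the terminated contractor.z account, and the 30-patient day for intern.c. In a real deployment the thresholds would be tuned per role (an emergency-department clinician legitimately sees more patients per shift than a billing clerk), and the findings would feed a ticket or SIEM rather than stdout.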

Data Privacy and Protection Regulations

People care about privacy. Your employees, clients, and business partners have a right to understand what information you have collected on them over the course of your business relationship. This includes simple pieces of information like names, email addresses, and phone numbers, as well as sensitive personally identifiable information (PII) such as Social Security numbers and financial records. Failure to publish an accurate privacy policy can carry serious penalties.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends and extends the California Consumer Privacy Act (CCPA), strengthening privacy rights and consumer protections for California residents. The CPRA took effect on January 1, 2023, with enforcement beginning July 1, 2023.

To give California residents those rights, the act requires covered businesses to:

  • Update privacy policies with the newly required disclosures
  • Designate methods for submitting data access, deletion, and correction requests
  • Refrain from asking a resident who has opted out to opt back in for at least 12 months
  • Provide a “Do Not Sell or Share My Personal Information” link on the organization’s website
  • Implement processes to obtain consent from a parent or guardian before selling or sharing the data of minors under 13, and the affirmative opt-in consent of minors aged 13 to 15

The CPRA applies to any for-profit business doing business in California that satisfies at least one of the following thresholds:

  • Annual gross revenue over $25 million
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households per year (the CCPA’s original threshold was 50,000, and also counted devices)
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information

Penalties for non-compliance:

  • A private right of action for data breaches caused by a failure to maintain reasonable security: statutory damages of $100 to $750 per California resident per incident, or actual damages, whichever is greater
  • Administrative fines of up to $2,500 for each violation and $7,500 for each intentional violation or violation involving the personal information of minors

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, established security requirements for financial institutions. The term is broader than banks; under the FTC’s rules, financial institutions include the following:

  • Tax return preparers
  • Debt collectors
  • Banks
  • Real estate settlement services providers and appraisers
  • Loan brokers
  • Certain financial or investment advisers

GLBA established mandatory requirements to protect consumers’ nonpublic personal information, including a written policy for safeguarding it. Three components carry out this goal:

  • Financial Privacy Rule – When a consumer establishes a relationship with a financial institution, the institution must provide a notice explaining what information it collects about the consumer, with whom that information is shared, how it is used, and what protections are in place for it.
  • Safeguards Rule – This requires a written information security program that designates a qualified individual to oversee it, is based on a written risk assessment covering each area that handles customer data, develops, monitors, and tests the safeguards, and updates them as risks change. The FTC’s 2021 amendments to the rule, in force since June 2023, add specific controls such as access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and an incident response plan.
  • Pretexting protection – Financial institutions must guard against attempts to obtain customer information under false pretenses, including social engineering attacks such as phishing. In practice this means training employees to spot and refuse such requests and verifying the identity of anyone asking for customer data.

General Data Protection Regulation (GDPR)

The term ‘world wide web’ has never been truer. Everything we do online connects to another part of the world, yet few data protection regulations reach across borders. The most significant of the international data protection laws is the European Union’s General Data Protection Regulation (GDPR).

The GDPR applies not only to entities established in the EU but also to entities anywhere that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. A company in America that holds data on a person in the EU may therefore have to comply with the GDPR or face a fine of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.

Personal data protected by the GDPR is any information relating to an identified or identifiable person, including:

  • Name
  • Location data
  • Online identifiers such as IP addresses and cookie IDs
  • Identification numbers
  • Factors specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity

The GDPR gives individuals in the EU more control over this data. Controllers and processors must design and implement safeguards appropriate to the risk, which the regulation itself names to include pseudonymization and encryption of personal data. Individuals must be told why their data is being processed, and where processing relies on consent they may withdraw that consent at any time.
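Pseudonymization is worth seeing in code, because the GDPR’s definition turns on a detail that is easy to get wrong: pseudonymized data is still personal data as long as the “additional information” needed to reverse it exists, and that information must be kept separately and protected. The example below is added here to illustrate the technique; it is not Alliant Cybersecurity’s tooling, and the record fields, the 128-bit token length and the candidate-email list are assumptions. It replaces direct identifiers with a keyed HMAC token, keeps the re-identification table apart from the data, and contrasts that with a bare hash of an e-mail address, which an attacker can reverse with a dictionary of guesses.

```python
"""Keyed pseudonymization of a personal-data record, as a worked illustration
of the GDPR's pseudonymisation safeguard.  Added example: field names and the
token length are assumptions, not anything the regulation prescribes."""
import hashlib
import hmac
import secrets


def pseudonym(key, identifier):
    """HMAC-SHA256 of a normalised identifier under a secret key, truncated to 128 bits.
    Same key + same identifier -> same token, so records stay linkable for analytics."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


class Pseudonymizer:
    """Strips direct identifiers from a record and substitutes a token.
    The key and the token->identity table are the 'additional information'
    that GDPR Art. 4(5) requires to be held separately from the data."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # stored in a KMS/HSM in practice
        self.lookup = {}                            # token -> original identifiers

    def pseudonymize(self, record, direct_identifiers=("name", "email")):
        out = dict(record)
        token = pseudonym(self.key, record["email"])
        # Remove the direct identifiers from the working copy and park them in the
        # separate table; everything else (country, totals, ...) stays in the record.
        self.lookup[token] = {f: out.pop(f) for f in direct_identifiers if f in out}
        out["subject_id"] = token
        return out

    def reidentify(self, token):
        """Only the holder of the lookup table (or the key) can reverse a token."""
        return self.lookup.get(token)


def unkeyed_hash(identifier):
    """What NOT to do: a bare SHA-256 of an e-mail address, often mistaken for anonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:32]


def dictionary_attack(target, candidates, hash_fn):
    """Recover the identifier behind a token by hashing guessed values."""
    for candidate in candidates:
        if hash_fn(candidate) == target:
            return candidate
    return None


# Constructed sample data (not real people).
SAMPLE_RECORD = {"name": "Ada Example", "email": "Ada@Example.org",
                 "country": "DE", "purchase_total": 142.50}
CANDIDATE_EMAILS = ["bob@example.org", "ada@example.org", "eve@example.org"]


if __name__ == "__main__":
    p = Pseudonymizer()
    safe = p.pseudonymize(dict(SAMPLE_RECORD))
    print("pseudonymized record:", safe)
    print("re-identified by key holder:", p.reidentify(safe["subject_id"]))
    # The keyed token resists guessing; the bare hash does not.
    print("guess keyed token:", dictionary_attack(safe["subject_id"], CANDIDATE_EMAILS, unkeyed_hash))
    print("guess bare hash:  ", dictionary_attack(unkeyed_hash("ada@example.org"),
                                                   CANDIDATE_EMAILS, unkeyed_hash))
```

Two design points follow from the code. First, the normalization step (`strip().lower()`) decides what counts as the same person; if two systems normalize differently they produce unlinkable tokens for the same individual. Second, the analytics team that receives `safe` never needs the key or the lookup table, so those can sit under stricter access control than the dataset itself; if the key is ever destroyed and the table deleted, the remaining tokens approach anonymous data, but until then the records remain in scope for the GDPR.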

Alliant Cybersecurity Advantage

In the event of an incident, Alliant Cybersecurity will publish an initial report within 24 to 72 hours with our findings on why, who, what, where, when, and how the attack happened. Our team will also assist you with:

  • Selecting tools to secure and strengthen your infrastructure
  • Liaising with law enforcement agencies and insurance providers
  • Training your workforce to avoid future attacks

Get the Alliant advantage today! Contact us for general consultation or reach out to us on our hotline number for a cyber-emergency.