By Tim Torian, Torian Group, Inc.

This is a checklist of areas where legal compliance affects your technology. It is intended to raise awareness of obligations you may not know about as a business owner or manager.

Businesses that handle sensitive personal information are expected to keep that information confidential.

Companies that accept credit cards are subject to PCI DSS, FACTA and Red Flags compliance.

Your bank or card processor may require you to complete a PCI self-assessment questionnaire and to have your Internet-facing systems scanned for vulnerabilities regularly (quarterly for most merchants). Any software you use should either not store card data at all, which is the simplest way to comply, or store it encrypted; the card security code (CVV/CVC) and full magnetic-stripe data may never be stored after a transaction is authorized. The goal is to protect cardholders’ data. If you do have a data breach, you are required to notify those who might be affected.

HIPAA – Anyone who stores health records, or who works with such an organization and has potential access to those records (a “business associate”), is expected to follow rules that ensure the security of “protected” health information (PHI). The rules are extensive, and are aimed at ensuring that you have an ongoing, working security program for your IT systems. You are required to designate a staff member as responsible for security and compliance. HIPAA requirements include a risk analysis: knowing where PHI is stored, who has access to it, what could compromise it, how those threats will be prevented or detected, and what your contingency and incident response plans are.

Companies that collect information about who visits their website are required to publish a privacy policy disclosing what information they track and what they do with it.

You need to be clear with your employees and contractors about what is allowed, and who owns any information they handle.

Include a computer use policy in your employee handbook or procedures. It should address at least the following:

What staff can and cannot do with their computers, tablets, and company provided phones.

Security requirements, including standards for passwords and for any device used for remote access. Mobile devices with company email or remote access, whether company-provided or personally owned, should be required to have a screen lock (PIN or passcode).

Who owns employee generated information – specifically company email messages and company provided phones. Also address who owns company information stored on personally owned devices.

When an employee is representing the company, and what guidelines apply. This includes social media, company email, and posting on blogs and forums.

What happens when policies are violated, and who enforces it.

There are many good examples you can use as guidelines – contact us.

If you are a publicly traded company, Sarbanes-Oxley adds requirements for retaining important records, including email.

If you are involved in a lawsuit, you can be required to produce relevant electronic records, including email (e-discovery).

Have a document retention policy, including how long you retain email. Make sure your IT systems (including backups and archives) and filing systems actually follow the policy, so that you can produce the documents if needed and are not holding records you have no reason to keep.

There are limits on how you can advertise.

You must follow the rules on sending mass email, which are designed to prevent unsolicited email (spam). Messages must have accurate header and subject lines, identify themselves as advertising, include a working way to unsubscribe that you honor promptly, and give your contact information, including a physical postal address.

Some websites are also subject to accessibility requirements. Websites directed at children under 13, or that knowingly collect personal information from them, are subject to specific restrictions (COPPA).

Your web and email marketing are subject to the same rules preventing fraud and misrepresentation as other types of marketing.

Many security regulations share a common theme: they define good practices without getting too specific about the technology. They wisely recognize that technology changes quickly, and what is secure today is obsolete tomorrow. You will need a security policy and a security plan, along with clearly identified business roles with accountability for IT security.
The security policy should not be technology specific. It should define the need for security and establish the business processes and roles needed to create and maintain IT security. It also should define what topics the security plan must cover, and the desired business results.

The security plan includes a statement or inventory of current security systems, identifies gaps between where you are and where you should be, and establishes a plan for getting there. It also establishes the process for maintaining good security, including regular reviews. It addresses the procedures and processes for responding to a security incident should there be one. The security plan will change as needed to address changes in the business and in technology.

There are a lot of packaged “Security Policies” for HIPAA and other compliance requirements, and many are good templates. They cannot substitute for going through the thinking and analysis needed to determine what is right for your business.

Compliance Resources

Regulations that may affect you

CAN-SPAM Act – If you send email newsletters or ads.

E-Discovery laws – Producing electronic records in civil litigation.

California Notice of Breach Law – Notifying affected individuals after a breach of personal information (identity theft).

PCI – If you accept credit cards.

Red Flags Rule – Identity theft prevention program for creditors and financial institutions; protecting sensitive personal information.

FACTA – Printing receipts that prevent identity theft (truncated card numbers, no expiration date).

HIPAA – Medical records.

Sarbanes-Oxley – Publicly traded corporations.

FISMA – Federal agencies and their contractors.

Privacy Policies – If you collect information on your website.

The Children’s Online Privacy Protection Act (COPPA) – Collecting information from children under 13 online.

Articles

Here are some resources for developing your security policy and plan.

As you investigate IT security, you will discover that there are well-established best practices for IT management which provide a foundation for good security. Here are some starting points: