Category Archives: Compliance & Regulation

NIST 800-171: Definition and Tips for Compliance

security cameras on a white wall

Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information. NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines. NIST itself is a non-regulatory Federal agency responsible…

The Average Reading Level of a Privacy Policy

privacy policies of tech companies after gdpr

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data. While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for…

EU NIS Directive (NISD) Holds Surprises for US Online Companies

EU NIS Directive (NISD) Holds Surprises for US Online Companies

Last month, a major data security law went into effect that will impact businesses both in the EU and the US. No, I’m not talking about the General Data Protection Regulation (GDPR), which we’ve mentioned more than a few times on the IOS blog. While more narrowly focused on EU “critical infrastructure”, the NIS Directive or NISD also has some surprising implications for non-EU companies not remotely in the business of running hydroelectric plants or…

[Transcript] Attorney Sara Jodka on the GDPR and HR Data

[Transcript] Attorney Sara Jodka on the GDPR and HR Data

In reviewing the transcript of my interview with Sara Jodka, I realize again how much great information she freely dispensed. Thanks Sara! The employee-employer relationship under the GDPR is a confusing area. It might be helpful to clarify a few points Sara made in our conversation about the legitimate interest exception to consent, and the threshold for Data Protection Impact Assessments (DPIAs). The core problem is that to process personal data under the GDPR you…

[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

In the second part of my interview with Dickinson Wright’s Sara Jodka, we go deeper into some of the consequences of internal employee data. Under the GDPR, companies will likely have to take an additional step before they can process this data: employers will have to perform a Data Protection Impact Assessment (DPIA). As Sara explained in the first podcast, internal employee data is covered by the GDPR — all of the new law’s requirements…

NIST 800-53: Definition and Tips for Compliance

nist 800-53

NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day. The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing…

[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

In this first part of my interview with Dickinson Wright attorney Sara Jodka, we start a discussion of how the EU General Data Protection Regulation (GDPR) treats employee data. Surprisingly, this turns out to be a tricky area of the new law. I can sum up my talk with her, which is based heavily on Jodka’s very readable legal article on this overlooked topic, as follows: darnit, employees are people too! It may come as…

Canada’s PIPEDA Breach Notification Regulations Are Finalized!

Canada’s PIPEDA Breach Notification Regulations Are Finalized!

While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the word, has a broad consumer data security and privacy law, which is known as the Personal Information Protection and Electronic Documents Act (PIPEDA). For nitpickers, there are also overriding data laws at the provincial level — Alberta and British Columbia’s PIPA — that effectively mirror…

Another GDPR Gotcha: HR and Employee Data

Another GDPR Gotcha: HR and Employee Data

Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t have to expend much effort to comply with the General Data Protection Regulation (GDPR)? I still stand by this claim. Sure there are some GDPR requirements, such as the 72-hour breach notification, which will require special technology sauce. There’s also plenty of fine print that…

HIPAA Security Rule Explained

hipaa security rule

The HIPAA Journal estimates that a large data breach ( > 50k records) can cost the organization around $6 million – and that’s before the Office of Civil Rights (OCR) drops their own hammer. Over the last few years, we’ve seen more reports of breaches, an increase of HIPAA investigations, and higher fines across the board – all stemming from violations of the HIPAA security rule. The HIPAA Security Rule sets the minimum standards required…

HIPAA Privacy Rule Explained

hipaa privacy rule hero

It’s an unfortunate (but inevitable) fact of life: Laptops get stolen, and the consequences can be devastating. If those laptops have electronic protected health information (ePHI) on them, they fall under HIPAA regulations and the theft must be reported. Even if the thief doesn’t look at the data, the company can’t prove it: everyone should take precautions to protect themselves against not just fallout from lost data, but from the potential fines that can accrue:…