Business Compliance: A Guide to Acronyms
No matter what industry you’re in, business compliance acronyms are all around us. And they can fill your days with both confusion and regulation. We call it compliance alphabet soup. It’s time to make a little bit more sense of all those acronyms and what they mean for your business.
GDPR (General Data Protection Regulation):
The last couple of years, the GDPR business compliance acronym has gotten a lot of play.
While this regulation is European Union law, we are seeing its effects stateside, mainly because it requires any business that interacts with EU residents to comply, regardless of where that business is located.
The goal of GDPR is to strengthen data privacy and protect against breaches. If there is even the slightest likelihood that someone from the EU will be visiting your site, make sure that you comply with GDPR requirements.
HIPAA (Health Insurance Portability and Accountability Act of 1996):
This law was enacted in 1996, but many medical practices are still not HIPAA compliant. Most non-compliant companies believe they are too small to be touched.
Even if you aren’t directly in the medical industry, pay attention! Any organization that works with a medical practice shares responsibility for HIPAA compliance through business associate agreements. These agreements apply to IT companies, law practices, accounting firms, and any other party that might have access to patient data.
Bottom line: all patient data must be protected, encrypted, and kept safe. You also need a specific HIPAA compliance plan, a breach response plan, and a data recovery methodology.
HIPAA has gained notoriety through large-scale medical breaches in recent years, which have brought big penalties. The largest fine currently on record is $16 million. Small companies are also being hit with violations costing about $1.5 million each.
HITECH (Health Information Technology and Clinical Health Act):
HITECH entered the picture in 2009 and gave HIPAA violations real teeth. This regulation specifically covers the electronic transmission of health information. It is meant to improve patient care through better coordination between doctors, sharing of information, and strong data security for electronic health records. In practice, all those privacy forms you sign whenever you go to the doctor really do serve an important purpose.
I-9 (Employment Eligibility Verification):
This is the form that new hires must fill out to verify that they are eligible to work within the US. While this piece of paper may get lost among the sea of new hire paperwork, it should never be overlooked.
Even if you have been using the I-9 form correctly for years, you may want to go back and check for updates to the form. Some updates will have no impact on you. But to be truly in compliance, you will sometimes need to have every employee update their I-9 information.
CCPA (California Consumer Privacy Act):
This law went into effect in January 2020. The basic premise of the act is to give California residents greater knowledge of how their personal information is used. It also lets them know who their information is being sold to and gives them the right to refuse the sale of their data. The law applies to companies that do business in California and meet at least one of these three qualifications:
- Have annual revenue of $25 million or more.
- Receive or disclose the personal information of more than 50,000 California residents annually.
- Make 50% or more of their income from the sale of California residents’ personal information.
If you use email for business, chances are you’ve heard of this one. The law was enacted in 2003 and defines commercial email as any electronic mail whose main purpose is commercial advertisement or promotion.
If you send commercial email, you must adhere to strict guidelines for those messages. These guidelines include not using deceptive subject lines or misleading headers, clearly identifying the email as an ad, including your business’s physical address, and providing an opt-out option.
While the law is fairly straightforward, companies can be fined over $43,000 for every violation, so the penalty for non-compliance can be significant.
PCI DSS (Payment Card Industry Data Security Standard):
Do you collect credit card information within your business? Any payment data you collect and store must be handled in a PCI DSS compliant way. To ensure compliance:
- Employ strong security controls, such as firewalls, anti-virus protection, and regular patching, that protect your network as a whole.
- Encrypt all credit card information transmitted across open, public networks.
- Maintain strong data access controls so that unauthorized people cannot gain access to cardholder information.
These are just a few of the business compliance acronyms you may encounter in your daily work. Keeping them all straight is not an easy task, and we don’t want you to get lost in the compliance alphabet soup.
Innergi can help you comply with the vast majority of these regulations and will put a clear plan of action in place to strengthen your cybersecurity posture. Call us at 321-275-5580 or send us a message here.