Information Security Laws and Regulations
That Affect Your Business
Overview

339,674,601.
That's the number of records stolen from businesses and organizations since 2005 (source: Privacy Rights Clearinghouse).  Estimates show over 55% of people in the U.S. have already had their personal information stolen or lost in one form or another.  Identity theft and fraud have become an epidemic problem.

It's everyone's responsibility to do what they can to fight identity theft and consumer fraud.  But with current laws and regulations requiring the protection of customer information, businesses and organizations now bear the biggest liability and the greatest monetary damage from identity theft and fraud.  

Bottom Line: 

If you collect, use, transmit, or store information about your customers or members, you must comply with these laws and regulations.  And while not every law or regulation is applicable to every business, every business must meet minimum standards of information security, or face steep fines, penalties and even civil action against them in the event customer or employee information is leaked, lost or stolen.

Each of the information security laws and regulations is different, but all address the implementation of best practices and various requirements for protecting customer information, including technical, physical and administrative safeguards.  You may not need to be compliant with every law, but by implementing overall information security best practices and safeguards, you can be confident you’ll have the safeguards in place to protect your data, and limit your financial risks or liability under these laws.

InfoSafe is the leading information security compliance and certification program, helping businesses to meet these requirements and best practices in a single overall, easy to implement, and affordable compliance program. 

Becoming InfoSafe Certified means your business meets or exceeds the minimum recommended standards and requirements for protecting your customers’ and employees’ personal information against identity theft and fraud.  It also shows your commitment to doing business the right way, with a genuine commitment to privacy, safety and trust.

Here is a brief overview of the major laws and regulations every business owner must be aware of.



Red Flag Rules

Applies to:
  Anyone who arranges for or extends credit or payment terms, or who provides products or services and bills or invoices the customer.

Penalties, Fines:  Up to $3,500 per violation, plus attorneys’ fees.  The FTC can seek both monetary civil penalties and injunctive relief for violations.  Consumers have the right to recover actual damages.

The expression "red flag" signals "Danger: Be alert to problems ahead."  Under the Red Flags Rule, which first went into effect on January 1, 2008, certain businesses and organizations are required to spot and heed the red flags that often are the telltale signs of identity theft. To comply with the Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you must develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.  Enforcement of the Red Flags Rule begins for all businesses on November 1, 2009.

PCI Compliance

Applies to:
  Anyone who accepts, processes, transmits or stores credit/debit card information, including retail, mail/telephone order, and e-Commerce.

Penalties, Fines:  Up to $10,000 on the first violation for not implementing required safeguards. Visa Fraud Control fines of up to $500,000 per incident for any merchant or service provider that is compromised and not compliant at the time of the incident. Fines and penalties vary depending on your acquiring bank and the card brands you accept.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a comprehensive set of requirements for protecting card and cardholder information against theft and fraud.  It was developed by the founding members of the PCI Security Standards Council: American Express, Discover, JCB, MasterCard and Visa.

PCI DSS is a multifaceted security standard that includes specific requirements for protecting stored cardholder data, implementing a vulnerability management program, regularly testing security, implementing access control measures, and maintaining an information security policy.

Gramm Leach Bliley Act (GLBA)

Applies to:
  A broad list of “financial institutions”, loosely defined as anyone in financial services or products in any way, such as banks, insurance agents/firms, securities firms, lenders of any type, loan brokers or servicers, financial planners, accountants, tax preparers, real estate professionals, credit counselors, debt collectors, money transfer agents, and many more.

Penalties, Fines:  Up to $100,000 for each violation.  Owners and officers are personally liable for up to $10,000 per violation.  Severe civil and criminal penalties for fraud and negligence, including fines and even imprisonment.

The Gramm Leach Bliley Act, also known as the Financial Modernization Act of 1999, requires businesses and organizations to protect consumers’ personal financial information. The provisions of this law require the implementation of privacy policies and notices under the FTC’s Privacy Rule, plus formalized security plans and adequate information safeguards under the FTC’s Safeguards Rule.  The law also includes provisions for criminal negligence.  Since most personal financial information is computerized, proper data security is a major part of GLBA compliance.

GLBA gives authority to eight federal agencies and every state to enforce the privacy and safeguards rules outlined in this law. 

Health Insurance Portability and Accountability Act (HIPAA / HITECH)

Applies to:
  All types of healthcare-related organizations such as doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies, and more.  Also includes health insurance companies and businesses that support healthcare organizations – such as online backup providers, billing agencies and organizations that support Internet-based health services.

Penalties, Fines:  The penalties for non-compliance range from a minimum of $100 per violation to a maximum of $25,000 per year.  Possible criminal negligence and fraud prosecution, up to 10 years in prison.

Under HIPAA / HITECH, all organizations that record, maintain, or transmit personal health information are required to ensure that all patient information is kept confidential, secure, and readily available.  HIPAA / HITECH requires that patient medical records and other protected health information be kept private and confidential.

Recently, under the American Recovery and Reinvestment Act of 2009, changes were made to HIPAA / HITECH to, among other things, broaden the scope of who must comply, and to significantly increase civil penalties for HIPAA / HITECH violations, potentially to the tune of $1.5 million per year in fines.  These changes to HIPAA / HITECH go into effect February 2010.

State Laws

Applies to:
  Any business or organization, small or large, that gathers, licenses, transmits, or stores any form of personal information about its customers, including name, Social Security number, credit card information, driver’s license numbers, account numbers, birth dates, health information, financial information, and more.

Penalties, Fines:  $500 to $5,000 in fines per customer record lost or stolen – depending on the state.  Civil penalties of up to $500,000 apply in most states for failure to safeguard personal data, to properly dispose of such data, and to provide adequate privacy protections.  Reckless or negligent disclosure of customer or employee personal information generally results in criminal penalties with severe fines and 1 to 3 years’ jail time.

Virtually every state now has laws requiring all businesses to implement proper technical and administrative safeguards to protect customer information against identity theft and fraud.  States are becoming increasingly aggressive at requiring specific practices and safeguards such as having a documented security plan, regular vulnerability risk assessments, updated and monitored computer security systems, data encryption, and most commonly, an incident response plan to notify customers of a breach and to remedy the situation.

Many state laws focus on employee misuse of personal information. This “insider threat” has evolved into one of the greatest risks ever to confront organizations maintaining customer information. The regulations attempt to address this risk by requiring businesses to develop and implement data protection policies, employee awareness training, ongoing compliance monitoring, and disciplinary standards for willful privacy violations.

State laws are also interstate laws.  Businesses with customers in other states must not only comply with their own state’s laws; they must also comply with the information security and security breach notification laws of every state where any of their customers reside.  As a practical matter, businesses should comply with the regulations of the most highly regulated states.

Summary

Given that virtually all companies are subject to several laws’ requirements and penalties, it is critical that you immediately move toward compliance. Those that choose not to implement the necessary technical and administrative safeguards are placing their customers, employees and themselves at significant risk.

You may not need to be compliant with every law, but by implementing overall information security best practices and safeguards, you can be confident you’ll have the proper safeguards in place to protect your data, and limit your financial risks or liability with these laws.

Get InfoSafe Certified.