Security for Small Business – Regulatory Compliance
As part of an ongoing series, we’re taking a look at security for small business, the tools that are available, and the best practices that keep your business ahead of the curve.
Starting a business is complex; ensuring all of the proper forms are filled and filed can be a tricky, time-consuming endeavor. Maintaining that business can be even more complex when faced with confusing rules and regulations that apply on an industry-specific basis. Many of these regulations hide behind obscure acronyms, making it even more difficult to ensure regulatory compliance within your enterprise.
The cost of failing to comply with industry or government regulations can be high, both in financial terms and in the impact increased scrutiny can have on your productivity and profitability. Understanding which regulations apply to your business takes time, but is fundamental to maintaining a functional, productive business.
The three most commonly-referenced acronyms impacting regulatory compliance for online businesses these days are PCI, HIPAA, and GDPR. Let’s take time to walk through what each one means and how it might apply to your small business.
PCI generally stands for Payment Card Industry and is used as a placeholder for PCI-DSS, the Data Security Standard established by major credit card brands. The PCI Standards place twelve specific requirements on any merchants who accept credit cards for purchases. These requirements are categorized into six rough groups:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The aim of the PCI Standards is to, fundamentally, protect your customers from identity theft or abuse. These standards place restrictions on how you can host your application, collect customer information, and what you must do once information has been collected. There are agencies that help to independently audit your business for regulatory compliance.
There are also organizations, like Stripe, who are independently PCI compliant and permit your application to defer card and cardholder management to their system. If your small business takes customer card information directly, it needs to be in regulatory compliance with the PCI Standards. You can, and should, use services like Stripe to outsource the effort it takes to comply so your team can focus on the actual business at hand.
HIPAA is the Health Insurance Portability and Accountability Act that was passed in the US in 1996. The first part of the act applies broadly to those providing health care access and coverage. The second part applies specifically to preventing fraud, simplifying documentation, and reforming medical liability.
In general, Title II of HIPAA applies to any business that houses, transmits, or interacts with the private health information of Americans. From a security perspective, regulatory compliance with HIPAA requires:
- Administrative safeguards dictating how you interact with protected data
- Physical safeguards controlling access to protected data
- Technical safeguards controlling access to computer systems and networks that interact with protected data
The aim of HIPAA is to protect patients from having their medical histories inadvertently leaked in the public space. It applies to any business dealing with, collecting, or interfacing with both medical histories and personal health information. Penalties for violations include civil fines, so ensuring proper regulatory compliance is critical for any business dealing with health (or just health-adjacent) information.
The General Data Protection Regulation (PDF) is a European regulation regarding data protection for anyone within the EU. Its primary goal is to harmonize the various data privacy and protection regulations already implemented by various EU member states, making it easier for non-EU entities to do business in Europe.
It should be noted that, while the GDPR was adopted by the EU Parliament in 2016, it will not actually take effect for many businesses until May of 2018.
In general, the GDPR provides for several key privacy provisions:
- Consent -- businesses must receive explicit consent from consumers before collecting their information
- Right to object -- consumers are allowed to prevent businesses from processing their information
- Right to erasure -- consumers can request businesses erase their personal data without delay
- Businesses or data controllers should designate “data protection officers” to monitor the collection and processing of data
- Data breaches must be properly disclosed to the consumers whose data was breached
In addition, the GDPR establishes rules regarding government processing of data (for the sake of national security) along with policies for legal challenges and administrative fines.
While your business might be physically located outside of Europe, the GDPR is still an acronym and set of regulations with which you should be familiar. Any business conducting operations online with customers in Europe must follow the same rules as those physically located there. That said, the strong privacy requirements set in place by the GDPR aim to protect the privacy of your customers; even if they don’t apply to you, they serve as a solid barometer against which to measure the means you use to protect customer data.
One Thing Right Now …
Not every web application will be impacted by the regulations above. HIPAA is industry-specific. GDPR is region-specific. PCI only applies to businesses taking credit cards for purchases. That being said, there are definitely regulations that will apply to your business and to the presence it maintains online.
The one thing you can do right now to move towards proper regulatory compliance is to concretely identify the regulations that apply to your small business. The US Small Business Association curates multiple resources to help you get started. They publish overviews on customer privacy, rules for online marketing and advertising, and detailed explanations of digital rights and copyright regulations.
The best step forward towards a secure, stable, scalable business is to ensure you understand and are in compliance with all of the pertinent regulations in your industry. Get started by documenting the rules that apply, then work with your team to ensure your digital presence is compliant.
Top image credit: User Tucnay, Creative Commons