
What is Regulatory Compliance?

A Brief Definition of Regulatory Compliance
While regulatory compliance is a broad topic, the definition is quite simple – it’s all about making sure an organization is following the rules for its industry. With regulatory compliance, you are required by an outside authority to perform certain obligations or comply with regulations, and there are consequences for not doing so.
Regulatory compliance should not be confused with corporate or internal compliance, as the mandate between an internal and external policy may differ significantly. Essentially, being compliant can save a company from potential legal entanglements.
Why Is Regulatory Compliance Important?
Today, concerns surrounding privacy and IT security are of top importance with regulatory compliance. Especially over the last five years, people have been catching on to how often privacy is abused. While compliance regulations have existed for many years now, they weren’t created with privacy in mind — it’s only recently that we have seen them merge with IT security.
If you’re fully compliant, it represents a big step in the right direction for data protection. However, compliance should be viewed as a minimum standard — an organization should strive to reach higher.
What does this mean? It means doing the right things and having sound controls. If you’re doing those things, the compliance should come naturally.
If you think about SOX (Sarbanes-Oxley), one of the earlier compliance acts, at the end of the day you’re required to understand the risks, and you need to have controls and processes to address those risks to prevent a financial mistake. It means you need to understand your environment, its associated risks and the controls to mitigate risks. SOX was one of the first regulatory compliance acts in which risk was the main driver — and mitigating risk (especially from a privacy perspective) is prominent in many recent regulatory compliance acts.
The recent General Data Protection Regulation (GDPR), for instance, was developed with risk in mind and focuses on the need to understand the risks of processing certain types of information.
Once you have your risks and compliance methodologies in place, you can leverage them to not only comply with one regulation but comply with many. Besides, compliance can be used as a stepping stone for your organization as a whole. Further, if there’s a new regulatory compliance law coming up in the future, you may already be compliant.
On the other hand, if you’re not compliant, the costs can be damaging. There may be fines, reputational risks, impacts to stock price or revenue, or a loss of customers. Over and above that, there are industry risks to consider. If you’re not compliant with PCI regulations for credit card processing, for example, your ability to process transactions may go away.
The risk of continuing to do business may even be at stake.
Compliance Challenges
There are numerous challenges companies face in order to remain compliant, but the primary obstacles impact finance, HR, and IT.
It’s unfortunate, but the biggest challenge for compliance is that it can be expensive. Let’s face it: many organizations are running lean as it is, and now they’re faced with an edict of “You shall manage risk.” Then, organizations must decide whether to outsource or dedicate internal resources to compliance. From a human resources standpoint, it can be time-consuming. In some companies, these developments may require the introduction of compliance-centric positions such as Regulatory Compliance Officer or Manager.
For the IT department, the never-ending stream of new technologies creates considerable compliance complications. As employees continue to incorporate their own devices in today’s BYOD (bring your own device) landscape, we must understand that those endpoints store sensitive, compliance-relevant company data. Compounding the issue is the massive growth of IoT — meaning even more endpoints and interconnected devices (which may or may not be secure) on an organization’s network.
Keeping up with updates, patching software quickly, and staying on top of vulnerabilities are all requirements for maintaining compliance.
Endpoint management is a crucial component of regulatory compliance.
Regulatory Compliance Examples 
One of the most prominent examples of regulatory compliance, especially today, is HIPAA. Through ongoing regulations, HIPAA compliance is a living entity that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.

If your organization has anything to do with the healthcare industry, you’ll want to check out our HIPAA compliance checklist.
The Sarbanes-Oxley or SOX Act of 2002 mentioned above was created to oversee corporate fraud from a financial perspective. Along with protecting whistleblowers, SOX banned company loans to executives, and holds CEOs personally accountable for financial missteps.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was created to reorganize and improve financial regulation and also created the Consumer Financial Protection Bureau. It may be one of the most complex pieces of legislation written.
Two new regulatory compliance acts to look out for, especially pertaining to privacy, are the California Consumer Privacy Act and the New York State Personal Privacy Protection Law. The California act, which takes effect in 2020, “gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with.” The New York law “protects you from the random collection of personal information by state agencies. The law enables you to access and/or correct information on file which pertains to you. It also regulates disclosure of personal information to persons authorized by law to have access for official use.”

How Can I Learn More?
As 2020 approaches, protecting privacy is going to be more critical than ever and will be a critical element for regulatory compliance.
Privacy laws give organizations parameters to work within and help ensure accountability. However, in the face of resource constraints and rapidly evolving threats, IT is often caught in the crossfire in choosing where efforts should be focused.
If you need a path for harmonious co-existence between working within the law and advancing technology, we’re here to help.
Watch our IT on Trial — Guilty Until Proven Innocent? webinar to learn legal and ethical considerations for data privacy, the value legal frameworks provide to technological advancement, and get predictions about the direction and increasing importance of privacy laws.
This article is for informational purposes only. The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice. You should contact a licensed lawyer in your area to assist you in legal and regulatory matters. Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2019 Absolute Software Corporation. All rights reserved. ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.

The Biggest Challenges of Encryption

Encryption is a staple security control for most organizations. In a recent Ponemon study, enterprise use of encryption hit an all-time high this year with 45 percent of organizations now having a comprehensive encryption policy in place. Conversely, just 13 percent of organizations have no encryption capabilities. What is the biggest challenge organizations face in implementing their encryption policy? Simply having visibility into their data and knowing which needs to be protected.
What is Encryption?
According to Techopedia, encryption is the process of algorithmically transforming information to make it unreadable for unauthorized users. The encoded data may only be decrypted, or made readable, with a key. While encryption can be used to protect data at rest, it’s most often used during the transfer of information. In 2018, encrypted traffic reached 72 percent of all network traffic – a 20 percent increase over the year prior.
Encryption means data is only readable by senders and receivers, not third parties who may be trying to get their hands on it. In the age of big data, where organizations collect and share information at unprecedented rates, encryption is a critically important tool.
Adoption Driver: Compliance
Along with the need to protect against rising data breaches, another primary driver behind increasing encryption use is compliance. Data protection laws – including GDPR, CCPA and PIPEDA – require organizations to prove that encryption was in place at the time of a security incident or face hefty fines – to the tune of $3.86 million, which is now the average cost of a data breach.
GDPR repeatedly highlights encryption as an ‘appropriate technical and organizational measure of personal data security.’ Under GDPR, organizations must notify regulators and impacted individuals of a data breach within 72 hours of the incident unless the data in question was sufficiently encrypted.
Having encryption in place can save your organization from potentially disastrous reputational damage. More than the cost of the fines, reputational damage caused by losing the trust in the eyes of customers and the public can ultimately be the factor that destroys an organization’s success.
The Human Element
Encryption isn’t without its challenges, however, and a big one is the very people who use it. Users are often the weak link in your security chain – another new study found that employee mistakes continue to be the most significant threat to data security. Encryption may be mathematically guaranteed, but it can also be complicated to implement and confusing for users. This often leads to employees disabling it or insecurely sharing decryption keys, which makes the entire program void.
Device Complexity Creates False Sense of Security
Encryption is a powerful tool, but it’s still just one ingredient in your overall security mix. It is most often paired with other endpoint security solutions such as patch management, antivirus and antimalware, along with firewalls, SIEM solutions and many others. All have their place, but the rising number of solutions deployed on any given device adds significant complexity and makes monitoring them a challenge. Tools don’t always integrate or work well together, and controls easily become misconfigured.
The high volume of security tools often provides a false sense of security because broken tools can leave big gaps in an organization’s defenses. Instead, IT and security teams need to be able to better understand what’s happening on their devices and respond to suspicious events to reduce security failures. Adding more and more security controls to the endpoint may perpetuate the risk.
It’s imperative that encryption and any other fundamental security tools are working at all times, as intended, in order to have visibility and control over devices that contain data or have network access.
To learn more about how security tools degrade, and how you can analyze the tools you already have to identify blind spots or opportunities to strengthen your defenses, listen to the recent webinar we did with Forrester analyst Renee Murphy, titled The State of Endpoint Security in 2019.

The Role of Dematerialization in Data Privacy

In the constant push for bigger, better, faster, it’s normal to see products and services evolve to meet shifting customer expectations. What’s different about today though, is how customers themselves are changing. Everyone has a growing digital footprint, regardless of whether or not they want one. What does this mean for personal data privacy?
The Dematerialization of Society
Look around your home today and compare it with a home in the 1980s or 90s. What’s missing? An answering machine, Rolodex, calendar, alarm clock, road maps, vinyl records, VHS tapes, cassettes, CDs, and DVDs; the list goes on. Each of those material goods has been replaced by our smartphones. Digital has “dematerialized” our world — even our money has been digitized, for the most part. It’s safe to say we’re much less dependent on physical stuff.
Digital has also dematerialized people. A person is a person because of the data that exists about them — our digital selves. We have become a collection of individual pieces of data made up of Personally Identifiable Information or PII.
Personal Privacy in a Dematerialized World
When all of our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we have somehow managed to sacrifice our personal privacy along the way.
We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes around in the cloud — and somehow this shift made the data seem less valuable for a while.
For more on the three general attitudes people have on data protection, read Data Privacy in Our Digital World.
New and Updated Regulations to Protect Our Digital Selves
There have been too many stories in the news about organizations and institutions for all the wrong reasons — negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and so on.
As a result, governments around the world are stepping up to the challenge of protecting the privacy of the individual with strict regulations (backed by law) that govern the use and misuse of digital data, and shift power back to the individual.
Sweeping regulations, such as the EU General Data Protection Regulation (GDPR), are prompting regulators around the world to implement compatible standards and, in some cases, start levying their own fines.
Most recently, the California Consumer Privacy Act (CCPA) as well as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) were introduced. Both have been heavily influenced by GDPR and give people more control over the personal information that is being collected about them.

The C-Suite Has an Ethical Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect PII. Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.
Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for the government to impose it.
The C-suite has a responsibility to take an active role in ensuring data security and privacy controls are in place — failure to do so puts innocent people at risk and could potentially be the digital world equivalent of reckless endangerment.
In my next post on C-suite responsibility, I’ll discuss the different data privacy considerations that too often go overlooked. In the meantime, if you’d like to learn more, get our new eBook, 3 Overlooked Data Privacy Considerations. 

Global Data Privacy Laws in 2019

As our personal information becomes digitized and organizations push to collect more and more of it, data privacy has become a critical issue. Regulations are needed to protect the growing volume of data and a majority of nations’ governments are responding with a multitude of global data privacy laws.
The Road to Regulation
According to a new, interactive map by the United Nations Conference on Trade and Development (UNCTAD), 58 percent of the 194 UNCTAD member countries report having data protection and/or privacy legislation on the books and another 10 percent have draft legislation in the works. Unfortunately, 21 percent of countries have no legislation or anything in process.
A global map of cyberlaws, the Global Cyberlaw Tracker monitors the state of e-commerce legislation including laws over e-transactions, consumer protection, data protection/privacy, and cybercrime. It’s a helpful tool for organizations as they work to safeguard the personal information of citizens around the globe. However, it’s also a good illustration of the significant challenge organizations face in data protection compliance.
To further complicate matters for the companies that do business with Americans, there is no federal data privacy law in the United States. Instead, companies are left to interpret and comply with a growing patchwork of individual state laws — a movement now gaining momentum thanks to the California Consumer Privacy Act (CCPA) of 2018.
Read: Will CCPA Pave the Way to a Federal Data Privacy Law?
Is GDPR the Future of Global Data Privacy Laws?
To avoid having to comply with 50 different state laws, big tech companies are calling for a unified law similar to the European Union’s GDPR, though more so in concept than in scope. Most data privacy activists champion the regulation; however, many organizations are cautious about what they ask for. GDPR is considered the world’s most stringent data protection law. Since going into effect in May of last year, nearly 60,000 data breaches have been reported, but only 91 fines have been imposed to date. According to one report by international law firm DLA Piper, the three biggest offenders so far are the Netherlands, Germany, and the United Kingdom.
Keeping up with the evolving regulatory landscape requires constant attention – just like monitoring sensitive data that is always on the move. While the world’s lawmakers scramble to keep up with escalating data privacy issues, costly fines and the court of public opinion are already underway. It’s important to understand what data you collect, where it’s shared, and how it’s protected. While many data privacy regulations are still being developed, implementing measures that align with larger privacy frameworks like GDPR can ensure your organization’s data is protected and that you’re prepared for forthcoming regulations.
For more information on the global state of data privacy, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
Video Transcript:
Hello again! Josh here from Absolute. In our last episode, we saw how the digital world has made data privacy a top priority. In this episode, we’ll look at some of the laws designed to protect data privacy.
The most obvious place to start is with the General Data Protection Regulation (GDPR) which is fashioned as a statement of rights, including:
-The right to rectify
-The right to be forgotten
-And the right to civil action
Rectify simply means that when someone requests a change to the details of her digital self, you must find every place her data could be so that you can rectify the information and comply with GDPR.
The right to be forgotten is also key, allowing a person’s digital identity to be purged; in legal jargon this is called the ‘right to erasure’.
Once again, we need to find it, which means we need to probe every endpoint to discover where the data is so that we can remove it.
Finally, the GDPR guarantees the right to sue for damages when personal data is misused or left unprotected.
Okay… well, now we have to demonstrate that safeguards are active, up-to-date, and working effectively.
It’s the only way to prove your innocence and avoid a fine, which can be as high as 4% of your organization’s annual revenue.
Fumbling on data privacy is a costly mistake.
What about outside Europe?
In the US, we find laws like HIPAA (for health information) and S-P and S-ID statutes for personal financial information, enforced by the SEC. But no national privacy standard.
In the meantime, we need to follow state laws like CCPA in California. Some have called CCPA, ‘GDPR-lite’. But that’s only for the penalty amounts. CCPA imposes more restrictions, demands faster reporting and tighter controls than GDPR. If it’s true as they say, ‘As California goes, so goes the country’, then we can expect the US to end up with more stringent standards than the EU.
Then, we come to PIPEDA, Canada’s newly refreshed hammer for privacy. Not only is reporting unauthorized access required (like GDPR), but reporting is also required if the safeguards – anti-virus, encryption, security agents – have broken, regardless of whether the attacker was successful.
Wait! You have to prove your security posture was airtight when the incident happened, not just if data was stolen? Yep, that’s what we’re sayin’ (eh)!
Data Privacy is today’s great challenge for IT and security teams, and with 35% of sensitive data sitting out of sight on endpoints, there has never been a stronger need for persistent endpoint visibility and control.
Next time we will explore the steps you can take to ensure data remains private. Be sure to subscribe and drop your comments below, I’ll see you then.

Will CCPA Pave the Way to a Federal Data Privacy Law?

If GDPR is the unification of data privacy laws across Europe, could the California Consumer Privacy Act of 2018 (CCPA) serve the same role in the U.S.? While many privacy advocates hope it does, there’s no question that there is still much work to be done on CCPA before the new California law truly paves the way to a federal data privacy law.
What is CCPA?
CCPA was signed into law on June 28, 2018 and will go into effect January 1, 2020. Under California law, citizens can propose new laws and can incite a vote if they have enough signatures. That’s how CCPA was brought into play – and very quickly made into a reality. As it stands, the law currently provides California residents with four basic data privacy rights:

The right to know which personal information a business is collecting about them, where it’s being sourced, what it’s being used for, whether it’s being disclosed/sold and if so, to whom
The right to opt out of allowing a business to sell their personal information to third parties
The right to have a business delete their personal information, with a few exceptions
The right to receive equal service and pricing from a business even if they exercise their privacy rights

Read our blog post about Data Privacy
Unlike GDPR, CCPA has a narrower scope in terms of whom the data privacy requirements apply to. CCPA impacts any company that does business in the state and meets one of the following criteria:

annual gross revenues over $25 million
receives/discloses the personal information of 50,000 or more CA residents
derives 50 percent or more of its annual revenues from selling CA residents’ information

Violation comes with a civil penalty of up to $7,500 per incident and gives consumers the ability to seek damages either individually or collectively.
CCPA in 2019
Starting in January 2019, the Attorney General (AG) of California has been holding forums across the state to gather comments from the interested public. The input gathered during this rulemaking process — which is set to end on March 8 — will then be considered as legislators draft CCPA rules in the coming months. The first draft of CCPA regulations is expected to be published this fall whereby another public comment period will be scheduled.
CCPA is by no means final, yet already several copycat laws are popping up across the country — Massachusetts, Rhode Island, Washington and New York have all introduced their own state laws too. Other state AGs have said they will take California’s lead on data privacy. Separately, a couple of data privacy bills have been introduced – one back in December by a group of 15 Senators and another by Florida Senator Marco Rubio last month.

The evolving patchwork of U.S. data privacy laws begs the question – when will federal lawmakers finally step in and address consumer privacy rights as was done in the EU with GDPR? Tech giants Cisco, Apple, Facebook and Google recently joined forces calling for this. CCPA and others like it are building awareness and driving momentum for the effort.
Regardless, it’s increasingly important to pay close attention to the legislative landscape as compliance fees continue to climb. Perhaps equally as important though, companies should be taking a stand on data privacy because it’s morally, ethically and legally the right thing to do. It also makes good business sense. Consumers want to do business with companies they trust. In California at least, they are the ones driving data privacy into law.
If you would like more information on how you can be sure your organization is doing what it can to protect the data in its care, download our new eBook 3 Overlooked Data Privacy Considerations.

Data Privacy in a Digital World

Data privacy is top of mind these days – for good reason. The number of exposed online records has doubled since last year, reaching a total of 446.5 million. International regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada have helped to provide standards for governance over our information, but it is not always simple.
We Are Our Data
When all our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we somehow managed to sacrifice our data privacy along the way. We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes of data around in the cloud — and somehow this shift made the data seem less valuable… for a while.
When it comes to data protection, most people fall into one of three categories:

Just stay offline.
My data will be used/misused and it’s no big deal.
Wait a second – that data is who I am!

Whatever your opinion, however, there have been too many stories recently about organizations mishandling data, including negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and the list goes on.
A Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect Personally Identifiable Information (PII). Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.

Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for a government to impose it.
The C-suite has a responsibility to take an active role in ensuring that data security and privacy controls are in place. Failure to do so puts innocent people at risk and could be likened to the digital world’s version of reckless endangerment.
3 Simple Aspects of Data Privacy
Data Residency. Your organization is full of sensitive data and, unfortunately, employees unwittingly put it at risk all the time. An organization is responsible for understanding where the data it collects and stores resides, especially if it is stored in another country. However, your data sits out there on more endpoints than you think, not to mention what happens when one of those devices goes missing.
You need the equivalent of Google for your endpoint data — a lexicographical crawler for PII that can alert you to any unauthorized data hiding out there on endpoint devices. Unless you have that, you simply won’t be able to track all the places where the data resides.
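A toy version of that PII crawler, added here as an illustration and not code from this post or from Absolute’s product: it walks a directory tree, matches a few common PII shapes (US Social Security numbers, e-mail addresses, and payment-card numbers, which are validated with the Luhn checksum so that arbitrary runs of digits are not reported), and records findings per file with the value redacted so that the report itself does not become another copy of the PII. The file names and contents in SAMPLE_FILES are constructed for the demonstration; the patterns are deliberately simple and would need tuning for a real estate of endpoints.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List

# First-pass patterns for a few common PII types. The card pattern only finds
# candidates; luhn_valid() below discards digit runs that are not real card
# numbers (order ids, phone numbers, timestamps).
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line_no: int
    redacted: str  # never the raw value; only a short suffix for triage


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only a short suffix so the report is useful without re-exposing PII."""
    digits = re.sub(r"\D", "", value)
    tail = digits[-4:] if digits else value[-4:]
    return f"****{tail}"


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per PII match in the given file contents."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "card_candidate":
                    if not luhn_valid(re.sub(r"\D", "", value)):
                        continue      # digit run, but not a card number
                    kind = "payment_card"
                yield Finding(path, kind, line_no, redact(value))


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> List[Finding]:
    """Crawl a directory tree and scan every text-like file in it."""
    findings: List[Finding] = []
    for file in root.rglob("*"):
        if file.is_file() and file.suffix.lower() in suffixes:
            try:
                text = file.read_text(errors="replace")
            except OSError:
                continue              # unreadable file: skip, keep crawling
            findings.extend(scan_text(str(file), text))
    return findings


# Constructed sample contents standing in for files found on an endpoint.
SAMPLE_FILES: Dict[str, str] = {
    "exports/customers.csv": "name,email,note\nAda Lovelace,ada@example.com,VIP\n",
    "notes/old_ticket.txt": (
        "Customer card on file: 4111 1111 1111 1111\n"
        "SSN provided over phone: 123-45-6789\n"
    ),
    "notes/readme.txt": "Order id 1234 5678 9012 3456 is not a card.\n",
}


def scan_samples() -> List[Finding]:
    """Run the scanner over the constructed samples (no filesystem needed)."""
    findings: List[Finding] = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line_no}  {f.kind}  {f.redacted}")
```

Pointing scan_tree() at a real directory gives the same Finding records for files on disk; the order-id line in the sample shows why the Luhn check matters, since a plain digit-run pattern would have reported it as a card number.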
Orchestration of Controls. There is no shortage of security controls, whether they be native in the operating system or come as third-party applications like antivirus, antimalware, encryption, or other endpoint detection and response (EDR) solutions. These controls help ensure that the place where data resides is secure.
The problem is in ensuring that the third-party controls remain in place and functioning at all times. Native controls can help with this, giving organizations the ability to pull information from the controls and push actions to the device if they are not operating as they should, or if the user of the device is acting suspiciously.
Continuous Monitoring. Annual auditing is only valid on the day the audit takes place. Can you be sure on any day in between audits that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring, you’ll never be able to keep track of all the data copies that exist on all your devices. This can leave you in hot water when the regulators come knocking.
Data privacy affects all of us. As the speed at which the world operates in digital increases, we can expect everyone to take a greater interest in their personal data. The organizations that act now to build data privacy into their company’s mission statement will be the ones that retain customer trust.
For more information on data privacy in our digital world, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Welcome back! Josh here from Absolute. If you’ve been on planet Earth the last couple of years, you know one topic in Information Security is grabbing everyone’s attention: Data Privacy
Look around at a home of 2019 and compare it with a home of the 1980s or even the 90s. Take notice of what’s likely missing…

Answering machines
Alarm clock
Vinyl records, VHS tapes, cassettes, CDs or DVDs

Each of these (and there are many more) has been replaced by a smartphone. Digital has dematerialized our world. The things people need are no longer dependent on physical stuff but are satisfied by digital technology.
What does this have to do with data privacy?
Well, digital has also dematerialized people. We live in a digital reality. Who we are has become a collection of individual pieces of data; we call it Personally Identifiable Information or PII.
People have always been conscientious about their personal privacy, but now that we’ve been dematerialized, personal privacy takes a new shape. Each person’s right to privacy is more easily overthrown, because we’re not moving physical material around in space, but manipulating bits and bytes that compose a person.
One school of thought says, ‘Just stay offline.’
Another way of thinking says, ‘Hey, my data will be used (or misused), it’s no big deal.’
While others contend this by saying, ‘Wait! That’s my data and that is who I am!’
For starters, just saying ‘stay offline’ isn’t reasonable for a 21st century person: the digital world is where things happen. That’s why we call it The Digital Transformation. Business, government, school, research, and even friend-to-friend interactions, all happen in the digital town square.
For those saying ‘No big deal’, would you say that if you were being harassed or stalked by someone in the physical world? And even if you don’t care about how your data is used, other people do… and they want assurances that their privacy is always secure.
You can see why data privacy is all the rage right now. And it’s not just social media data scraping to create ‘fake news’; we see credit bureaus, city governments, and even hospitals, schools and universities all fail to safeguard individual privacy.
Data privacy goes to the heart of what we value as a society, which demands that we do our best work to protect those digital persons in our care.
Be sure to subscribe and put your comments below. I’ll see you next time, and we’re gonna take a deeper dive into the laws that are designed to protect personal privacy.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, lost or stolen devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t mean layering on every new tool is the right answer, for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and know where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through either encryption or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints, even those that are inactive, also happens to be the starting point of a solid security program.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.

Will 2019 Be the Year of GDPR Fines?

Is 2019 the year we will feel the full impact of GDPR? Chances are good the answer to that question is a resounding “yes!”
GDPR went into effect May 25, 2018 and, as of yet, no sizable fines have been levied for data privacy missteps in the protection of personally identifiable information (PII) of EU citizens. Despite light action in actual enforcement to date, there is plenty of evidence to suggest regulators have been very busy with all of the details that will inevitably lead up to the big penalties the regulation has become known for.
Last year, data privacy groups filed the first complaints under GDPR against Facebook and Google. Since then, nearly every European data protection agency (DPA) reports a significant increase in both data privacy complaints and breach notifications. The newly formed European Data Protection Board (EDPB) is tasked with enforcing GDPR and says well over 40,000 complaints have so far been lodged across the EU.
As the number of complaints continues to rise, DPAs are staffing up to investigate and handle resulting enforcement action. The Irish Data Protection Commission (DPC) for example, has grown from less than 30 employees in 2014 to 130 employees in 2018, with further expansion planned for 2019. Many of the world’s largest tech companies have their EU headquarters in Ireland, including Facebook, Twitter, Microsoft and LinkedIn and, therefore, fall under the purview of the DPC.
Not all DPAs are exclusively focused on hand-slapping, however. Some have been consulting with businesses on how to better protect their data. And, in December, the EDPB issued guidelines on how to comply with the geographic scope outlined in Article 3 of GDPR, which could be interpreted to mean that anyone who processes EU citizen data must comply, regardless of where the business is located.
Monitor and Secure PII
What can you do to address GDPR compliance and ensure you won’t be making headlines for the wrong reasons in 2019 and beyond? Because you can’t secure what you can’t see, the first step is to maintain uncompromised visibility and control over all of your endpoints, whether they are on or off your corporate network.
To help you determine where your PII is located (as defined by any of the 31 European countries subject to GDPR) by device ID and username, Absolute today introduced a new GDPR Compliance Report that is now part of the Absolute Platform.
In addition to where your data is located, the report also shows you whether or not that data has been encrypted and when – required pieces of information for compliance. The report generates a GDPR aggregate match score which is a sum of all matches for compliance with rules that have been built in to the system as well as any custom rules you’d like to add.
Watch this video, Strengthen Your GDPR Compliance with Absolute for a quick overview of how Absolute helps you identify EU-specific PII data residing on all of your endpoint devices, and the importance of having the ability to take immediate action to remotely remediate the risk.

What is HIPAA Compliance and Why is it Important to Healthcare Security?

If you are involved with the healthcare industry, you’ve probably heard of HIPAA, the Health Insurance Portability and Accountability Act. Regulations and best practices surrounding HIPAA can be confusing, but it’s critical that anyone connected to the healthcare industry understand at least the basics.
So we’re here to break things down for you.
First, and perhaps most important, is to answer one of the most commonly asked questions:
What is HIPAA compliance?
HIPAA Compliance Definition
Through ongoing regulations, HIPAA compliance is a living entity that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information. HIPAA compliance requirements are discussed near the end of this post.
Before we continue, three more acronyms need to be highlighted which figure prominently in the definition:

PHI = Protected Health Information
HHS = Department of Health and Human Services
OCR = Office for Civil Rights

HIPAA’s regulatory standards were created to establish the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for Civil Rights (OCR) enforces compliance.
The OCR also provides ongoing guidance on developments affecting health care and is responsible for investigating HIPAA violations.
Decoding PHI
While HHS and OCR are self-explanatory, PHI requires further explanation.
Protected Health Information (PHI) is the combination of one’s identifying information (such as your name or address) and any health-related data collected from a healthcare practitioner or facility, such as your medical record, any conversations with providers, or billing/insurance information.
PHI is anything that contains both your Personally Identifiable Information (PII) and your health information.
For example, if we know that Sheldon Cooper is diagnosed with obsessive-compulsive disorder, that’s PHI. Why? Because it contains PII — Sheldon Cooper, and also health information — obsessive-compulsive disorder. Sheldon’s PHI would, therefore, be protected by HIPAA.
One more definition: ePHI, electronic protected health information, is when PHI is transmitted, stored, or accessed electronically. ePHI falls under the HIPAA Security Rule, a HIPAA regulation addendum which came into effect to address the rapid changes in medical technology and how health records are stored.
Why HIPAA is Important
There are countless reasons why HIPAA is important, but the key takeaways are these: it aims to ensure privacy and confidentiality; it allows patients access to their healthcare data; and also reduces fraudulent activity and improves data systems. It all boils down to data security.
For healthcare organizations, HIPAA provides a framework that safeguards who has access to and who can view specific health data while restricting with whom that information can be shared. Any organization dealing with PHI must also have physical, network, and process security measures in place to be compliant.
Even subcontractors and any other related business associates must be compliant.
HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information.
All healthcare entities and companies which handle, store, maintain, or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law.
By adhering to HIPAA laws, providers can save millions of dollars annually just by properly managing security risks.
David Harlow, an attorney and consultant specializing in healthcare data and digital health matters, states that HIPAA should be seen as the minimum standard regarding privacy and security standards and protections. “Simply complying with HIPAA is not enough,” he said. “There are more stringent state laws (which vary, state to state) and some industry best practices which are more protective of patient data.”
What are HIPAA Guidelines?
With HIPAA, there’s a lot of information to digest when it comes to the guidelines providers must follow to be compliant. What’s most important — and what we will be focusing on — is to clarify what HIPAA violations are, as well as to define what it means to be HIPAA compliant.
For specific guidelines, we recommend the official HIPAA site — a useful resource from the U.S. Department of Health & Human Services.
HIPAA Violations
A HIPAA violation occurs when there is a breach of an organization’s compliance program in which the integrity of PHI or ePHI is compromised.
It’s important to note that data breaches are not the same as HIPAA violations. A data breach can also be a HIPAA violation, but only when that breach is caused by a breakdown in the HIPAA compliance program or by a specific violation of an organization’s HIPAA policies.
For example, a data breach would be if a laptop belonging to one of an organization’s doctors is stolen and that laptop contains unencrypted access to medical records. If that organization did not have a policy which stated laptops couldn’t be taken offsite, then it would also be a HIPAA violation.
According to Harlow, publisher of HealthBlawg, enforcement of violations is likely more limited to cases in which there has been a data breach. In his definition, a data breach is when PHI is released to or obtained by a third party without the patient’s authorization, other than for purposes of treatment, payment or healthcare operations.
“We can learn from cases where the OCR has entered into settlement agreements with Covered Entities (practitioners) or Business Associates (third parties) that have experienced data breaches,” he said. “The settlement agreements are made public, together with case summaries. From my perspective, it is critical that the regulated community understand and appreciate that the weakest link is often the human link.”
One data breach we can all learn from is the Anthem Insurance Company hack, which relied on an unsuspecting employee clicking on a link in a phishing email.
“Staff must be trained and tested, and systems and failsafes must be put into place,” said Harlow. “Hundreds of millions of dollars of remediation costs, class action settlement payments and fines were paid out by Anthem as a result of that click.”
He advises that the government does not discriminate when enforcing the rules, as they will fine the small entities along with the large companies. Perhaps not in millions of dollars, but significant sums nonetheless.
To further break down the takeaways from healthcare security breaches, you’ll find some great lessons here from Josh Mayfield, Absolute’s Director of Security Strategy.
Finally, it’s critical to point out that if you’ve been breached, you need to report the breach in a timely manner. In 2017, OCR brought about its first HIPAA settlement for a violation of the Breach Notification Rule levying a $475,000 fine against Presence Health for failure to properly follow the rule.
Common HIPAA violations include:

Stolen smartphones, laptops or USB devices
Cyber hack or attack, including malware incidents and ransomware attacks
Business associate breach
Electronic health record (EHR) breach
Office break-in
Sending PHI to the wrong patient/contact
Discussing PHI outside of the office
Social media posts

HIPAA Compliance Requirements
This compliance list represents a baseline for processes that businesses should be following:

Remediation Plans
Policies, Procedures, Employee Training
Business Associate Management
Incident Management

While all of these are important, Harlow recommends focusing on the need to address the privacy and security of PHI holistically, through continuous review and improvement of systems, policies and procedures, training and implementation.
“This is not a ‘set it and forget it’ sort of compliance exercise,” he said. “I would also emphasize that the HIPAA rules are written as flexible standards that are to be implemented based on the size and nature of the covered entity or business associate.” For instance, Amazon’s compliance program for its HIPAA-compliant cloud services will not be the same as the compliance program implemented by a multi-specialty physician practice.
At the end of the day, complying with HIPAA regulations may seem tedious, but in today’s threat landscape we all need to practice proper security hygiene anyway to protect ourselves.
The ramifications of not doing so are too severe to ignore.
We’ve covered plenty of ground, but to learn even more about achieving HIPAA compliance and how Absolute can help your business, download our white paper here.

HIPAA Compliance Checklist for 2019

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
Anthem, one of the nation’s largest health benefits companies, paid a record $16 million in 2018 for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The below 7 areas have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically log out a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties.