Governments and professional organizations around the world are creating regulatory guidelines to help prevent data breaches and misuse of consumer data. Among the most widely encountered are HIPAA, SOC 2, CCPA, and GDPR (SOC 2 is an audit framework rather than a law, but customers routinely require it).
In this article, you will learn about the security basics that you need to follow to remain compliant. You’ll also learn about the penalties of failing to comply and how ETL tools like Xplenty can help you improve your data security to avoid non-compliance.
Compliance Rules and Guidelines
Stopping 2020 data security threats requires robust security that prevents enterprise-level ransomware attacks, supply chain cyberattacks, and crypto-jacking of cloud database servers. The danger of general data breaches also remains. New stories about data breaches seem to pop up at least once a week. As recently as March 2020, Marriott confirmed that a data breach had exposed the information of about 5.2 million guests. An earlier Marriott breach, disclosed in 2018, had exposed roughly five million unencrypted passport numbers and more than eight million payment card numbers.
Learning the compliance rules and guidelines that apply to your industry will lower your risk profile, protect your customers, and avoid the penalties of not being compliant.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) includes privacy and security rules designed to protect the personal information of medical patients. If you're a healthcare provider, a health plan, or a business associate (any vendor that handles protected health information on behalf of a covered entity, including ETL and analytics providers), you must implement administrative, physical, and technical safeguards that protect that data.
Administrative safeguards include:
- Vetting security personnel
- Controlling the levels of access employees have to patient data
- Conducting periodic assessments that can uncover privacy vulnerabilities
Physical safeguards instruct healthcare organizations to limit physical access to areas where patient information gets stored. They also require healthcare groups to create and follow policies related to workstations and mobile devices. For example, a company might set geographic boundaries that stop mobile devices outside of the facility from accessing records.
While HIPAA tells healthcare organizations that they cannot share protected health information (PHI) without a patient’s consent, meeting the guidelines requires much more than simply refusing to share PHI. It also means that companies need technical safeguards that make it very difficult for someone to steal PHI, including the Security Rule's transmission-security and encryption requirements.
For example, end-to-end encryption keeps information unreadable while it is transferred from a database to its destination, including at every intermediate hop. Xplenty addresses this with field-level encryption: the sensitive fields of a record are encrypted before the data enters an Xplenty pipeline and are not decrypted until they reach the intended destination, such as another healthcare provider’s database or an analytics tool that helps medical researchers discover health trends that can lead to improved diagnostics and patient outcomes.
Because only the source and the destination hold the key, not even Xplenty’s admins can see the PHI as it moves from one point to another. Using Xplenty as an ETL solution covers this part of the technical safeguards; it does not by itself make an organization HIPAA compliant, which still requires a business associate agreement (BAA) with the vendor, the administrative and physical safeguards above, and access controls and audit logging around the source and destination systems where the data is in the clear.
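The pattern described above, as an added example that is not Xplenty's code: the sensitive columns of a record are encrypted at the source with AES-256-GCM, the pipeline transforms only the plaintext columns and never holds the key, and the destination decrypts. The column names, the two PHI columns, the sample patient row, and the choice of AES-GCM with the column name bound in as associated data are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Record is a constructed stand-in for one row flowing through an ETL pipeline.
type Record map[string]string

// phiFields lists the columns the pipeline must never be able to read.
// Everything else stays plaintext so routing, joins and aggregates still work.
var phiFields = []string{"ssn", "diagnosis"}

// fieldCipher does field-level encryption with AES-256-GCM. The key exists only
// at the source and the destination; the pipeline never receives it.
type fieldCipher struct{ aead cipher.AEAD }

func newFieldCipher(key []byte) (*fieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fieldCipher{aead: aead}, nil
}

// encryptField returns "enc:" + base64(nonce || ciphertext || tag). The column
// name is authenticated as associated data, so an encrypted SSN cannot be moved
// into the diagnosis column (or vice versa) without failing authentication.
func (c *fieldCipher) encryptField(column, value string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(value), []byte(column))
	return "enc:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField fails on a wrong key, a swapped column, or any tampering.
func (c *fieldCipher) decryptField(column, blob string) (string, error) {
	if !strings.HasPrefix(blob, "enc:") {
		return "", errors.New("value is not an encrypted field")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(blob, "enc:"))
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", column, err)
	}
	return string(pt), nil
}

func clone(r Record) Record {
	out := make(Record, len(r))
	for k, v := range r {
		out[k] = v
	}
	return out
}

// mapPHI applies fn to each PHI column present in the record, leaving the rest untouched.
func mapPHI(r Record, fn func(col, v string) (string, error)) (Record, error) {
	out := clone(r)
	for _, col := range phiFields {
		if v, ok := out[col]; ok {
			nv, err := fn(col, v)
			if err != nil {
				return nil, err
			}
			out[col] = nv
		}
	}
	return out, nil
}

// protect runs at the source before the row enters the pipeline; reveal runs at the destination.
func protect(c *fieldCipher, r Record) (Record, error) { return mapPHI(r, c.encryptField) }
func reveal(c *fieldCipher, r Record) (Record, error)  { return mapPHI(r, c.decryptField) }

// pipelineTransform is what an intermediary can do with no key at all: it derives
// an age band from the plaintext age column and passes the PHI blobs through opaque.
func pipelineTransform(r Record) Record {
	out := clone(r)
	if age, err := strconv.Atoi(r["age"]); err == nil {
		lo := age / 10 * 10
		out["age_band"] = fmt.Sprintf("%d-%d", lo, lo+9)
	}
	return out
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := newFieldCipher(key)
	// Constructed sample row; the values are not real patient data.
	row := Record{"patient_id": "p-1001", "age": "41", "ssn": "123-45-6789", "diagnosis": "J45.20"}
	protected, _ := protect(c, row)
	fmt.Println("in pipeline:", protected) // ssn and diagnosis are opaque enc:... blobs
	landed, _ := reveal(c, pipelineTransform(protected))
	fmt.Println("at destination:", landed)
	_, err := c.decryptField("diagnosis", protected["ssn"])
	fmt.Println("column swap rejected:", err != nil)
}
```

The point a practitioner should take from this is the key boundary: the intermediary can still compute on non-PHI columns, but nothing it logs, caches, or leaks contains PHI in the clear, and the associated data stops a ciphertext from being silently re-labelled as a different field.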
SOC 2
SOC 2 is an attestation framework established by the American Institute of CPAs (AICPA) under which an independent auditor reports on a service organization's controls. It applies to data centers, SaaS providers, data analytics providers, and other vendors that store or process customer data, and financial institutions and CPA firms routinely require it of their vendors.
A SOC 2 report covers one or more of the five Trust Services Criteria:
- Security: controls that prevent unauthorized access to systems and information
- Availability: the service is operational and usable as committed
- Processing integrity: processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected, including between service providers and clients
- Privacy: how the organization collects, retains, uses, discloses, and disposes of personal information
Every SOC 2 report must cover the Security criteria. The other four are included only when the organization opts in, so check which criteria a vendor's report actually covers. Also check the report type: a Type I report describes controls at a point in time, while a Type II report tests whether they operated effectively over a review period (typically six to twelve months), which is the one to ask a vendor for.
Xplenty adheres to SOC 2 standards so financial institutions and CPAs can transfer, transform, and load data without exposing personal information to third parties.
CCPA and GDPR
The California Consumer Privacy Act (CCPA) is an evolving set of rules that gives California consumers more control over their personal information. The rights established by CCPA include:
- The right to opt out of the sale of their personal information, which is why covered websites and apps must carry a “Do Not Sell My Personal Information” link
- The right to have a business delete the personal information it has collected about them
- The right not to be discriminated against (for example, through different prices or service levels) for exercising their CCPA rights
- The right to know what personal information a business collects and how it will be used and shared
A similar piece of legislation is the European Union's General Data Protection Regulation (GDPR), which was adopted in 2016 and has applied since May 2018. GDPR aims to give people in the EU more control over their data, but it takes a slightly different approach than CCPA. Some of GDPR’s key points include:
- Mandatory breach notification to the supervisory authority within 72 hours of becoming aware of a breach, and to the affected individuals when the breach is likely to put them at high risk
- Requiring organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data to appoint a data protection officer (DPO) responsible for overseeing compliance
- Keeping detailed records of processing activities
- Requiring consent, where it is the legal basis for processing, to be freely given, specific, informed, and unambiguous, and as easy to withdraw as it was to give
Xplenty helps organizations comply with CCPA and GDPR by encrypting personal data, following strict data security standards, and letting admins assign role-based permissions so that only authorized users can access sensitive data. When a customer asks you to delete their information, you can use Xplenty to find and remove it efficiently. Plus, Xplenty doesn’t force you to learn a lot of security features: it offers a no-code and low-code environment that lets you protect data and comply with CCPA/GDPR without writing code.
What Happens When You Fail to Comply?
Failing to comply with security regulations usually means that you have to pay fines, improve your standards, or get sued by affected parties. The penalties often differ depending on whether you knew that you were out of compliance and whether you broke guidelines knowingly.
Non-compliance also puts you at a higher risk of data breaches, which can tarnish your brand’s reputation. When data breaches occur, stock prices fall and customers leave. Some research suggests that companies can lose a quarter of their market share after a successful cyberattack. Customers don’t want to do business with the company because they worry that they will become targets of identity theft. If they think that you knowingly put their information at risk, it's even worse.
HIPAA lists clear penalties for civil violations, which are handled by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). HIPAA also establishes a framework for penalizing criminal behavior; however, the enforcement of those penalties is left to the Department of Justice (DOJ).
Civil Violation Penalties
OCR usually gives you an opportunity to correct the problem through voluntary compliance or a corrective action plan. Organizations that do not fix their problems face financial penalties for civil violations, tiered by culpability (the figures below are the per-tier annual caps HHS has applied since 2019; the amounts are adjusted for inflation each year):
- Violations the organization did not know about, and could not reasonably have known about: $100 to $50,000 per violation, with a $25,000 annual cap for identical violations.
- Violations due to reasonable cause rather than willful neglect: $1,000 to $50,000 per violation, with a $100,000 annual cap.
- Willful neglect that is corrected within 30 days: $10,000 to $50,000 per violation, with a $250,000 annual cap.
- Willful neglect that is not corrected: at least $50,000 per violation, with an annual cap of $1.5 million.
Criminal Violation Penalties
Criminal violations of HIPAA can also lead to financial penalties and imprisonment. Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA carries fines of up to $50,000 and up to one year in prison.
Violations committed under false pretenses, such as impersonating someone entitled to the records in order to obtain PHI, carry maximum penalties of $100,000 and up to five years in prison.
The most severe penalties are reserved for those who break HIPAA laws with intent to sell the information, to gain commercial advantage, or to cause malicious harm. If you intentionally violate the law and plan to profit from the action, you can be fined $250,000 and imprisoned for up to 10 years.
While failing to conform to SOC 2 guidelines doesn’t lead to any official penalties, a SOC 2 audit can reveal control gaps (reported as exceptions) that CPAs, financial institutions, and their vendors need to address. If an audit uncovers such a gap, then you have a higher risk of data breaches that can tarnish your reputation, and prospective customers who read the report may decline to do business with you.
SOC 2 compliance can also help you avoid data breaches that can lead to legal fines, lawsuits, and settlements. For example, data breaches against Yahoo! Inc. between 2012 and 2016 resulted in a class-action settlement that cost the company $117.5 million.
Companies that adjust their technology and customer services to comply with CCPA can avoid fines. If you fail to cure a violation within 30 days of being notified by the Attorney General, you face civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
To make matters worse, CCPA gives consumers a private right of action when a data breach results from your failure to implement reasonable security. Consumers can seek statutory damages of $100 to $750 per consumer per incident, or their actual damages, whichever is greater. Imagine the total expenses when 100,000 Californians sue your business and you also have to pay the state’s civil penalties. You could end up losing millions.
GDPR has two fining tiers. Which tier applies depends on which obligations you fail to meet.
The first tier is up to €10 million or 2% of the company's annual global turnover (whichever is higher). This tier applies to failures of the general obligations placed on controllers and processors, such as:
- Not meeting the conditions for children’s consent
- Not applying data protection by design and by default, or not keeping records of processing
- Not reporting breaches, not carrying out required impact assessments, or not appointing a DPO when one is required
- Failures by certification and monitoring bodies to meet their obligations
The second tier is up to €20 million or 4% of the company’s annual global turnover (whichever is higher). The higher tier applies to companies that:
- Violate the basic principles for processing, including the conditions for valid consent
- Fail to honor data subjects’ rights to access, correct, delete, or object to the processing of their data
- Transfer personal data to a country outside the EU without the required safeguards
- Ignore an order or a processing limitation issued by a supervisory authority
Like CCPA, GDPR gives individuals the right to sue you for damages, both material and non-material.
How to Comply With Your Industry’s Regulations
Xplenty sets security as a top priority. You can see the commitment to exceptional security standards in the platform’s features. Xplenty security includes:
- SSL/TLS encryption on all websites and microservices
- Field-level encryption that protects your data as it moves through pipelines
- Firewalls that block unauthorized access to information, apps, and networks
- Physical security achieved by hosting on infrastructure managed by Amazon data centers
Xplenty states that these precautions make the platform compliant with:
- SOC 2
- Good Practice Guide 13 (GPG13)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act of 2002 (FISMA)
- Sarbanes-Oxley Act (SOX)
Data security will become increasingly important as more states, countries, and professional organizations start enforcing stricter rules. Even without government or professional oversight, it makes sense for companies to choose platforms that take security seriously. Whatever platform you choose, ask for the current SOC 2 Type II report or attestation of compliance rather than relying on a marketing claim, and remember that a vendor’s compliance covers the vendor’s controls: your own configuration, access policies, and agreements (such as a HIPAA BAA) remain your responsibility.
Xplenty will make it easier for you to comply with regulations, help protect your brand’s reputation, and keep your customers’ personal information safe from criminals. Schedule a demo so you can see the platform’s security features in action.