The margin for error in business is razor-thin when it comes to compliance and data security. Especially in light of the many compliance systems — FINRA, HIPAA, PCI-DSS, CMMC, and more — it's more important than ever that you confidently manage your compliance practices.


The fact is that as technology changes, so do the regulations that govern it. Whether you have to stay compliant with PCI, HIPAA, or another set of strict regulations, you need the right technology and support to keep up with changing regulations.


CyberUnlocked can help.


We’re often asked how we meet our cybersecurity and data privacy compliance obligations. While some customers see compliance and regulation as a burden to the business, the fact is that meeting local compliance regulations is a good way to kill two birds with one stone – you both reduce your organisation’s cybersecurity risks and avoid the hefty fines and charges that result from non-compliance.


What Are The Compliance Obligations That I Need To Meet?


The compliance systems you’re subject to will depend on the country (and even state) in which you operate, as well as which industry you’re a part of. 


Compliance In Australia


For businesses in Australia, the potential reputational and financial risks associated with cybersecurity and data breach incidents are very real. Regulators closely monitor data protection and privacy law compliance on a global basis, as do tech-savvy customers. 


That’s why cybersecurity is no longer just an IT issue — it must be proactively managed by organisations and their boards across all aspects of a business’ operations. It involves all parts of a business: people, processes and technology. 


In February 2018 the mandatory data breach notification regime was introduced in Australia as part of the Privacy Act 1988 (Cth), making businesses publicly accountable for “eligible data breaches” where the access, disclosure, or loss of data is likely to result in “serious harm” to the relevant individuals.


In Australia, while there is no specific cybersecurity compliance that must be met, the government’s cybersecurity experts have identified eight fundamental mitigation strategies designed to help limit an organisation’s exposure to the vast majority of cyber threats, known as “The Essential Eight.”


The Essential Eight Maturity Model is a set of prioritised mitigation strategies developed by the Australian Cyber Security Centre to assist businesses in addressing and eliminating cybersecurity vulnerabilities. These strategies are drawn from the Strategies to Mitigate Cyber Security Incidents, the main ones being the Essential Eight.


In a nutshell, it’s a rather simple rubric that you can follow to make sure that all your bases are covered when it comes to cybersecurity. In addition to listing the technical aspects of cybersecurity that you should address and verify, it also provides a system by which to rate your adherence to it.


Maturity levels are meant to help businesses track how well they are following the Essential Eight Maturity Model, and they are clearly defined for each of the eight strategies. The maturity level definitions are as follows:


  1. Maturity Level One: Partly aligned with the intent of the mitigation strategy.
  2. Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.
  3. Maturity Level Three: Fully aligned with the intent of the mitigation strategy.


The eight strategies included in this rubric are a subset of the Australian Cyber Security Centre’s 37 Strategies to Mitigate Cyber Security Incidents and form a strong baseline of protection.


As a Network Partner of the Australian Cyber Security Centre, CyberUnlocked has the expertise and know-how to get organisations to meet the ACSC’s mitigation strategies. All our cybersecurity packages are designed to meet the Essential Eight mitigation strategies.


Compliance In The United States


In the US, compliance is much more complicated. There is no single overarching regulation, so it depends on where you operate, and in what field. 


Industry-Specific Compliance


  • Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 and amended by the HITECH Act in 2013. It applies to the operations of members and vendors in the healthcare industry, in order to maintain the security of Protected Health Information (PHI). HIPAA becomes more complicated because it changes on a state-by-state basis. That means that you have specific breach notification regulations, depending on which state you operate in.
  • Financial Services: The Gramm-Leach-Bliley Act (GLBA) of 1999 was an attempt to update and modernise the financial industry. It was brought into effect during the Obama administration. GLBA requires financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to "opt-out" if they do not want their sensitive information shared.
  • Defence Contractors: Introduced in November 2020, the Cybersecurity Maturity Model Certification (CMMC) is the DoD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain. CMMC builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, NIST SP 800-171). The DoD has implemented a basic set of cybersecurity controls through DoD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by NIST in Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations". U.S. DoD contractors or their subcontractors who collect, store, or transmit Covered Defense Information (CDI) or CUI must comply with NIST SP 800-171 and DFARS clause 252.204-7012.


General Business & Other Compliance Systems

  • Data Privacy In Business: The Federal Trade Commission Act (FTCA) of 1914 is one of the oldest pieces of legislation in the country. It is primarily concerned with ensuring businesses do not misrepresent their privacy and data security. The FTC wields very broad power and oversees business across the country. For an example of how serious FTCA issues can be, consider that, in 2019, Facebook paid $5 billion to the FTC for failing to achieve an acceptable level of accountability and transparency.
  • Education: The Family Educational Rights and Privacy Act (FERPA) of 1974 regulates the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
  • Children’s Privacy: The Children's Online Privacy Protection Act (COPPA) of 1998 imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
  • Financial Transactions: The Payment Card Industry Data Security Standard (PCI-DSS) applies to your business if you handle cardholder information for debit, credit, ATM, e-purse, POS, and prepaid cards. PCI requires card issuers and holders to retain an audit trail history for a time period that’s consistent with its effective use and legal regulations. It’s necessary to undergo PCI compliance auditing to ensure your customers' data is protected during credit or debit card transactions. If your business is non-compliant, banks and credit card institutions can impose fines anywhere from $5,000 to $500,000. Bank fines are based on the research they perform to remediate your non-compliance. Credit card institutions impose fines as a punishment for non-compliance, and they may enforce a timeline of increasing fines.
  • Security Standards: Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST provides invaluable guidelines for maintaining adequate cybersecurity standards. While NIST regulations were once used to oversee the DoD contracting sector, they have recently been replaced with CMMC. However, NIST cybersecurity standards remain a reference for many businesses in a range of industries. In addition to other resources, NIST's Cybersecurity Framework consists of standards and practices to promote the protection of critical IT infrastructure.


State Specific Compliance Systems


  • California: The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. This privacy act dictates consumer rights and company responsibilities in relation to collected consumer data. The law, AB 375, allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. The law also allows consumers to sue companies if the privacy guidelines are violated. It’s important to note that consumers can take legal action, even if no breach has occurred.
  • Illinois: The Biometric Information Privacy Act (BIPA), enacted on October 3, 2008, guards against the unlawful collection and storing of biometric information. Noncompliance fines can be steep — Facebook settled for $650 million as a result of alleged violations of BIPA.
  • New York: In effect since March 21, 2020, the New York SHIELD Act is designed to make sure that organisations do their due diligence to protect the private data they access that belongs to residents of New York state. This means implementing a range of cybersecurity safeguards, and, in the event of a failure, facing severe non-compliance fines.


Privacy & Compliance Trends Around The World


  • GDPR: The General Data Protection Regulation (GDPR) is an internet privacy law that affects all internet business worldwide. All businesses, small or large, and even entrepreneurs who do business on the Internet with consumers located in the European Union need to be aware of how the law affects them. It doesn't matter if your company is inside the EU, or anywhere else in the world. If you do business with anyone in the countries covered by GDPR, you must comply with it.
  • Privacy As A Right: As the world has become more and more digitised, countries around the world have begun to see digital information privacy as a basic human right. Personally identifiable information (PII) — any data that could potentially identify a specific individual — is gaining protection via similar laws and legislation in virtually all developed countries worldwide.
  • Compliance In The Workplace: As compliance has become an expected part of business processes, related roles in the workplace have become more common. You can expect to see “Data Protection Officer” positions become a regular part of the business world as data compliance regulations continue to evolve.
  • Compliance As Competition: Maintaining compliance and security isn’t just a matter of avoiding fines and consequences — doing so actually adds value to an organisation as well. As consumers become more knowledgeable about the importance of their data privacy, they will seek out companies that have better track records in terms of data security and compliance.

The Rising Stakes Of Noncompliance


As the worldwide data privacy culture develops, penalties for noncompliance are becoming more severe:

  • In Singapore and Brazil, monetary fines are scaled according to the infringer’s revenue.
  • In Switzerland and South Africa, those held responsible for data breaches can face criminal sanctions, in addition to conventional fines and consequences. 


The Future Of Cybersecurity & Compliance


As both technology and data privacy compliance systems evolve, it’s important to look ahead and consider what steps you will need to take to keep up:

  • Data Inventory Management: You have to make sure you know where data is stored, where it is accessed from, and who has access to it. Each and every part of this chain could trigger legal obligations. Take inventory of your servers, data centres, vendors, and staff members based on their permissions and access levels. This reduces the data that can be stolen in a breach.
  • Data Centralisation: Data kept separately in different departments can be difficult to manage while maintaining compliance. It’s smarter to centralise your data, eliminate redundancies, and reduce your storage requirements (and associated costs).

Common Compliance Mistakes You Need To Avoid


  • Don’t Over-promise: It can be easy to over-promise when developing your privacy notice. If you say you’ll comply with every single system, then you have to. Failure to comply with a given system that you promised you would leaves you open to an audit by the FTC.
  • Avoid Inconsistency: Don’t make the mistake of constantly changing the way you assess and manage your cybersecurity. A given organisation may start with daily penetration tests, then move to vulnerability scanning, and so on. While this may be effective, it doesn’t look good to regulators. They want to see systematic improvements with processes and practices that are consistent across the entire organisation.
  • Maintain Detailed Documentation: As mentioned above, be careful about what you include in your privacy notice. Anything you do include needs to be documented and demonstrated in your organisation so that you can provide it for regulators when requested.
  • “Check-Box” Compliance: Many organisations make the mistake of thinking compliance can be simplified into a basic checklist. They perform a risk assessment, focus on any identified areas, and then assume they are compliant. It’s wiser to approach compliance from a “zero-trust” mindset — assume nothing is compliant until it can be confirmed otherwise. This comprehensive model for compliance management will yield much better results.
  • Overlooking Your Supply Chain: Don’t forget about your supply chain — all your vendors and business associates that access your client data are subject to the same compliance systems that you are. For example, Business Associate Agreements (BAAs) are an important part of HIPAA compliance for your practice. These contracts should clearly outline a Business Associate's responsibilities regarding your PHI and can pose a serious liability risk if the BAA isn't negotiated effectively. Any outside entity or individual that is charged with receiving, maintaining, creating, or transmitting PHI is considered a Business Associate and needs to have a BAA of their own in place with your practice. 


Why Should You Partner With CyberUnlocked For Compliance And Cybersecurity Support?


The CyberUnlocked team offers expertise in industry regulations in Australia, New Zealand, the United States and Europe.


As your security risk assessment partner, we'll assist in your compliance efforts with industry regulations like HIPAA, CMMC, PCI DSS, GDPR, and more. We will help you avoid hefty fines and charges due to non-compliance.

Our comprehensive compliance reporting program involves reviewing your internal and external IT infrastructure to detect potential risks and creating a summary of the findings, followed by the development of a mitigation strategy.


We take a holistic view of your IT, digital and cloud assets across the company. Our Cybersecurity Assessment service looks at all your assets, providing you with much-needed visibility into the state of your security and compliance.


How Do Our Compliance Support Services Work?


As your partner in compliance, we work with you not only to develop a plan of action but also to implement it. We follow a risk-based approach to compliance management, with service features including:


  • We provide multi-stakeholder improvement and training to ensure everyone involved understands how to maintain compliance in their work.
  • We help you develop, update and implement consistent cybersecurity policies.
  • We help you write your privacy notices, ensuring you do not overextend your organisation, as well as that you follow through on your commitments.
  • We ensure all levels of your hierarchy understand compliance, from the receptionist to the C-Suite.
  • We implement a reasonably flexible third-party risk-management program, which includes your supply chain and vendors. 


With our help, you’ll develop and follow a robust Incident Response Plan:


  • We ensure external firms (legal, forensic cybersecurity, and more) are available when you need them.
  • We help you document the incident for future reference.
  • We help you determine to what extent you are required to disclose a breach.


CyberUnlocked Will Help You Manage Your Compliance


As you can see, failing to manage compliance is damaging and expensive. That’s why you shouldn’t bother trying to oversee your compliance personally. You’re too important in your actual role in your business to split focus and risk overlooking something.


Let CyberUnlocked take care of it for you. Don’t put your compliance at risk — CyberUnlocked’s team of compliance experts are available to manage it for you.
