Information Technology and Ethics/Why compliance management?

Compliance Management
Compliance management is the process by which a company makes sure it follows the regulations that apply to its industry, i.e., the correct set of rules that ensure data is properly protected. Proper compliance management matters because companies today have access to large pools of data, which makes following the relevant regulations essential; companies therefore spend heavily on lawyers and similar specialists to confirm that they are compliant. Some common compliance regimes are CCPA, FERPA, CMMC, etc. If a company does not follow the regulations that apply to its sector, it may be subject to large fines, such as:
 * 1) The penalty for non-compliance with HIPAA can range from $100 to $50,000 per individual violation.
 * 2) The penalty for non-compliance with PCI DSS ranges from $5,000 to $10,000 per month until compliance is achieved.
 * 3) The GDPR has a maximum penalty of €20 million or 4% of annual turnover, whichever is higher.

If the company still does not comply, the fines tend to multiply. The types of data subject to cyber security compliance include:
 * 1) PII data: date of birth, first/last name, address, Social Security number, mother's maiden name, etc.
 * 2) Financial information: credit card numbers, expiration date, CVV, bank account details, PINs, credit history, account summary, etc.
 * 3) PHI data: medical history, insurance records, appointment history, prescription records, hospital admission records, etc.

Other types of information include race, religion, marital status, biometric data, email address, username, passwords, etc. A capable compliance team protects the company from data breaches, protects its reputation, shields it from fines, maintains customer trust, etc. According to the compliance management lifecycle, the pillars of compliance are:
 * 1) Attack surface monitoring: looking for vulnerabilities or bugs in the system that might open back doors.
 * 2) Risk prioritization: once the vulnerabilities are known, they should be prioritized on the basis of the impact they might have on the data.
 * 3) Remediate risk: once prioritization is complete, immediate steps should be taken to fix the issue or minimize its effect.
 * 4) Report compliance efforts: documenting the steps taken to minimize or fix the issue so that senior management and auditors are kept in the loop.

In 2012, a software attack on the Anchorage Community Mental Health Services (ACMHS) database exposed the protected health information (PHI) of 2,743 individuals. The breach occurred because ACMHS had not applied required security updates and patches, leaving its systems vulnerable. An investigation by the U.S. Department of Health and Human Services (HHS) found that ACMHS had neglected to implement adequate security measures and perform regular updates, in violation of the HIPAA Security Rule.

ACMHS was fined $150,000 and had to adopt a corrective action plan. As part of this plan, a full risk assessment was conducted and a risk management strategy created to prevent future leaks. The incident shows how important it is to follow strict security rules and the serious consequences of not complying with HIPAA.

GDPR
The General Data Protection Regulation (GDPR) is a comprehensive privacy and security law. It was drafted by the European Union and took effect on May 25, 2018. It aims to protect the data of EU citizens by imposing obligations on organizations anywhere in the world that collect the data of EU citizens; violating the GDPR can lead to fines of up to 20 million euros. The regulation governs data protection and aims to enhance data privacy and strengthen data security, relying on principles such as confidentiality, accountability, and lawfulness. GDPR applies to businesses that handle the personal data of EU citizens, and a range of measures is required. The first is performing Data Protection Impact Assessments (DPIAs). The next is designating Data Protection Officers (DPOs) to monitor compliance; organizational and technical precautions are integrated, under the DPO's oversight, to guarantee the security and privacy of personal data. Organizations must acquire consent before any data processing: obtaining individuals' explicit consent before gathering and processing their personal data is one of the key principles of the GDPR. Any company that operates within the EU or EEA, and any business that processes the personal data of individuals within the EU or tracks the behavior of an individual within the EU, is bound by the GDPR. Organizations must also provide comprehensive privacy notices and make it possible for individuals to exercise their personal data rights, including the right to access, modify, or delete their data. Penalties for non-compliance with the GDPR may include fines of up to €20 million or 4% of global annual turnover, whichever is larger.

According to the NYTimes, Google was fined 50 million euros for not properly disclosing to users how data is collected across its services, such as Google Search, Maps and YouTube. This penalty is considered one of the largest under the EU privacy law, i.e., GDPR. There are GDPR compliance checklists that must be followed by every US company dealing with European citizens' data:
 * Conduct an information audit for EU personal data.
 * Inform customers about the reason behind the processing of their data.
 * Assess the data processing activities and improve the protection.
 * Data controllers should make sure that they have a data processing agreement with their vendors.
 * A designated data protection officer should be appointed, especially by larger organizations.
 * Non-EU organizations are required to appoint a representative based in one of the EU member states.
 * Duties in the event of a data breach should be known in advance.
 * Organizations should comply with cross-border transfer laws.

Top GDPR fines to date:

 * Meta

Meta was fined a total of 405 million euros for violating children's privacy through the publication of email addresses and phone numbers.


 * Clearview AI Inc.

A fine of 20 million euros was imposed on Clearview AI, an American AI company, for collecting selfies and using them to expand its database of approximately 10 billion faces. The company then sold its identity verification services to various industries, including law enforcement.


 * Google

Google was fined 10 million euros by the AEPD, Spain's data protection agency, after the search engine giant was found to be passing the personal data of EU citizens who were requesting erasure of their data to the Lumen Project. The AEPD also found that the content removal form Google provided to data subjects for exercising their right to be forgotten was confusing.


 * Rewe

Rewe, a supermarket chain, was fined 8 million euros for breaching the GDPR in 2022.


COPPA

COPPA is an acronym for the Children's Online Privacy Protection Act. It was enacted in 1998. This act focuses on protecting the personal information of kids who are 12 years old and younger. The personal information in question includes, but is not limited to, the name of the child, the address of the home the child lives in, images of the child, phone number, and more. COPPA protects this information in a variety of ways. One way is by requiring a parent or guardian to consent to the collection of their children's information. This ensures that parents and guardians are aware of what a company is collecting about their child. It is worth mentioning that teachers and schools can be a substitute for the parent's or guardian's consent if "the tool is used for an educational purpose." Another way COPPA does this is by requiring companies to "have a 'clear and comprehensive' privacy policy." With a "clear and comprehensive" privacy policy, parents and guardians will have a strong understanding not only of what information the company is collecting, but also of how it could affect them. Additionally, COPPA requires all companies that collect personal information about a child to keep this information confidential and secure. Like any personal information, it can be used to identify someone and be used for malicious purposes. Keeping a child's information confidential and secure ensures that a threat actor does not gain access to it, thus protecting the child from unauthorized third parties.

Recent COPPA Violations

 * Microsoft

One company that has violated COPPA recently is Microsoft. This case was between the United States Government and Microsoft. Microsoft violated the act by using its Xbox gaming system to collect "personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents' consent, and by illegally retaining children's personal information." The case was closed with a settlement between Microsoft and the Federal Trade Commission (FTC) in which Microsoft paid twenty million USD to the FTC.

 * Epic Games

Another company that recently violated COPPA is Epic Games, which was found to have violated COPPA in 2022. This violation concerned one of Epic Games' products, Fortnite, a free-to-play video game. The game contains various in-game purchases, such as cosmetic items and in-game currency, that a user can buy with money. The FTC stated that Epic was in violation of COPPA for several reasons. The first was that they failed "to notify parents, [in order to] obtain, [the parents'] consent." Because Epic Games did not obtain parental consent, it was able to collect children's information, and when a parent wanted the collected information deleted from Epic's systems, they had "to jump through unreasonable hoops, and sometimes failed to honor such requests." Another violation the FTC cited is that Epic Games had default settings that could harm children. This referred to "text and voice communications for users." Epic had these settings enabled by default, so users who did not change them were forced to communicate with strangers they played with online. As a result, kids faced consequences such as threats and harassment from strangers online. On top of this, the FTC also stated that Epic Games "used dark patterns to trick users into making unwanted purchases," and allowed kids to make various unauthorized purchases without parental consent. These dark patterns refer to the various methods Epic Games used to get anyone to make an unintentional in-game purchase. Additionally, anyone "who disputed wrongful charges with their credit card companies" would lose access not only to the purchased content but also to any authorized purchases and their account.
The case ended with a settlement in which Epic Games not only had to pay 245 million USD to the FTC but also had to give those affected by the violations an opportunity to receive a refund for their purchases.


CCPA

The California Consumer Privacy Act (CCPA) was enacted in 2018. This act gives consumers more authority over the personal data that businesses collect about them, and the CCPA regulations offer instructions on how to put the law into effect. Officially, the policy includes the "right to know about the personal information a business collects about them, and how it is used and shared." Additionally, it includes the "right to delete personal information collected from them, the right to opt-out of the sale or sharing of their personal information," and lastly "the right to non-discrimination for exercising their CCPA rights". It is also important to note that there are some exceptions to the "right to delete" portion of the act: for instance, if a business has legal obligations to retain sensitive data, this portion may not apply. On January 1, 2023, the CCPA was amended to include further privacy protections, namely the right to rectify incorrect personal information and the right to restrict the use and disclosure of sensitive personal data.
HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. This act establishes nationwide standards to protect an individual's medical and personal health information. The entities covered under HIPAA include, but are not limited to, healthcare providers, health plans, clearinghouses, and their business associates. A business associate is an organization that performs functions involving the disclosure of protected health information (PHI).

As part of HIPAA compliance there are different sections, such as the breach notification rule and the security and privacy rules, which companies need to follow in order to give patients access to their data. According to the HIPAA guidelines, companies have about 45 days to process a request from the day the patient submits it. The request can concern either data access or data deletion and applies to both existing and new patients of a health system. If the 45 days pass and the request has not been processed, the company is held liable and can be sued. HIPAA also gives a clear distinction of what data is classified as PHI or unsecured PHI. It further addresses how that data can be stored electronically and used by healthcare IT companies, and outlines the applicable rules, extending beyond the traditional healthcare sector that was limited to offline records. Healthcare organizations must therefore take the necessary steps to adhere to HIPAA rules, including frequent risk assessments, the implementation of suitable security controls, employee training on HIPAA policies and procedures, and timely response to any PHI breaches.

The following are some of the key requirements for HIPAA Compliance:


 * 1) Privacy Rule: The HIPAA Privacy Rule establishes federal requirements for safeguarding the privacy of people's health information, including the requirement that covered entities obtain patients' written consent before disclosing their data.
 * 2) Security Rule: According to the HIPAA Security Rule, covered organizations must put in place administrative, physical, and technical measures to protect the availability, confidentiality, and integrity of electronic protected health information (ePHI).
 * 3) Breach Notification Rule: The HIPAA Breach Notification Rule mandates that, in the event of an unprotected ePHI breach, covered entities notify impacted people, the Secretary of Health and Human Services, and, in some circumstances, the media.
 * 4) Enforcement Rule: Procedures for investigations, hearings, and the enforcement of civil monetary penalties for HIPAA rule infractions are established under the HIPAA Enforcement Rule.
 * 5) Omnibus Rule: The HIPAA Omnibus Rule significantly altered the HIPAA rules, extending liability to business associates of covered entities, stiffening fines for non-compliance, and enhancing people's access rights to their health information.


SOC 2 Compliance

As organizations continue to rely on technology to run their operations, the need for robust security measures becomes paramount. SOC 2 compliance has become one of the most important criteria by which service providers and vendors show that they have controls in place to protect their customers' data. Below we take a closer look at the five Trust Service Principles of SOC 2 and the benefits of achieving compliance.

 * Security: This principle focuses on protecting data from unauthorized access, disclosure, and destruction. Controls based on this principle include access control, encryption, and auditing of security events.
 * Availability: This principle focuses on ensuring that the system can be operated and used as agreed with the customer. Controls based on this principle include plans for redundancy, backup, and disaster recovery.
 * Processing integrity: This principle focuses on ensuring that system processing is complete, accurate, timely and authorized. Controls based on this principle include input validation, data reconciliation, and error handling.
 * Confidentiality: This principle focuses on ensuring that sensitive data is protected from unauthorized access or disclosure. Controls based on this principle include access control, encryption, and data classification.
 * Privacy: This principle focuses on ensuring that personal information is collected, used, stored, and disclosed in accordance with the organization's privacy policy and relevant laws and regulations. Controls based on this principle include data minimization, consent management, and data subject rights.

Achieving SOC 2 compliance brings several benefits:

 * Reputation: SOC 2 compliance demonstrates an organization's commitment to security and privacy and can enhance its reputation and credibility with customers and partners.
 * Competitive advantage: SOC 2 compliance can give a company an edge over competitors that have not gone through the same rigorous review process.
 * Crisis management: SOC 2 compliance helps organizations identify and remediate potential security risks and vulnerabilities, thereby improving their overall security posture.
 * Regulatory alignment: SOC 2 compliance helps organizations meet the security and privacy requirements of industry-specific regulations such as HIPAA and PCI DSS.
 * Customer trust: Being SOC 2 compliant can increase customer confidence in an organization's data protection capabilities, which can lead to increased customer loyalty and retention.

Data Security Strategies in Compliance Management
From a broad perspective on regulatory compliance, we now shift our focus to the specifics of data security. It is essential to see how these frameworks are applied in practice to protect sensitive information. This section explores the foundational mechanisms and technologies critical to compliance management. Data protection is central to compliance management and to the organizational control and automation requirements that regulations impose on various industries. By examining specific strategies such as encryption, access control, and continuous monitoring, we aim to show how organizations can meet regulatory expectations and effectively safeguard critical data.

Security Infrastructure and Technologies

Encryption: Primarily used to protect data on the move and at rest, employing algorithms that encrypt data, accessible only to individuals with decryption keys.

Firewalls and Intrusion Detection Systems (IDS): Firewalls serve as barriers between an organization's secure internal networks and potentially unsafe external networks. IDS systems monitor network traffic to detect and respond to suspicious activities.

Data Masking and Tokenization: These techniques ensure that sensitive data remains anonymous or obscured in environments like testing or analytics, enhancing security while maintaining functionality.
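The masking and tokenization described above, applied to the PII and financial fields listed at the start of this chapter, as an added example that is not part of the original page. The field names, the per-field handling policy, the sample record and the demo key are all constructed assumptions; the leak check at the end is what a compliance team would run over the masked copy before it leaves production.

```python
"""Mask and tokenize the PII and financial fields a compliance program classes as
sensitive, so production records copied to test or analytics carry no usable
identifiers.  Constructed example: field names, policy and sample are assumptions."""
import hashlib
import hmac
import re

DROP = object()  # sentinel: field never leaves production (a CVV must not be stored)

def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of a US Social Security number."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]

def mask_card(pan: str) -> str:
    """Keep only the last four digits of a payment card number (PAN)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]

def generalize_dob(dob: str) -> str:
    """Coarsen an ISO date of birth (YYYY-MM-DD) to the birth year."""
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", dob)
    if not match:
        raise ValueError("dob must be YYYY-MM-DD")
    return match.group(1)

def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens (joins still
    work), but without the key a dictionary of names or e-mails cannot be
    matched against the output, which a plain unkeyed hash would allow."""
    normalized = value.strip().lower().encode("utf-8")
    return "tok_" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]

# Assumed handling rule per field; fields not listed are treated as non-sensitive.
FIELD_POLICY = {
    "ssn": mask_ssn,
    "credit_card": mask_card,
    "cvv": DROP,
    "dob": generalize_dob,
    "name": tokenize,
    "email": tokenize,
}

def sanitize_record(record: dict, key: bytes) -> dict:
    """Apply FIELD_POLICY to one record and return the masked copy."""
    out = {}
    for field, value in record.items():
        rule = FIELD_POLICY.get(field)
        if rule is None:
            out[field] = value          # non-sensitive: pass through unchanged
        elif rule is DROP:
            continue                    # dropped entirely
        elif rule is tokenize:
            out[field] = tokenize(value, key)
        else:
            out[field] = rule(value)
    return out

# Leak check for the masked output: a raw SSN or a full card number still present
# means the masking policy is incomplete.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def leaks_identifiers(record: dict) -> bool:
    """True if any string field still looks like an SSN or a payment card number."""
    return any(SSN_RE.search(v) or PAN_RE.search(v)
               for v in record.values() if isinstance(v, str))

# Constructed sample record and demo key (a real key would come from a secrets store).
SAMPLE = {
    "customer_id": 1042, "name": "Jane Q. Sample", "dob": "1985-07-14",
    "ssn": "123-45-6789", "credit_card": "4111 1111 1111 1111", "cvv": "123",
    "email": "jane.sample@example.com",
}
DEMO_KEY = b"constructed-demo-key-do-not-use"
```

Tokens are stable only for one key; rotating the key breaks joins between old and new copies, so key rotation has to be planned as a re-tokenization run.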

Access Controls and Authentication

Role-based Access Control (RBAC): This security methodology restricts access to information based on individuals' roles within an organization, ensuring access is limited to necessary information for their duties.

Multi-factor Authentication (MFA): Enhances security by requiring multiple verification forms from users before access to systems or data is granted, significantly reducing unauthorized access risks.

Monitoring and Auditing

Continuous Monitoring: Involves the constant observation of system activities to quickly identify and mitigate potential security threats.

Regular Audits: Essential for evaluating the effectiveness of security measures and identifying potential improvements to enhance data protection.

Policies and Training

Data Security Policies: Organizations create and enforce policies that dictate data handling, sharing, and protection. These policies are regularly updated to address new threats and compliance requirements.

Employee Training Programs: Employees receive regular training on data security importance and specific protocols to protect sensitive information, ensuring widespread compliance.

Incident Management and Recovery

Incident Response Plans: Detailed plans that outline immediate actions, mitigation strategies, and notification procedures for efficiently managing data breaches or security incidents.

Backup and Disaster Recovery: Regular backups and comprehensive disaster recovery plans ensure data recovery and operational continuity in case of data loss or system failures.

Third-party and Vendor Management

Vendor Security Assessments: Organizations conduct thorough security assessments of vendors and third parties that handle sensitive data to ensure compliance with data protection standards.

If the Company has no cyber compliance, how to get started?
Now that we have reviewed what cybersecurity compliance is, it is important to understand how to get started in making a Cybersecurity Compliance Program within your organization. Every cybersecurity compliance program is specific to an organization due to its versatility and depth it covers. However, the steps below should be a great starting point for any organization to begin developing its compliance program and gain the benefits to meet regulatory compliance requirements.


 * 1) Assemble a Designated Compliance Team: The main force behind cybersecurity compliance is your IT staff; however, when a comprehensive compliance program is put into place, a dedicated compliance team must be formed. For a business to have a strong cybersecurity posture and support compliance procedures, all departments must collaborate.
 * 2) Make a Risk Analysis Process: You should adhere to the four fundamental phases of the risk analysis process in order to identify and evaluate risks. These include determining which information systems, assets, or networks have access to data, determining the risk level associated with each type of data, applying a formula to analyze the risk, and establishing tolerance by selecting whether to reduce, transfer, reject, or accept any identified hazards.
 * 3) Enable Controls to Mitigate or Transfer Risk: Setting up security measures to reduce or transfer cybersecurity threats is the next stage. These measures include encryption, network firewalls, password restrictions, staff training, incident response plans, access control, and patch management schedules, among other technological and physical measures.
 * 4) Create and Implement Policies: Document any policies or instructions that IT teams, staff, and other stakeholders need to follow once controls have been put in place. These policies will also be helpful for future internal and external audits.
 * 5) Monitor and Respond Quickly: Maintain a constant eye on your compliance program as new laws or revised versions of old ones are passed. A compliance program's objective is to recognize and manage risks and stop cyber threats before they result in a significant data breach. Additionally, it's crucial to have business procedures in place that let you respond rapidly to threats.

Industry-Specific Compliance Challenges:

 * Healthcare Industry:

The healthcare sector faces stringent compliance requirements due to the sensitive nature of patient data and the criticality of healthcare services. Organizations in this industry must adhere to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA mandates strict standards for protecting patient privacy and securing electronic health records (EHRs). Additionally, healthcare organizations must comply with regulations specific to medical device manufacturing, pharmaceuticals, and clinical trials, such as the Food and Drug Administration (FDA) regulations in the U.S. Compliance challenges in healthcare include ensuring the security of EHR systems, safeguarding patient confidentiality, and navigating complex data sharing agreements while maintaining compliance with HIPAA and other industry-specific regulations.

 * Manufacturing Industry:

The manufacturing sector faces unique compliance challenges related to product safety, environmental regulations, and supply chain management. Manufacturers must comply with regulations such as the Occupational Safety and Health Administration (OSHA) standards for workplace safety, the Environmental Protection Agency (EPA) regulations for waste management and emissions control, and industry-specific standards such as the International Traffic in Arms Regulations (ITAR) for defense-related manufacturing. Compliance challenges in manufacturing include ensuring product quality and safety, minimizing environmental impact, and managing regulatory requirements across global supply chains.

 * Technology Industry:

The technology sector operates in a rapidly evolving landscape characterized by innovation, disruption, and intense competition. Technology companies must navigate a complex web of regulations that vary depending on their products, services, and geographical locations. Key regulations affecting the technology industry include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the U.S., and industry-specific standards such as the International Organization for Standardization (ISO) 27001 for information security management. Compliance challenges in the technology industry include managing vast amounts of customer data, addressing privacy concerns, and ensuring the security of cloud-based services and Internet of Things (IoT) devices.

 * Finance Industry:

The finance industry operates within a highly regulated environment to ensure the integrity and stability of financial markets and protect consumer interests. Financial institutions, including banks, insurance companies, and investment firms, must comply with regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). These regulations govern various aspects of financial operations, including data privacy, anti-money laundering (AML), and fraud prevention.