Compliance is a Team Project

With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to HIPAA, PCI, and GDPR.

IT Team

Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:

• Email Encryption: How are emails and files that go in and out of your office protected to avoid nefarious hands and revealing identifying information?
• Data Encryption: How do you collect and retain credit card information? Are there any gaps where that information could be stored or released in an identifiable way?
• Firewall: Are you protecting your company data and communications using a screen door that is easily opened by hackers, or are you using a multi-level security system preventing intrusions?
• Backups: How often, when and where is your precious company information backed up? Can you test your backups to prove that they’re effective? Is your current backup plan compliant with regards to customer data?
• Data Availability and Storage: Who has access to your data? Only certain individuals in your company should be able to access all data, like financial records or payment information. How are you restricting access on your network or within line of business applications to ensure safety?
• Physical Access: Who can actually access computer systems and servers? Do you train your staff to lock their systems every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?

Internal Compliance Officer

While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your IT company can absolutely set you up for success, but they are not around to police your staff every hour of the workday.

The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:

• Watch for employees falling into bad habits, like leaving computers unlocked or sending credit card data willy-nilly throughout the organization.
• Conduct/coordinate online or in-person training to keep compliance top of mind. We recommend quarterly training, at least, in addition to proper education as soon as a new employee comes on board.
• Maintain all the documentation required for compliance, like backup plans and communication standards.
• Liaison with federal and state regulators, as necessary to prevent or mitigate an issue (with the support of your IT Team and legal team).

All Employees

You can have the best technology, the most intense compliance officer, and still completely fail at successful compliance if your employees are not onboard. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:

• Gather everyone together: When you first make tweaks to your company’s security protocols to ensure compliance, explain why to your team. If they suddenly all need to remember 16-character passwords, replace those passwords every 90 days and have 5-minute time outs on their systems; they’d appreciate learning it’s not because you’re paranoid. You can utilize your IT Team to conduct this meeting.
• Send regular reminders: It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all of your staff to keep it top of mind.
• Conduct ongoing trainings: These trainings should be mandatory, involve your IT team, and vary enough to stay interesting. Quarterly should be sufficient unless some regulation change calls for additional meetings.
• Multi-departmental planning: Different teams have different uses for data. For example, what makes the salesperson tick may make it impossible for accounting to operate within compliance. When it comes to collecting information that must be compliant, every department must be involved in process development to create smooth operation within rules and regulations.

Compliance is not a one-man game. It involves the whole company and IT team engagement to really be successful. Next blog, we’ll cover the processes necessary to build a compliance-friendly environment.

In 2018, the European Union enacted a new directive to protect its citizens from having their personal information stolen or sold known as GDPR or General Data Protection Regulation. This legislation protects EU citizens, but in reality, it is a global law at this point. Any businesses in the world that mishandle the personal information of an EU citizen, including something as simple as improperly tracking a cookie on your website, could be fined for non-compliance. Those fines are not cheap. A company failing to comply with the regulation could be subject to a 4 percent forfeiture of its annual revenue. In its first year, there were 95,000 complaints from Data Protection Authorities all over the EU. It’s here to stay, so should you care? 

Of the 95,000 complaints received, telemarketing, promotional e-mails, and video surveillance were the top culprits. So far, three fines were issued by DPAs for GDPR violations. The largest fine issued was in the sum of €50,000,000 for lack of consent to processing personal data. Compliance is no joke and it can be tricky to implement. 50% of all businesses still have not migrated into the world of GDPR compliance, though they know it could end in litigation. This carries over for American companies that either employ EU citizens or service them. Even though your business is in the states, you can still get fined from across the pond.  

The main idea behind GDPR is protecting citizens and consumer rights. Not only are businesses held responsible for storing people’s information, but they are also held accountable if any misuse occurs to that information. If data is hacked, that business is obligated to report it within 72 hours of the breach and give a detailed account of the data that was stolen. In addition, under GDPR, citizens can request to have their information taken out of data storage, and a business must comply.  

Currently, social media networks and automated email services are the heaviest hit by GDPR. Facebook has seen a steady decline in European consumers. Also, it has cracked down on how people can use FB ads when targeting certain audiences. Email marketing has seen an increase of opt-outs and tighter spam regulations, changing the marketing game for many companies.  

In order to become compliant with GDPR, you will need to first appoint someone as your DPO, or data protection officer. This person will be the point of contact and GDPR expert. They’ll need to be able to handle IT services as well as monitor all the data handling processes in your company. Then, of course, they’ll need to be able to consistently monitor any area that may be impacted by GDPR and ensure they’re within compliance. It is highly recommended that the DPO goes through thorough training on the subject so they know exactly what to look for when it comes to staying compliant. 

GDPR is great at protecting citizens, and most professionals believe it’s only a matter of time before the United States adopts similar regulations. It’s always better to be prepared, so perhaps it’s time to look into GDPR compliance. 

Even though ransomware attacks decreased in 2018, they remain a major threat in the cybersecurity landscape. So much so, that ransomware was recently featured on 60 Minutes. The story primarily covers three major instances of ransomware, two that affected municipalities, and a third that targeted a hospital. 

All three were attacked in a way that encrypted every single one of their files and also encrypted some of the files within their backups, sending the organizations back to operating on pen and paper. Two, despite FBI recommendations, ended up paying the ransom to restore their data quickly, while the third decided not to pay the ransom and went about remediation on their own.  

The hospital was hit with a $55,000 bill, while one municipality (Leeds, AL) was able to negotiate the payment down to $8,000. These ransom sums may not appear astronomically high, but that’s exactly how the hackers keep going. If they requested millions in ransom, no one would pay. An amount in the solid five-figures, though, feels doable for most organizations to get their precious data restored. The third entity (Atlanta, GA) suffered millions of dollars in losses and time in efforts to recover. Some of their data could never be recovered. 

The story presented a very clear picture of the dangers surrounding ransomware; however, there were two major issues in the story. First, the entities covered were obviously major entities implying that you needed to be in the public eye to be affected. This is certainly not the case. In fact, nearly 50% of small business owners say their business was affected by a cybersecurity attack in the last year. Ransomware is not just for highly public entities.  

Perhaps more importantly, the story painted paying the ransom as the cheaper and often faster way to go. In very rare occasions, paying the ransom is the only option; but if you’re stuck in a ransomware trap, we do not recommend jumping straight into paying the ransom. Here’s why: 

1. 1. Sure, after you pay the sum (typically in bitcoin), the vast majority of hackers suddenly become ethical and return your files. Let’s look at the reality, though. You’re relying on someone who just took your data hostage for an exorbitant fee to return that data to working order simply because you held up your end of the unwanted bargain. Sounds a lot like using hope as a data recovery strategy to us. At any point the hacker could respond, “Thanks, but no thanks!” or “Well, we thought this would be a sufficient amount”; but we ran into snags with your recovery. We’ll actually need x number to finish the job.” 
   2. Prevention is a better strategy. If your back-up is set up correctly with an on-premises and multi-tenant off-site solution, you should be able to roll back to data that existed before the ransomware attack. Granted, you may lose some data in the process if the encryption gets into the backup like it did in the attacks covered in the 60 Minutes story. Losing some data is a lot better than putting yourselves up the creek financially by paying a major ransom. In addition to proper backup, ensure that you’re effectively training employees and stringently monitoring data coming in and out of your network.
   3. Isolation is possible. In short, don’t store all of your valuable data in one place. If, on the off-chance, ransomware breaches your network, you don’t want to give it an open door to encrypt absolutely everything of value. Keep all critical applications on isolated networks to maintain global network safety.

Ransomware attacks may be on the decline. However, that just invites the hackers to come up with a more creative way to scam you out of time and money. Perhaps phone ransoms are coming next. Regardless of what the hackers create, make sure you’re prepared and don’t have to rely on paying a hefty ransom to keep your business in operation. 

No matter what industry you’re in, compliance acronyms are abundant, filling your days with both confusion and regulation. We call it the compliance alphabet soup. It’s time to make a little bit more sense of all those acronyms and what they likely mean for your business. 

GDPR (General Data Protection Regulation): While this regulation only applies to the European Union and information leaving the EU, we are seeing its effects state-side because it requires businesses that interact with EU citizens to comply, regardless of location. The goal of GDPR is to create greater data privacy and protect from breaches. If there is even the slightest likelihood that someone from the EU will be visiting your site or interacting with you online, make sure that you comply with GDPR regulations. We’ll cover GDPR in greater detail in our next blog.  

HIPAA (Health Insurance Portability and Accountability Act of 1996): While this law has been on the books since 1996, many medical practices are still not HIPAA compliant and believe that they are too small to be touched. Even if you aren’t directly in the medical industry, pay attention! Beyond the practices themselves, any organization that works with a medical practice has responsibility in HIPAA compliance through associate agreements. These agreements particularly apply to IT companies, law practices, accounting firms, and others that might have access to patient data in any way. Bottom line, all patient data must be protected, encrypted, and safe. You also need to have a specific HIPAA-compliance plan, breach response plans, and data recovery methodology. HIPAA has gained notoriety with larger scale medical breaches in recent years, in addition to larger fines levied for HIPAA breaches. The largest fine currently on record is $16 million. Small companies are also being hit with violations costing about $1.5 million apiece.     

HITECH (Health Information Technology and Clinical Health Act): HITECH entered the picture in 2009 and brought teeth to HIPAA violations. This regulation specifically covers the electronic transmission of health information. In its best form, it’s meant to improve patient care through better doctor coordination, better sharing of information, and strong data security of electronic health records. In practice, all those privacy forms that you sign whenever you go to the doctor really do have an important purpose.  

I-9 (Employment Eligibility Verification): This is the form that new hires must fill out within three days of employment to verify that they are eligible to work within the US. While this piece of paper may get lost among the sea of new hire paperwork, it should never be overlooked. Even if you’ve been correctly employing the I-9 form for years, you may want to go back and check for form updates. Some updates will have no impact; but to be truly in compliance, you’ll sometimes need to go back and have every employee update their I-9 information and verification documents.  

PCI DSS (Payment Card Industry Data Security Standard): Do you collect credit card information within your business? Any payment data collected and stored must be PCI compliant. To ensure compliance: 

• Employ strong security standards, like firewalls, anti-virus protection, and regular updates that protect your network as a whole 
• Encrypt all credit card information transmitted across open networks 
• Maintain strong data access controls to ensure that rogue people don’t gain access to your information   

These are just a few of the compliance acronyms you may encounter in your daily work. Don’t get lost in the compliance alphabet soup. A quality IT firm can help you comply with the vast majority of these and will be able to put a clear plan of action in place to increase your cybersecurity footprint.  

In most zombie movies, there is no antidote. No cure for their nasty zombie virus, it’s simply all downhill from there…You watch as they slowing begin to turn into the “working dead”. After the same-old, same old, day in and day out, your team quickly begins looking a lot like zombies. Soon your productivity has slowed down, along with your sense of adventure, and finally, it’s all over. The sparkle and excitement drain from your employees’ eyes as they mindlessly do their job. Obviously, no one wants a zombie, both in the horror sense and the work sense. Here are a few things that will help keep your employees immune to the virus.  

First of all, remember that a positive workplace is key to great employee morale. Positivity isn’t a slew of awesome perks, though that is nice. Positivity is the energy derived from the respect people have for one another. It’s also having trust in people and allowing them to speak freely about their issues. Often, bad employee morale is caused by a feeling of being defeated. It’s the hypocrisy that can often rear its ugly head in the corporate world. My motto is always to treat everyone as you would want to be treated. That’s a pretty good start for a more positive and productive workplace.                  

To piggyback off that, it’s also wonderful when leadership engages with employees. Yes, you’re busy, and yes you pay them so in your mind that should be enough. Well, you’d be surprised at how many people sincerely care about your business alongside that paycheck. The ones that do feel respected and engaged with the company when leadership even gives a simple hello while passing in the hallway. Spend a little personal time getting to know people and engaging with your employees. This will allow them to feel that much more connected to your business and be motivated to take care of it correctly.    

Then, of course, there is recognition. This is always a tough one because many business owners and bosses alike feel as though a paycheck is enough recognition. In a perfect world, it certainly would be. Today’s workforce requires a little butt patting. (Not literally, don’t do that!) What I mean is a simple thank you can be an immense boost to someone’s ego. If a few simple words increase productivity, then why the heck not? No one is asking for crazy bonuses, free lunch, or a gym membership. (Although, I’m sure you wouldn’t get turned down for that). Employees just need to know they are working in the right direction and are producing quality. Ultimately, they want to make you happy and your business succeed.  

The main takeaway here is to put some genuine care into your employees. Foster an environment where people can speak up about the good, bad, and ugly without negative repercussions. Mostly though, treat others as you would want to be treated and that will create the baseline for your success.