We are all working to ensure our customers are compliant with one of the above.

This post gives you an overview of each of these regulations:

Cyber Essentials is a cyber security standard developed under the auspices of the Communications-Electronics Security Group (CESG), the information security arm of Government Communications Headquarters (GCHQ) in the United Kingdom. It identifies the security controls that an organization must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.

The General Data Protection Regulation (GDPR) is a regulation passed by the European Union to unify data protection for everyone in the EU. It specifically regulates the transfer of data about EU citizens to counties not in the EU. The regulation also recommends that large organizations have a Data Protection Officer whose sole responsibility is safeguarding personal data.

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996. It has five titles, but we’re only really concerned about Title II. This section establishes the privacy and security rules around the sharing and transfer of health information.

The Family Education Rights and Privacy Act (FERPA) was passed by the US Congress in 1974. It established regulations regarding the transfer and sharing of educational records. It also establishes what information about a student is FERPA-regulated and what information is not. It also has somewhat controversial (especially among parents paying for the child’s education) regulations, like student consent prior to the release of records.

Payment Card Industry Data Security Standard (PCI DSS, or simply PCI) is not a law. It is a standard agreed upon by banks and the credit/debit card industry in the US. This standard has twelve requirements that merchants must adhere to. If there is a breach and the merchant did not adhere to the PCI standard, fines and other penalties may occur. Some US states, such as Minnesota and Nevada, have laws that specially require PCI compliance for merchants.


About this entry