Information Security Regulations
HIPAA (Health Insurance Portability and Accountability Act)
Regulates the use and disclosure of protected health information (PHI) by covered entities like healthcare providers, health plans, and healthcare clearinghouses.
Requires implementation of administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of PHI.
Breach notification rules require notifying affected individuals of breaches of unsecured PHI.
PCI DSS (Payment Card Industry Data Security Standard)
Mandates 12 requirements for enhancing payment data security, including firewalls, encryption, access controls, vulnerability management, etc.
Applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers.
Requires annual on-site audits and quarterly network scans by an Approved Scanning Vendor.
GDPR (General Data Protection Regulation)
Comprehensive data protection regulation governing the collection, use, and transfer of personal data of EU residents.
Requires implementing data protection principles like purpose limitation, data minimization, storage limitation, etc.
Mandates breach notification within 72 hours, privacy impact assessments, and appointing a Data Protection Officer.
GLBA (Gramm-Leach-Bliley Act)
Regulates the collection, safeguarding and use of customer records and information by financial institutions.
Requires disclosure of privacy policies and practices related to sharing non-public personal information.
Mandates establishing administrative, technical and physical safeguards to protect customer information.
CCPA (California Consumer Privacy Act) (privacy in the US is one of my favorite topics. I may geek out and write several pages on this)
Gives California residents rights over their personal information, including right to access, delete and opt-out of sale of their data.
Requires businesses to disclose data collection and sharing practices and honor opt-out requests.
Applies to for-profit entities doing business in California that meet certain revenue or data collection thresholds.
FISMA (Federal Information Security Modernization Act)
Requires federal agencies to develop, document, and implement information security programs.
Mandates performing periodic risk assessments and testing security controls.
Agencies must report annually on compliance to Congress.
Complying with these and other regulations requires implementing robust information security policies, procedures, access controls, risk assessments, training, and auditing practices.
Please keep in mind this is a baseline for all regulations. What is extremely interesting is how many companies view compliance as the top level of security. I am well aware that each company requires a tailored approach to their security implementation, and there is no one glove that fits all. However, it does always make me extremely curious why the articles do not become more stringent in the baseline and verify articles in the incorporated subsections of the regulation for the most common big industries.