Time was, you could just hang up a shingle and call yourself a business. As long as you did not shoot anyone, you were pretty much left alone. Not so anymore. A growing body of federal and state regulations has come into being, much of it in recent years, and much of it applies to small businesses. These rules are intended to achieve one or another social good, such as protecting the individual's privacy and preventing identity theft, preventing financial scandals, or, so it sometimes seems, simply annoying small businesspeople by increasing their paperwork burden. Fortunately, if you understand the underlying principles, compliance need not be too difficult or expensive.
If you have a publicly held company, you will need to comply with the Sarbanes-Oxley Act, which sets technical standards and reporting requirements for how companies handle their financial statements. Passed in response to the recent wave of corporate scandals, fiscal mismanagement and outright theft, Sarbanes-Oxley puts in place a set of requirements for establishing internal controls that ensure the reliability of a company's financial statements. Although the requirements are generally the same for companies of all sizes, smaller companies have been given some flexibility in the form of longer timeframes to become compliant. The Act requires, among other things, that security controls be put in place to restrict access to financial data, provide an audit trail, and produce detailed reports for the government. The good news is that if you already follow security best practices, you are more than halfway there.
If you are in the healthcare industry, whether you are a healthcare professional, a pharmacy, or a data processing agency serving the healthcare industry, you will need to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires companies that handle personal health data to ensure that it is safe and protected from unauthorized access. If your company handles health care information of any kind, for any reason, you must take technical measures to ensure that it is safe, using features such as encryption, strong two-factor authentication, and adequate firewalling.
And if you are in California, or if any of your customers are in California, you need to comply with SB 1386 (California Information Practice Act). This law requires that a company notify its customers when a technical hack or other attack has occurred and caused personal information to be exposed and vulnerable to theft. Meant to safeguard against identity theft, this state law also applies to any subcontractor companies that hold information about California residents. The law is ground-breaking because, although on paper it is just a California law, it has effectively become a federal one. California is the largest state in the US by population, and most mid-size companies and many smaller ones have at least some clients in California, regardless of where the business is actually located. If, for example, your business is in Maine and your mail-order department sold some products over the phone to someone in California, you must comply. Compliance simply means that if your network is attacked, you must notify your customers.
Although customers can be notified individually, most companies make an announcement on their Web sites or issue an official press release.
The Visa Cardholder Information Security Program (CISP) is not a state or federal law but a mandate from Visa USA, created to protect cardholder data. It calls on all vendors who accept credit card payments to follow higher standards of information security in order to guard against identity theft. CISP requires vendors to implement standard security measures such as firewalls, anti-virus software, and strong authentication to control who has access to customer credit card data. Visa has also put forward a set of best practices. Compliance is straightforward and includes adhering to the Payment Card Industry Data Security Standard, which calls for the implementation of standard security technology, restricting access, and encrypting the transmission of any cardholder data.