- Getting compliant is more involved than addressing a checklist. It starts with selecting the right cybersecurity framework based on your business obligations.
- Your framework choice must be driven by understanding your statutory, regulatory and contractual requirements, not just technical preferences.
- This understanding establishes the minimum controls needed to avoid negligence, comply with laws, regulations and contracts, and secure your systems from reasonable threats.
- A single negligent breach could close your business. Liability insurance does not cover professional negligence.
- ComplianceForge provides editable, expert-written documentation aligned to all major compliance requirements.
Where Do You Fit In The Mandatory Compliance Puzzle?
A single negligent breach could close your business forever, because liability insurance does not cover professional negligence! Below are several examples of how compliance with information security requirements affects common businesses:
HIPAA and PCI DSS Compliance
Example #1: Physical Therapist
Compliance Requirements: HIPAA, PCI DSS & State Breach Laws
Why? This physical therapist office deals with electronic Protected Health Information (ePHI) of clients so it falls under HIPAA. The office also accepts co-payments by credit card so it falls under PCI DSS. Since the state requires a breach notification plan, the office must also adhere to state-specific compliance requirements for data breaches.
PCI DSS and GLBA Compliance
Example #2: Certified Public Accountant (CPA)
Compliance Requirements: GLBA, PCI DSS & State Breach Laws
Why? Like most CPAs, this CPA deals with private financial information of clients, so it falls under GLBA. The CPA works for clients that accept credit cards and has access to their QuickBooks accounts (containing cardholder information), so the CPA must meet PCI DSS requirements. Most states waive state-sponsored breach laws if the company is GLBA compliant, so there are no additional requirements by the state.
GLBA and PCI DSS Compliance in Oregon
Example #3: Lawyer
Compliance Requirements: HIPAA, FACTA, GLBA, PCI DSS & State Breach Laws
Why? This law office deals with Protected Health Information (PHI) for injury claims, so it falls under HIPAA as a Business Associate. Since the office also performs real estate closings and is responsible for private financial information, it falls under both FACTA and GLBA. The office accepts payment by credit card, so it falls under PCI DSS. This state waives its breach notification law if the law office is GLBA compliant, so there are no additional requirements by the state.
PCI DSS Compliance for Level 3 and Level 4 Merchants
Example #1: Coffee Shop
Compliance Requirements: HIPAA, PCI DSS & State Breach Laws
Why? This coffee shop accepts payment by credit and debit cards, so it falls under PCI DSS. This state does not have any specific breach notification laws, so the coffee shop only has to focus on PCI DSS compliance.
State Identity Theft Law Compliance
Example #1: Construction Company
Compliance Requirements: State Breach Laws
Why? The construction company operates in a state that has a law requiring both client and employee Personal Identifying Information (PII) to be protected and for notification in the event of a breach.