{"id":1868,"date":"2019-08-06T07:04:40","date_gmt":"2019-08-06T07:04:40","guid":{"rendered":"http:\/\/kusuaks7\/?p=1473"},"modified":"2024-07-18T17:49:24","modified_gmt":"2024-07-18T17:49:24","slug":"ten-data-privacy-and-encryption-laws-every-business-needs-to-know","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/ten-data-privacy-and-encryption-laws-every-business-needs-to-know\/","title":{"rendered":"Ten Data Privacy and Encryption Laws Every Business Needs to Know"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1868\" class=\"elementor elementor-1868\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-7187c4a3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7187c4a3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-10329581\" data-id=\"10329581\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc90e87 elementor-widget elementor-widget-text-editor\" data-id=\"fc90e87\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhat encryption laws does your organization need to comply with? 
Get started with this handy guide.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1ec91b0 elementor-widget elementor-widget-text-editor\" data-id=\"1ec91b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tYou\u2019ve probably heard that every business needs to stay up to date on and comply with the latest encryption and privacy laws. Failure to comply will result in fines that can range upwards of tens of millions of dollars.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-621923a elementor-widget elementor-widget-text-editor\" data-id=\"621923a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tBut which laws do you need to comply with, and what do you have to do?\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a43c87b elementor-widget elementor-widget-text-editor\" data-id=\"a43c87b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf you\u2019re like us, when you\u2019re curling up with a book and a mug of tea (or coffee) after a hard day\u2019s work, you don\u2019t really want to read encryption laws. Encryption laws tend to be very broad or, in some cases, can even be described as nebulous. There are many types of data encryption laws on the books with governments and regulatory bodies around the world \u2014 some cryptography laws require encryption; others prohibit it or place restrictions on its use. 
International encryption laws vary by country and industry.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-51263d2 elementor-widget elementor-widget-text-editor\" data-id=\"51263d2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tFor example, some countries:\n<ul>\n \t<li>Guarantee the right for individuals to use encryption technologies and services.<\/li>\n \t<li>Require a license (or another form of registration) to provide or use encryption software or services.<\/li>\n \t<li>Have <a href=\"https:\/\/parlinfo.aph.gov.au\/parlInfo\/search\/display\/display.w3p;query=Id:%22legislation\/billhome\/r6195%22\" class=\"broken_link\" rel=\"noopener\">frameworks<\/a> for voluntary and mandatory <a href=\"https:\/\/thenextweb.com\/politics\/2018\/12\/10\/australias-horrific-new-encryption-law-likely-to-obliterate-its-tech-scene\/\" rel=\"noopener\">industry assistance to law enforcement<\/a> concerning encryption technologies.<\/li>\n \t<li>Require encryption to be used to protect the rights of data subjects (such as consumers, citizens, patients, etc.).<\/li>\n \t<li>Prohibit the export of cryptography technology or algorithms.<\/li>\n \t<li>Require enhanced transparency and communication about how data can be used.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4b287d7 elementor-widget elementor-widget-text-editor\" data-id=\"4b287d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tFor the sake of this article, we\u2019re just going to focus on the regulations and laws that require encryption or reference the protection of encrypted data. 
These regulations and laws are sometimes called data encryption laws, data privacy laws or data protection laws (depending on the term you prefer to use). While narrowing down the topic helps somewhat, there are still many laws that fall into this category that govern your business and government alike depending on your location or industry. So, how do you know which laws apply and what they mean to your organization?\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-259a147 elementor-widget elementor-widget-text-editor\" data-id=\"259a147\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tGrab your mug and get comfortable \u2014 you\u2019re going to be here a while.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-41542c5 elementor-widget elementor-widget-text-editor\" data-id=\"41542c5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tLet\u2019s hash it out.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e651310 elementor-widget elementor-widget-heading\" data-id=\"e651310\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>The top 10 data privacy and encryption laws from around the world<\/h2>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50a2d9e elementor-widget elementor-widget-text-editor\" data-id=\"50a2d9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIdentity theft is on the rise and companies are making headlines almost daily with news about debilitating data breaches. As such, concerns about privacy and protecting personal information are taking center stage as technology continues to evolve and more lives are becoming intricately entwined with the digital world. These concerns often manifest in data protection laws and privacy regulations.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-35c0a50 elementor-widget elementor-widget-text-editor\" data-id=\"35c0a50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<em>Note: We\u2019re just touching on the encryption and data protection aspects of these laws. There is far more information involved with these laws. For more in-depth information, you should go directly to the laws or speak with a legal professional about how these laws may apply to your organization and industry. <\/em>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f8919a2 elementor-widget elementor-widget-text-editor\" data-id=\"f8919a2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tHere are 10 of the encryption laws or regulations you should know. 
They\u2019re listed in alphabetical order and not in any order of importance because they\u2019re all important and play essential roles in protecting user data and privacy around the world.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d4345ae elementor-widget elementor-widget-heading\" data-id=\"d4345ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>1. \u00a0California Consumer Privacy Act of 2018 \u2014 United States<\/h2>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b4b5ce6 elementor-widget elementor-widget-heading\" data-id=\"b4b5ce6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-87ce89c elementor-widget elementor-widget-text-editor\" data-id=\"87ce89c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis law applies to organizations who deal with California customers and\/or their personal data. 
Smaller companies may be exempt: the Act applies only to for-profit businesses that meet at least one of these thresholds:\n<ul>\n \t<li>annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices (raised to 100,000 consumers or households by the CPRA amendments that took effect in 2023),<\/li>\n \t<li>have annual gross revenues above $25 million, or<\/li>\n \t<li>derive 50% or more of their annual revenue from selling consumers\u2019 personal information.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ec5d29 elementor-widget elementor-widget-heading\" data-id=\"0ec5d29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996171 elementor-widget elementor-widget-text-editor\" data-id=\"0996171\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe law states that a business that fails to implement and maintain \u201creasonable security procedures and practices\u201d and then suffers a breach of nonencrypted, nonredacted personal information can be sued by the affected consumers.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-04423e0 elementor-widget elementor-widget-heading\" data-id=\"04423e0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-37edd2a elementor-widget elementor-widget-text-editor\" data-id=\"37edd2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tRegardless of where your business is located, if you process the personal data of California residents, you should ensure that you\u2019re:\n<ul>\n \t<li>Encrypting personal data in transit (e.g., TLS on every connection that carries it) and at rest, with the encryption keys stored and managed separately from the data they protect, so that a stolen database or backup does not hand over the keys with it.<\/li>\n \t<li>Employing reasonable security best practices to protect all nonpublic data in your possession.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6133597 elementor-widget elementor-widget-heading\" data-id=\"6133597\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bd144bd elementor-widget elementor-widget-text-editor\" data-id=\"bd144bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe\u2019ve kicked our list off on the west coast of the United States with the first of our US quasi-encryption laws. <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=201720180SB1121\" rel=\"noopener\">The California Consumer Privacy Act of 2018<\/a> (CCPA) is a piece of legislation that aims to protect the right to privacy of consumers in the U.S. state of California. 
The Act arose after the creation of the European Union\u2019s General Data Protection Regulation (GDPR) \u2014 which we\u2019ll speak more about later in this article \u2014 and though it shares some similarities, it is vastly different in many ways and isn\u2019t as stringent.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aab8298 elementor-widget elementor-widget-text-editor\" data-id=\"aab8298\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe <a href=\"https:\/\/oag.ca.gov\/system\/files\/initiatives\/pdfs\/17-0039%20%28Consumer%20Privacy%20V2%29.pdf\" rel=\"noopener\">purpose of the encryption law<\/a> is to:\n<ul>\n \t<li>Give California consumers the right to know what personal information is collected about them and how it is used, and hold businesses accountable for information compromised in breaches.<\/li>\n \t<li>Require businesses to disclose any sales of California consumers\u2019 personal information, cease sales of personal information when requested by consumers, and take \u201creasonable steps\u201d to protect the information.<\/li>\n \t<li>Prevent businesses from discriminating against California consumers who request information about how their data is collected or sold, or who refuse to allow businesses to sell their information.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b257743 elementor-widget elementor-widget-text-editor\" data-id=\"b257743\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAs part of these requirements, the act states that California consumers\u2019 personal information must be protected. 
According to section 1798.150:\n<blockquote>\u201cAny consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business\u2019s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action\u2026\u201d<\/blockquote>\nWhat does it say about methods of security? Not much. The Act doesn\u2019t prescribe any particular control, but the wording matters: this private right of action covers only \u201cnonencrypted or nonredacted\u201d personal information, so encrypting stored personal data (with the keys kept out of the attacker\u2019s reach) is what keeps a breach outside its scope. Consumers who sue under section 1798.150 can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Separately, the state can seek civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation (section 1798.155).\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14a40d6 elementor-widget elementor-widget-heading\" data-id=\"14a40d6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>2. 
Data Protection Regulation \u2014 Denmark<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a773bec elementor-widget elementor-widget-heading\" data-id=\"a773bec\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4941482 elementor-widget elementor-widget-text-editor\" data-id=\"4941482\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis data privacy regulation applies to any public authorities as well as private companies and organizations who handle confidential and sensitive personal data via email.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5ed296f elementor-widget elementor-widget-heading\" data-id=\"5ed296f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85d274c elementor-widget elementor-widget-text-editor\" data-id=\"85d274c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe regulation states that encryption must be used when transmitting confidential and sensitive information via email over an open network (such as the internet).\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-d29058f elementor-widget elementor-widget-heading\" data-id=\"d29058f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-da7eebe elementor-widget elementor-widget-text-editor\" data-id=\"da7eebe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf your organization sends confidential or sensitive personal data by email, you need to ensure that you\u2019re encrypting it. This means assessing which form of encryption fits your needs and your recipients:\n<ul>\n \t<li>Transport encryption between mail servers (TLS, negotiated with STARTTLS). Note that STARTTLS is opportunistic by default, so the hop is protected only if both servers enforce it, and the message is still readable on every server that relays it.<\/li>\n \t<li>End-to-end encryption of the message itself (S\/MIME or PGP, discussed below), which protects the content regardless of which servers relay it.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bac4b76 elementor-widget elementor-widget-heading\" data-id=\"bac4b76\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5876c34 elementor-widget elementor-widget-text-editor\" data-id=\"5876c34\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tDenmark\u2019s Data Protection Authority is serious about email security. The Data Inspectorate (Datatilsynet), the country\u2019s central independent authority that monitors data protection compliance, has required since January 2019 that emails containing confidential or sensitive personal data be encrypted. The <a href=\"https:\/\/www.datatilsynet.dk\/emner\/persondatasikkerhed\/transmission-af-personoplysninger-via-e-mail\/\" class=\"broken_link\" rel=\"noopener\">Data Protection Regulation<\/a> specifies that this protective measure needs to be used for all messages containing such information.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9b349cc elementor-widget elementor-widget-text-editor\" data-id=\"9b349cc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAccording to the official notice:\n<blockquote>\u201cThe Data Protection Authority has decided to sharpen its practice with regard to the transmission of confidential and sensitive personal data by e-mail in the private sector. 
In the future, it will thus be the Data Inspectorate\u2019s opinion that it will normally be an appropriate security measure \u2013 for both public and private actors \u2013 to use encryption when transmitting confidential and sensitive personal data with e-mail via the Internet.\u201d<\/blockquote>\nTo achieve end-to-end encryption, the Data Inspectorate notes that organizations can use methods such as Pretty Good Privacy (PGP), NemID (Denmark\u2019s logon solution for public self-service, online banking, etc.), and Secure\/Multipurpose Internet Mail Extensions (S\/MIME), i.e. email signing and encryption certificates \u2014 which we\u2019ll speak more about later in the article.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5cf825a elementor-widget elementor-widget-text-editor\" data-id=\"5cf825a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe guidance itself does not specify any penalties for noncompliance that we could find, but it is the Data Inspectorate\u2019s reading of the GDPR\u2019s security-of-processing obligation (Article 32), so the GDPR\u2019s own penalty regime is what ultimately applies. It\u2019s nice to see that they at least provided concrete recommendations for data security methods such as the use of S\/MIME.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-da735a4 elementor-widget elementor-widget-heading\" data-id=\"da735a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>3. 
European Banking Authority \u2014 European Banks \u2014 European Union<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-389661a elementor-widget elementor-widget-heading\" data-id=\"389661a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-359d336 elementor-widget elementor-widget-text-editor\" data-id=\"359d336\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis law applies to:\n<ul>\n \t<li>all \u201ccompetent authorities\u201d in the 28 member states of the European Union,<\/li>\n \t<li>EU financial institutions that handle internet payment services, and<\/li>\n \t<li>third-party e-Merchants who store, process, or transmit sensitive payment data.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e861cb9 elementor-widget elementor-widget-heading\" data-id=\"e861cb9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-77228a4 elementor-widget elementor-widget-text-editor\" data-id=\"77228a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe regulation states that minimum security requirements must be put in place by financial 
institutions that ensure \u201csecure, end-to-end encryption.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cadb953 elementor-widget elementor-widget-heading\" data-id=\"cadb953\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ad7b36 elementor-widget elementor-widget-text-editor\" data-id=\"0ad7b36\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhether you\u2019re a financial institution or an e-Merchant that handles payment data, you must ensure that:\n<ul>\n \t<li>You\u2019re encrypting all sensitive data that can identify and authenticate customers.<\/li>\n \t<li>Any e-Merchants handling or processing sensitive payment data are not storing it \u2014 or, if they are, that they have \u201cthe necessary measures in place to protect these data.\u201d<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-89d69a1 elementor-widget elementor-widget-heading\" data-id=\"89d69a1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-404205f elementor-widget elementor-widget-text-editor\" data-id=\"404205f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe European Banking Authority (EBA) has published a set of minimum security requirements for internet payment services and the obligations of payment service providers (PSPs). This document, known as the <a href=\"https:\/\/eba.europa.eu\/documents\/10180\/934179\/EBA-GL-2014-12+%28Guidelines+on+the+security+of+internet+payments%29.pdf\/f27bf266-580a-4ad0-aaec-59ce52286af0\" class=\"broken_link\" rel=\"noopener\">Final Guidelines on the Security of Internet Payments<\/a>, does not affect the validity of the European Central Bank \u201cRecommendations for the Security of Internet Payments.\u201d The internet payment services covered under these guidelines include:\n<ul>\n \t<li><strong>Cards<\/strong> \u2014 the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in \u2019wallet solutions.\u2019<\/li>\n \t<li><strong>Credit transfers<\/strong> \u2014 the execution of credit transfers (CTs) on the internet.<\/li>\n \t<li><strong>E-mandate<\/strong> \u2014 the issuance and amendment of direct debit electronic mandates.<\/li>\n \t<li><strong>E-money<\/strong> \u2014 transfers of electronic money between two e-money accounts via the internet.<\/li>\n<\/ul>\nDid you know that the transactional websites of European payment service providers are expected to use <strong>extended validation (EV) SSL certificates<\/strong> (or an equivalent)? No, we\u2019re not making this up just because The SSL Store\u2122 happens to sell them. 
In section 4.2 (Risk Control and Mitigation), the guidelines specify that to restrict the use of fake sites, \u201ctransactional websites offering internet payment services should be identified by extended validation certificates drawn up in the PSP\u2019s name or by other similar authentication methods.\u201d Two caveats for anyone checking compliance: the guideline explicitly accepts \u201cother similar authentication methods,\u201d and since late 2019 the major browsers no longer show the EV organization name in the address bar, so an EV certificate satisfies the guideline without giving customers a visible cue. Whether a certificate is EV is therefore something to verify from the certificate\u2019s policy identifiers, not from the browser UI.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-10fcb1b elementor-widget elementor-widget-text-editor\" data-id=\"10fcb1b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis is particularly interesting considering that a recent <a href=\"https:\/\/www.businesswire.com\/news\/home\/20190627005150\/en\/Forty-Percent-Largest-Banks-North-America-Best-Practice\" class=\"broken_link\" rel=\"noopener\">Sectigo study<\/a> shows that 25% of European banks lack EV (though it\u2019s possible that some of these institutions may be in countries that are not part of the EU).\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-de8db11 elementor-widget elementor-widget-text-editor\" data-id=\"de8db11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn section 11 (Protection of Sensitive Payment Data), the guidelines specify that any data used to identify and authenticate customers should be appropriately secured against theft and unauthorized access or modification. 
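As an added example (this is editor-written code, not part of the article and not from the EBA guidelines), here is a stdlib-only Python check for the EV requirement in section 4.2 above: it walks a DER-encoded certificate, pulls the policy identifiers out of the certificatePolicies extension and tests for the CA/Browser Forum EV policy OID 2.23.140.1.1. The sample certificate is constructed inside the block so the check runs offline and is not a real certificate; the function names are my own, and fetch_leaf_certificate is the helper for pointing the same check at a live host.

```python
import socket
import ssl
import sys

# Assumed constants (standard X.509 identifiers, not taken from the article).
EV_POLICY_OID = '2.23.140.1.1'      # CA/Browser Forum EV certificate policy
CERT_POLICIES_OID = '2.5.29.32'     # id-ce-certificatePolicies

def read_tlv(buf, pos):
    '''Return (tag, contents, next_pos) for the DER element starting at buf[pos].'''
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], 'big')
        pos += count
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    '''Split the contents of a constructed element into (tag, contents) pairs.'''
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = read_tlv(contents, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    '''Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted-decimal text.'''
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in raw[1:]:                     # high bit set means the arc continues
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return '.'.join(str(a) for a in arcs)

def certificate_policy_oids(der_cert):
    '''Return the policy OIDs in the certificatePolicies extension ([] if absent).'''
    _, certificate, _ = read_tlv(der_cert, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(certificate, 0)            # tbsCertificate is its first field
    extensions = b''
    for tag, value in children(tbs):
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            _, extensions, _ = read_tlv(value, 0)   # SEQUENCE OF Extension
    for _, extension in children(extensions):
        fields = children(extension)                # extnID, optional critical, extnValue
        if decode_oid(fields[0][1]) != CERT_POLICIES_OID:
            continue
        _, policies, _ = read_tlv(fields[-1][1], 0) # OCTET STRING wraps SEQUENCE OF PolicyInformation
        return [decode_oid(children(info)[0][1]) for _, info in children(policies)]
    return []

def is_ev_certificate(der_cert):
    '''True when the CA/B Forum EV policy OID is asserted (absence is not conclusive; see note).'''
    return EV_POLICY_OID in certificate_policy_oids(der_cert)

def fetch_leaf_certificate(host, port=443):
    '''Fetch the DER leaf certificate a live server presents (network call, not used offline).'''
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed sample data so the check can run offline.
def der(tag, contents):
    '''Minimal DER encoder used only to build the sample certificate.'''
    n = len(contents)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, 'big')
    return bytes([tag]) + length + contents

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))

def build_sample_certificate(policy_oids):
    '''Skeletal DER certificate carrying the given policy OIDs (constructed test data:
    only the fields this walker touches are present, and it carries no signature).'''
    policies = b''.join(der(0x30, encode_oid(oid)) for oid in policy_oids)
    extension = der(0x30, encode_oid(CERT_POLICIES_OID) + der(0x04, der(0x30, policies)))
    tbs = (der(0xA0, der(0x02, bytes([2])))         # version v3
           + der(0x02, bytes([1]))                   # serialNumber placeholder
           + der(0xA3, der(0x30, extension)))        # [3] extensions
    return der(0x30, der(0x30, tbs))

if __name__ == '__main__':
    cert = fetch_leaf_certificate(sys.argv[1]) if len(sys.argv) > 1 else build_sample_certificate([EV_POLICY_OID])
    print(certificate_policy_oids(cert), 'EV' if is_ev_certificate(cert) else 'not EV')
```

Run it with a hostname argument to inspect a live site. A list without 2.23.140.1.1 is not proof that the certificate is not EV, because some CAs assert their own EV policy OIDs, so compare the returned list against the issuing CA's documented EV identifiers as well. The requirement is on the site rather than on one certificate, so the check belongs in whatever process reissues or rotates the certificate, not in a one-off audit.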
Section 11.2 also specifies:\n<blockquote>\u201cPSPs should ensure that when exchanging sensitive data via the internet, secure end-to-end encryption is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data, using strong and widely recognized encryption techniques.\u201d<\/blockquote>\nThese types of data privacy regulations also extend to third-party e-Merchants who store, process, or transmit sensitive payment data:\n<blockquote>\u201cIn the event e-merchants handle, i.e. store, process or transmit sensitive payment data, such PSPs should contractually require the e-merchants to have the necessary measures in place to protect these data. PSPs should carry out regular checks and if a PSP becomes aware that an e-merchant handling sensitive payment data does not have the required security measures in place, it should take steps to enforce this contractual obligation, or terminate the contract.\u201d<\/blockquote>\nWhen the EBA regulation was finalized in 2014, all EU financial organizations would\u2019ve had two months to either comply with the guidelines or to notify the EBA about their reason for not being compliant. Considering it\u2019s now 2019, though, everyone should be compliant with these guidelines at this point.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f9b09e6 elementor-widget elementor-widget-heading\" data-id=\"f9b09e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>4. 
Federal Information Processing Standards \u2013 United States<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a8a7cf1 elementor-widget elementor-widget-heading\" data-id=\"a8a7cf1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6d17be7 elementor-widget elementor-widget-text-editor\" data-id=\"6d17be7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThese federal standards pertain to non-military federal agencies, government contractors, vendors, and other organizations who work with them that \u201cuse cryptographic-based security systems to protect sensitive information.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d86f91 elementor-widget elementor-widget-heading\" data-id=\"4d86f91\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d210a9e elementor-widget elementor-widget-text-editor\" data-id=\"d210a9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe standards state that federal agencies, contractors or vendors must develop and implement cryptographic modules that protect \u201csensitive but unclassified 
information.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e95c1ce elementor-widget elementor-widget-heading\" data-id=\"e95c1ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9767866 elementor-widget elementor-widget-text-editor\" data-id=\"9767866\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf your organization is a federal agency (or works with one) that uses crypto-based security systems, you should ensure that you\u2019re using cryptographic modules that meet the standards\u2019 four increasing, qualitative levels of security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b374ca0 elementor-widget elementor-widget-heading\" data-id=\"b374ca0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f30de7a elementor-widget elementor-widget-text-editor\" data-id=\"f30de7a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/fips\/140\/3\/final\" rel=\"noopener\">Federal Information Processing Standards <\/a>(FIPS), which is mandated by the National Institute of Standards and Technology 
(NIST), is an entire computer security standards program in which certain types of data require specific levels of cryptographic security. This section of our list is, by no means, comprehensive. Rather, it should serve as more of an overview of the newest standard because there is a lot to know about FIPS and we simply don\u2019t have enough time or space in one article to cover it all.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50ec242 elementor-widget elementor-widget-text-editor\" data-id=\"50ec242\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn a nutshell, FIPS 140 defines four security levels against which cryptographic modules are examined as part of its Cryptographic Module Validation Program (CMVP) validation process. It specifies what each level comprises, going as granular as specific ciphers and elliptic curves, but there is no uniform application. It varies from one organization to the next based on their function and the data they collect. When an organization can prove it has satisfied all the requirements, it\u2019s considered FIPS certified. The 140-1 standard was replaced by 140-2 in 2001, which focuses on the cryptographic modules that protect sensitive information.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9a6c5c7 elementor-widget elementor-widget-text-editor\" data-id=\"9a6c5c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\nThe newest <a href=\"https:\/\/www.federalregister.gov\/documents\/2019\/05\/01\/2019-08817\/announcing-issuance-of-federal-information-processing-standard-fips-140-3-security-requirements-for\" rel=\"noopener\">FIPS testing standard<\/a>, FIPS 140-3, will become effective beginning on Sunday, Sept. 
22, 2019. This standard specifies the requirements that any device\u2019s encryption system must meet if it is to be used by the federal government. FIPS 140-3 \u2014 which draws from NIST SP 800-140 and, for the first time, points to the international standard ISO 19790 \u2014 will supersede FIPS 140-2. Testing for FIPS 140-2, the current standard, will continue for at least one more year after FIPS 140-3 testing commences.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d3bbd50 elementor-widget elementor-widget-text-editor\" data-id=\"d3bbd50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSo, what does all of this mean for manufacturers and product testing laboratories? As a <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2019\/04\/nist-links-federal-encryption-testing-international-standard-first-time\" rel=\"noopener\">news release<\/a> from NIST states:\n<blockquote>\u201cAny product that adheres to the international standard\u2014known as\u00a0<a href=\"https:\/\/www.iso.org\/standard\/52906.html\" rel=\"noopener\">ISO 19790<\/a>\u2014will therefore use an encryption approach that is acceptable both within and outside the United States. 
This should streamline a manufacturer\u2019s process for bringing a device to market because it reduces redundancy for companies trying to sell products internationally.\u201d<\/blockquote>\nAlthough there are no penalties for being non-compliant with FIPS regulations, non-compliance does place your organization at a greater risk of data breaches.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-329c45e elementor-widget elementor-widget-heading\" data-id=\"329c45e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>5. General Data Protection Regulation \u2014 European Union<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ff6ca7f elementor-widget elementor-widget-heading\" data-id=\"ff6ca7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b64d50f elementor-widget elementor-widget-text-editor\" data-id=\"b64d50f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis privacy law applies to organizations that use the private data of European Union citizens (known as \u201cdata subjects\u201d in the legislation), regardless of where the organizations are located, for the purpose of:\n<ul>\n \t<li>Offering them goods or services regardless of payment<\/li>\n \t<li>Monitoring their behaviors (that take place within the union).<\/li>\n<\/ul>\nThe regulation does not apply to 
authorities whose purposes are the prevention, investigation, detection or prosecution of criminal offenses or execution of criminal penalties\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c4d854e elementor-widget elementor-widget-heading\" data-id=\"c4d854e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dddc014 elementor-widget elementor-widget-text-editor\" data-id=\"dddc014\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe law states that any organizations who don\u2019t protect personal data using \u201cappropriate safeguards\u201d are non-compliant and may be liable to fines and penalties as a result.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f90dbe0 elementor-widget elementor-widget-heading\" data-id=\"f90dbe0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4>\n<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-821a437 elementor-widget elementor-widget-text-editor\" data-id=\"821a437\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tRegardless of where your business is located, if you process the data of EU citizens, you should ensure that you\u2019re:\n<ul>\n \t<li>Implementing appropriate 
safeguards and measures to protect all private data (which could include data at rest and data in transit protection mechanisms).<\/li>\n \t<li>Regularly testing and evaluating the effectiveness of your technical and organizational measures for security.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c005e66 elementor-widget elementor-widget-heading\" data-id=\"c005e66\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a1d5a60 elementor-widget elementor-widget-text-editor\" data-id=\"a1d5a60\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe <a href=\"https:\/\/gdpr-info.eu\/\" rel=\"noopener\">General Data Protection Regulation<\/a> (GDPR) is a European data protection law with teeth. Since it became effective in May 2018, this sweeping regulation gives data subjects (the EU citizens) the \u201cright of access\u201d to their personal data, as well as the \u201cright to be forgotten\u201d and \u201cright to be informed.\u201d\n\nThis omnibus law is comprehensive in scope and regulates much of what companies around the world are allowed (and not allowed) to do with personal information of data subjects (EU citizens) \u2014 particularly concerning its collection, use, and storage. 
GDPR also specifies who is responsible for the safety and security of that personal data once it is collected.\n\nAccording to <a href=\"https:\/\/gdpr-info.eu\/art-32-gdpr\/\" rel=\"noopener\">Chapter 4, article 32<\/a> of this European data protection law:\n<blockquote>\u201cThe controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:\n\n<strong>the pseudonymisation and encryption of personal data; <\/strong>\n\nthe ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;\n\nthe ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;\n\n<strong>a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.\u201d <\/strong><\/blockquote>\nThe regulation is intentionally vague as to the technical methods that should be used to secure personal data with the exception of explicitly mentioning encryption (though it does not specify any encryption methods). It also places the responsibility on the controller and the processor to recognize and address risks concerning the processing of personal data.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8ea229d elementor-widget elementor-widget-text-editor\" data-id=\"8ea229d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhen it comes to imposing fines and penalties for non-compliance, GDPR shows that it means business. 
<a href=\"https:\/\/gdpr-info.eu\/art-83-gdpr\/\" rel=\"noopener\">Article 83<\/a> states that infringements of some of the provisions within the regulation may \u201cbe subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.\u201d\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ef5d2f8 elementor-widget elementor-widget-text-editor\" data-id=\"ef5d2f8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tDepending on the size of the offending organization, we\u2019re talking about serious fines and penalties for noncompliance. Just look in the headlines for examples of what we mean. Just one year after it became effective, some major companies like <a href=\"https:\/\/www.thesslstore.com\/blog\/google-fined-57000000-for-gdpr-violations\/\" class=\"broken_link\" rel=\"noopener\">Google <\/a>and <a href=\"https:\/\/www.wsj.com\/articles\/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906\" rel=\"noopener\">Facebook<\/a> find themselves potentially facing significant fines over data breaches involving the personal information of EU citizens.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2d1262f elementor-widget elementor-widget-heading\" data-id=\"2d1262f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>6. 
Gramm-Leach-Bliley Act \u2014 United States<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dc23f28 elementor-widget elementor-widget-heading\" data-id=\"dc23f28\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e74a902 elementor-widget elementor-widget-text-editor\" data-id=\"e74a902\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis law applies to financial institutions and organizations of all sizes within the United States (such as banks, securities firms, insurance companies, and other financial service providers) who are involved with providing financial products or services to consumers.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2561003 elementor-widget elementor-widget-heading\" data-id=\"2561003\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-38c895f elementor-widget elementor-widget-text-editor\" data-id=\"38c895f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe law states that companies who don\u2019t protect the integrity and security of consumers\u2019 data are subject to criminal and civil 
penalties.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5cc3968 elementor-widget elementor-widget-heading\" data-id=\"5cc3968\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8c08373 elementor-widget elementor-widget-text-editor\" data-id=\"8c08373\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf your business is located in the U.S. and you process financial information, you should ensure that you\u2019re:\n<ul>\n \t<li>Encrypting all customer information \u201cheld or transmitted\u201d by you using both in-transit and at-rest encryption methods.<\/li>\n \t<li>Protecting against reasonably anticipated threats to the security of the data.<\/li>\n \t<li>Establishing and employing standards and best practices to protect data and access to it.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b385e73 elementor-widget elementor-widget-heading\" data-id=\"b385e73\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b02502 elementor-widget elementor-widget-text-editor\" data-id=\"1b02502\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tLet\u2019s head back 
across the \u201cpond\u201d to the U.S. to discuss a law that was intended to modernize the financial services industry. The <a href=\"https:\/\/www.congress.gov\/bill\/106th-congress\/senate-bill\/900\/text\" class=\"broken_link\" rel=\"noopener\">Gramm-Leach-Bliley Act <\/a>is one that requires financial institutions to protect the privacy of a consumer\u2019s \u201cnonpublic personal information\u201d (NPI) and to communicate their information-sharing practices to them. The encryption law does distinguish between \u201ccustomers\u201d and \u201cconsumers,\u201d and requires notice about your privacy practices to be given to all of your \u201ccustomers,\u201d and to your \u201cconsumers\u201d as well if you share their information in certain ways.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d994ace elementor-widget elementor-widget-text-editor\" data-id=\"d994ace\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\nIn its Privacy Obligation Policy in Title V \u2014 Privacy, the Act states that each financial institution has \u201can affirmative and continuing obligation\u201d to respect the privacy of its customers and to protect the security and confidentiality of their nonpublic personal information. 
It goes on to state that each financial institution:\n<blockquote>\u201cshall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards\u2013\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ce5e061 elementor-widget elementor-widget-text-editor\" data-id=\"ce5e061\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t(1) to insure[sic] the security and confidentiality of customer records and information;\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4439fea elementor-widget elementor-widget-text-editor\" data-id=\"4439fea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2e8e214 elementor-widget elementor-widget-text-editor\" data-id=\"2e8e214\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.\u201d<\/blockquote>\nIn response, the Federal Trade Commission (FTC) released its Privacy of Consumer Financial Information final rule in 2000 and its <a href=\"https:\/\/www.federalregister.gov\/documents\/2019\/04\/04\/2019-04981\/standards-for-safeguarding-customer-information#p-amd-4\" rel=\"noopener\">Standards for Safeguarding Customer Information<\/a> final rule in 2001. 
The latter requires financial institutions to:\n<blockquote>\u201c[\u2026]\u00a0develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.\u201d (16 CFR \u00a7 314.3)<\/blockquote>\nThis is where things get more specific. <a href=\"https:\/\/www.federalregister.gov\/documents\/2019\/04\/04\/2019-04981\/standards-for-safeguarding-customer-information#sectno-citation-%E2%80%89314.4\" rel=\"noopener\">\u00a7 314.4<\/a> of the FTC\u2019s 2001 standards specifies that <strong>every financial organization needs to \u201cprotect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.<\/strong>\u201d If the encryption of customer information isn\u2019t possible for some reason, the rule states that you may instead \u201csecure such customer information using effective alternative compensating controls reviewed and approved by your CISO.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-15702af elementor-widget elementor-widget-heading\" data-id=\"15702af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>7. 
Healthcare Insurance Portability and Accountability Act \u2014 United States<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-384b0e1 elementor-widget elementor-widget-heading\" data-id=\"384b0e1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-238ac6e elementor-widget elementor-widget-text-editor\" data-id=\"238ac6e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe\u2019ll speak more to what it means to protect <strong>data at rest<\/strong> and <strong>data in transit<\/strong> later in the \u201cTakeaway\u201d section of this article. For now, let\u2019s move on to the seventh encryption law on our list.\n\nThis law applies to U.S. 
organizations that handle patients\u2019 sensitive and confidential personal information, including:\n<ul>\n \t<li>health plans,<\/li>\n \t<li>healthcare clearinghouses,<\/li>\n \t<li>healthcare providers, and<\/li>\n \t<li>their business associates.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-094e179 elementor-widget elementor-widget-heading\" data-id=\"094e179\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f000963 elementor-widget elementor-widget-text-editor\" data-id=\"f000963\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe law states that companies who disclose confidential and personal information through any method are liable to varying levels of penalties depending on their level of intention:\n<ul>\n \t<li>Those who \u201cknowingly\u201d obtain or disclose the information face fines of up to $50,000 and up to one year in prison (or both).<\/li>\n \t<li>Confidential and personal health information obtained through \u201cfalse pretenses\u201d can result in penalties of up to $100,000 and up to five years in prison (or both).<\/li>\n \t<li>Offenses committed with the intent to \u201csell, transfer, or use individually identifiable health information for commercial advantage\u201d can result in up to $250,000 in fines and up to 10 years in prison (or both).<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62ce033 elementor-widget elementor-widget-heading\" data-id=\"62ce033\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e78f78e elementor-widget elementor-widget-text-editor\" data-id=\"e78f78e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf your business handles, stores, or processes electronic protected health information (ePHI), then you need to ensure that you\u2019re:\n<ul>\n \t<li>Performing assessments to determine the best methods of protection of ePHI.<\/li>\n \t<li>Adopting integrity controls and encryption as \u201caddressable implementation specifications.\u201d This could include in-transit (SSL) and at-rest data encryption.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2e462f5 elementor-widget elementor-widget-heading\" data-id=\"2e462f5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-059431c elementor-widget elementor-widget-text-editor\" data-id=\"059431c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhat is there to know about <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/PLAW-104publ191\/pdf\/PLAW-104publ191.pdf\" rel=\"noopener\">Healthcare Insurance Portability and Accountability Act<\/a> (HIPAA) data security? A lot, and yet very little at the same time. 
At its core, HIPAA was created to protect and regulate the availability of health insurance policies for all individuals and groups. It is administered by the Department of Health and Human Services\u2019 (HHS\u2019s) Office for Civil Rights (OCR) and has had multiple updates and \u201cguidance notices\u201d issued for it over a 10-year period, including:\n<ul>\n \t<li>Privacy and Security Rules that were added in 2003.<\/li>\n \t<li>The HIPAA Enforcement Rule that was added in 2006.<\/li>\n \t<li>HITECH Act requirements that were incorporated in 2009.<\/li>\n \t<li>The Final Omnibus Rule that was created in 2013.<\/li>\n<\/ul>\nThough it may seem counterintuitive, the <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/security\/index.html\" class=\"broken_link\" rel=\"noopener\">HIPAA Security Rule<\/a> itself is purposefully vague. This is because the legislation\u2019s creators recognized that technology would evolve over time, so they didn\u2019t want to require specific safeguards that could soon become obsolete. Their way around this was to instead outline the responsibilities that any organizations handling the sensitive information would need to address and leave the method of choice up to them. 
This approach aimed to protect privacy without preventing affected organizations from adopting new technologies that would improve patient care and efficiency.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a3af891 elementor-widget elementor-widget-text-editor\" data-id=\"a3af891\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tFor example, <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/ocr\/privacy\/hipaa\/administrative\/combined\/hipaa-simplification-201303.pdf\" class=\"broken_link\" rel=\"noopener\">\u00a7 164.306(a)<\/a> states:\n<blockquote>(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.\n\n(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.\n\n(3) Protect against any reasonably anticipated uses or disclosures of such information<\/blockquote>\nHowever, the rule doesn\u2019t go much into specifics about how the affected organizations or entities should accomplish these tasks. Instead, what it does say in \u00a7 164.306(b) is that:\n<blockquote>\u201cCovered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.\u201d<\/blockquote>\nA few technical safeguards are mentioned in \u00a7 164.312, including:\n<ul>\n \t<li>(2)(iv): \u201cEncryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.\u201d<\/li>\n \t<li>(2)(e)(1): \u201cStandard: Transmission Security. 
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.\u201d<\/li>\n \t<li>\u00a7 164.312(e)(2)(ii): \u201cEncryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.\u201d<\/li>\n<\/ul>\nNote that \u201caddressable\u201d does not mean optional. Under \u00a7 164.306(d)(3), an entity must either implement the specification or document why doing so is not reasonable and appropriate and, where reasonable, implement an equivalent alternative measure. HHS\u2019s breach notification rule also treats ePHI that is encrypted in line with HHS guidance as \u201csecured,\u201d so its loss or theft does not trigger breach notification; that safe harbor is a large part of why encryption is the safeguard most entities choose.\n\nIf you\u2019re looking for more info on HIPAA, the good news is that we\u2019ve written a few blog posts relating to the HIPAA framework and how it aims to help protect electronic protected health information (ePHI). One of these articles breaks down the <a href=\"https:\/\/www.thesslstore.com\/blog\/hipaa-compliance-technical-safeguards\/\" class=\"broken_link\" rel=\"noopener\">technical safeguards<\/a> that HIPAA\u2019s Security Rule requires; others are examples of what happens when healthcare-related organizations are noncompliant or suffer <a href=\"https:\/\/www.thesslstore.com\/blog\/amca-files-for-bankruptcy-just-months-after-data-breach\/\" class=\"broken_link\" rel=\"noopener\">cyber security breaches<\/a>. 
Hopefully, these articles will provide additional insight concerning HIPAA-related data privacy.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-392344d elementor-widget elementor-widget-text-editor\" data-id=\"392344d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tOtherwise, we\u2019re moving on to discuss financial services encryption requirements in the Northeastern U.S.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2cc8667 elementor-widget elementor-widget-heading\" data-id=\"2cc8667\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>8. New York Department of Financial Services \u2014 United States<\/h2>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-98a4cd1 elementor-widget elementor-widget-heading\" data-id=\"98a4cd1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who these encryption standards apply to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9e25565 elementor-widget elementor-widget-text-editor\" data-id=\"9e25565\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThese regulations (23 NYCRR Part 500) apply to covered entities, meaning any person operating under, or required to operate under, a license, registration, charter, certificate, permit, 
accreditation, or similar authorization under the:\n<ul>\n \t<li>Banking Law,<\/li>\n \t<li>Insurance Law, or<\/li>\n \t<li>Financial Services Law.<\/li>\n<\/ul>\nSome companies and individuals are exempt from the requirements of select sections of the regulations, including covered entities:\n<ul>\n \t<li>with fewer than 10 employees;<\/li>\n \t<li>with less than $5 million in gross annual revenue in each of the last three fiscal years; or<\/li>\n \t<li>with less than $10 million in year-end total assets.<\/li>\n<\/ul>\nThe exemption is partial. Such entities are relieved of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.14, 500.15 (the encryption requirement) and 500.16, but they must still run a cybersecurity program, maintain written policies, limit access privileges, manage third-party risk, file a notice of exemption, and report cybersecurity events.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6cc7fad elementor-widget elementor-widget-heading\" data-id=\"6cc7fad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What they require:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0c7855f elementor-widget elementor-widget-text-editor\" data-id=\"0c7855f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe regulation states that it is enforced by the superintendent of financial services under any applicable laws, so noncompliant companies answer to the superintendent\u2019s full enforcement authority.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d8fea7 elementor-widget elementor-widget-heading\" data-id=\"5d8fea7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b02745c elementor-widget elementor-widget-text-editor\" data-id=\"b02745c\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\nIf you are a DFS-regulated entity, or a third party that handles nonpublic information on behalf of one, you should ensure that you\u2019re:\n<ul>\n \t<li>running a cybersecurity program, driven by a documented risk assessment, that includes the use of encryption for nonpublic information in transit over external networks and at rest.<\/li>\n \t<li>using alternative compensating controls, approved by your CISO and reviewed at least annually, where encryption is infeasible.<\/li>\n \t<li>periodically disposing of nonpublic information that\u2019s not necessary for business operations or required to be retained by law or regulation.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f66d463 elementor-widget elementor-widget-heading\" data-id=\"f66d463\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-286c7ed elementor-widget elementor-widget-text-editor\" data-id=\"286c7ed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe New York State Department of Financial Services (NY DFS) put in place its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which went into effect on March 1, 2017. 
These state-mandated requirements aim to protect consumers and businesses alike by promoting \u201cthe protection of customer information as well as the information technology systems of regulated entities.\u201d They hold to certain regulatory minimum standards without \u201cbeing overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.\u201d\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4ef2a12 elementor-widget elementor-widget-text-editor\" data-id=\"4ef2a12\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tUnlike some of the other regulations and laws on our list, the NY DFS mandate does require the use of certain controls, including encryption, as part of its cybersecurity program. This requirement aims to protect sensitive, nonpublic information that is held or transmitted \u2014 meaning it protects both data at rest and data in transit over external networks. According to Section 500.15 (a):\n<blockquote>\u201cAs part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.\u201d<\/blockquote>\nIn the event that encryption isn\u2019t feasible for data at rest and data in transit applications \u2014 which, really, when would that realistically be the case? 
\u2014 \u201calternative compensating controls reviewed and approved by the covered entity\u2019s CISO\u201d may be used instead, and the feasibility of encryption and the effectiveness of those controls must then be reviewed at least annually by the chief information security officer.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5136b03 elementor-widget elementor-widget-text-editor\" data-id=\"5136b03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThese requirements aren\u2019t only expected of the regulated entities themselves \u2014 they also reach third parties who handle nonpublic information. Section 500.11 requires the covered entity\u2019s third-party service provider policy to address the security practices of any provider that has access to its nonpublic information, including, under Section 500.11(b), that provider\u2019s use of encryption to protect nonpublic information in transit and at rest.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-654854d elementor-widget elementor-widget-text-editor\" data-id=\"654854d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tLike the CCPA, the NY regulation has organizational size thresholds, though here they exempt the smallest covered entities from certain requirements rather than defining who is covered. 
For the NY regulation, entities with fewer than 10 employees, less than $5 million in gross annual revenue (in each of the last three fiscal years), or less than $10 million in year-end total assets are exempt from certain requirements.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-191934d elementor-widget elementor-widget-heading\" data-id=\"191934d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>9. 
Payment Card Industry Data Security Standard \u2014 Global<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-66975c7 elementor-widget elementor-widget-heading\" data-id=\"66975c7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who these encryption standards apply to:<\/h4>\n<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fa4505e elementor-widget elementor-widget-text-editor\" data-id=\"fa4505e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThese standards apply to virtually any entity or organization that handles payment card data, including financial institutions, merchants, and service providers. If a bank account number doubles as a primary account number (PAN), as with some debit cards, these standards apply to it as well.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-27ecc27 elementor-widget elementor-widget-heading\" data-id=\"27ecc27\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What they require:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8ee839d elementor-widget elementor-widget-text-editor\" data-id=\"8ee839d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tCompanies that fail to protect cardholder data, including by encrypting it, or that fail to maintain adequate security procedures are liable to fines and 
penalties that are defined by the payment card brands. The PCI Security Standards Council (PCI SSC) itself does not impose consequences, fines, or penalties for non-compliance.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dfd2918 elementor-widget elementor-widget-heading\" data-id=\"dfd2918\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f6c8da elementor-widget elementor-widget-text-editor\" data-id=\"6f6c8da\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSince these standards are issued by a global council, if your business handles, processes, or stores payment card data, you should ensure that you\u2019re:\n<ul>\n \t<li>rendering the primary account number (PAN) unreadable anywhere it is stored. PCI DSS Requirement 3.4 accepts strong one-way hashes of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography with proper key management.<\/li>\n \t<li>encrypting cardholder data with strong cryptography whenever it is transmitted over open, public networks (Requirement 4).<\/li>\n \t<li>implementing appropriate policies, processes, and procedures to protect all payment card data in your possession.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5f4c7a7 elementor-widget elementor-widget-heading\" data-id=\"5f4c7a7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-02cb086 elementor-widget elementor-widget-text-editor\" data-id=\"02cb086\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf you\u2019re an organization that processes, transmits, or stores payment card data \u2014 debit and credit cards alike \u2014 then you ought to be at least familiar with the <a href=\"https:\/\/www.pcisecuritystandards.org\/document_library?category=pcidss&amp;document=pci_dss\" rel=\"noopener\">Payment Card Industry Data Security Standard<\/a> (PCI DSS) v3.2.1. This standard is essential to protecting cardholders and the payment card ecosystem as a whole.\n\nVersion 3.2.1 was a minor revision that clarified existing requirements rather than adding new ones. Like many of the other encryption laws and regulations on our list, PCI DSS does not endorse any specific technologies, products, or services; it states the outcome required and leaves the choice of product to you.\n\nPCI DSS dictates that all entities involved in payment card processing must protect stored cardholder data and encrypt its transmission across open, public networks. 
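As an added example (it is not from the original article or from the PCI SSC), the Go program below implements what PCI DSS Requirement 3 asks of stored PANs and what a practitioner actually needs around it: a Luhn sanity check so that order numbers and timestamps are not mistaken for card numbers, truncation to the first six and last four digits, a keyed one-way hash (HMAC-SHA256) of the entire PAN that can serve as a lookup token, and a scrubber that redacts PAN-shaped values from a log line before it leaves the cardholder data environment. The card numbers are publicly documented test PANs, the log line is constructed for the demo, and the HMAC key is a placeholder; a real deployment keeps that key in an HSM or key-management service under Requirements 3.5 and 3.6.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether a 13- to 19-digit string passes the Luhn check that
// real PANs satisfy. It filters out order numbers and timestamps that merely look
// like card numbers; it cannot prove that a value is a PAN.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// truncatePAN keeps the first six (issuer BIN) and last four digits, the most
// PCI DSS allows to be stored or displayed in the clear, and blanks the rest.
func truncatePAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("X", len(pan))
	}
	return pan[:6] + strings.Repeat("X", len(pan)-10) + pan[len(pan)-4:]
}

// tokenizePAN returns a keyed one-way hash (HMAC-SHA256) of the entire PAN. An
// unkeyed hash would not do: with the BIN and last four known, the remaining
// digits are a small enough space to brute-force. Keep the key out of the
// database that stores the tokens.
func tokenizePAN(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// panCandidate matches 13 to 19 digits optionally separated by single spaces or
// dashes, the shapes in which PANs usually leak into logs and form posts.
var panCandidate = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// redactPANs rewrites every Luhn-valid candidate in a line to its truncated
// form and reports how many it found, so the line is safe to write to a log
// store that sits outside the cardholder data environment.
func redactPANs(line string) (string, int) {
	found := 0
	out := panCandidate.ReplaceAllStringFunc(line, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(digits) {
			return m // an order id or similar, not a card number
		}
		found++
		return truncatePAN(digits)
	})
	return out, found
}

func main() {
	// Constructed log line; the card numbers are publicly documented test PANs.
	line := "2019-08-06T07:04:40Z POST /checkout card=4111111111111111 alt=5500 0000 0000 0004 amount=19.99 order=1234567890123456"
	clean, n := redactPANs(line)
	fmt.Printf("redacted %d PAN(s): %s\n", n, clean)
	// Placeholder key for the demo; production keys live in an HSM or KMS.
	fmt.Println("lookup token:", tokenizePAN([]byte("demo-key-not-for-production"), "4111111111111111"))
}
```

Two design points follow from Requirement 3.4 itself: the hash must cover the entire PAN (hashing only the middle digits is forbidden), and the truncated and hashed forms of the same PAN must never be stored side by side, because together they make the original trivial to reconstruct.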
Requirements 3 and 4, respectively, provide guidelines on:\n<ul>\n \t<li>Protecting stored cardholder data:\n<ul>\n \t<li>through retention and disposal policies, processes, and procedures;<\/li>\n \t<li>by rendering the primary account number (PAN) unreadable anywhere it is stored, using one-way hashing of the entire PAN, truncation, index tokens, or strong cryptography with proper key management;<\/li>\n \t<li>by managing logical access separately from native operating-system authentication when disk-level encryption, rather than file- or column-level database encryption, is used to do so; and<\/li>\n<\/ul>\n<\/li>\n \t<li>Encrypting the transmission of cardholder data across open, public networks (including the internet, wireless technologies, cellular technologies, general packet radio service, and satellite communications).<\/li>\n<\/ul>\nThe <a href=\"https:\/\/www.pcisecuritystandards.org\/pci_security\/why_security_matters\" rel=\"noopener\">Payment Card Industry Security Standards Council<\/a>, a global forum, is the authority responsible for developing these industry standards. However, it is not responsible for enforcing compliance with them \u2014 that\u2019s left up to the five major payment card brands:\n<ul>\n \t<li>American Express,<\/li>\n \t<li>Discover,<\/li>\n \t<li>JCB International,<\/li>\n \t<li>Mastercard, and<\/li>\n \t<li>Visa.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3fa7b8c elementor-widget elementor-widget-text-editor\" data-id=\"3fa7b8c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tPCI SSC also has released a number of other PCI standards and resources, including the <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI-3DS-SDK-Security-Standard-v1.1.pdf\" rel=\"noopener\">PCI 3-D Secure (PCI 3DS) SDK Security Standard<\/a> and the <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/P2PE_Program_Guide_v2.0.pdf\" rel=\"noopener\">Payment Card Industry Point-to-Point Encryption (PCI P2PE) Standard<\/a>. 
These documents provide additional guidance concerning security requirements, assessment procedures, and processes for software development kits and point-to-point products. The current industry standard for P2PE is PCI Point to Point Encryption v2.0. The next version of the standard, PCI P2PE v3.0, is anticipated to be published in Q4 2019 to Q1 2020.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6fe1dca elementor-widget elementor-widget-text-editor\" data-id=\"6fe1dca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThere is much more that could be covered about PCI DSS and other PCI-related standards at the granular level. However, we only have so much time (and we\u2019ve already spent a lot on this so far!). So, for now, we\u2019ll move on to encryption law that hails from the Great White North.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d1e6f70 elementor-widget elementor-widget-heading\" data-id=\"d1e6f70\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>10. 
Personal Information Protection and Electronic Documents Act \u2014 Canada<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-460887f elementor-widget elementor-widget-heading\" data-id=\"460887f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>Who this encryption law applies to:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c789e6a elementor-widget elementor-widget-text-editor\" data-id=\"c789e6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis law applies to private-sector organizations that collect, use, or disclose Canadians\u2019 personal information in the course of commercial activity. That includes businesses whose personal data crosses provincial or national borders, with the exception of organizations whose activities fall entirely within:\n<ul>\n \t<li>Alberta<\/li>\n \t<li>British Columbia<\/li>\n \t<li>Quebec.<\/li>\n<\/ul>\nThose three provinces have private-sector privacy laws deemed substantially similar to PIPEDA, so PIPEDA steps aside for purely intra-provincial activity there; federally regulated businesses such as banks, airlines, and telecommunications companies remain under PIPEDA everywhere. The law does not apply to organizations that don\u2019t engage in commercial activity.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bb3e865 elementor-widget elementor-widget-heading\" data-id=\"bb3e865\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What it requires:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-05484c2 elementor-widget elementor-widget-text-editor\" data-id=\"05484c2\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe law states that individuals and the Office of the Privacy Commissioner of Canada (OPC) can file complaints against companies that do not use collected personal data as specified or that fail to implement appropriate security safeguards. The resulting investigation can lead to fines and penalties against the organization.\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d1776d0 elementor-widget elementor-widget-heading\" data-id=\"d1776d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>What you should do:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-12de518 elementor-widget elementor-widget-text-editor\" data-id=\"12de518\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIf your business handles Canadian consumers\u2019 personal data for commercial purposes, you should ensure that you\u2019re:\n<ul>\n \t<li>Only using consumers\u2019 personal information for the specific purpose for which it was collected.<\/li>\n \t<li>Implementing security safeguards that are appropriate to the sensitivity of the information, which should include encryption.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-67b5aa9 elementor-widget elementor-widget-heading\" data-id=\"67b5aa9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><h4>The nitty-gritty 
details:<\/h4><\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cbd072f elementor-widget elementor-widget-text-editor\" data-id=\"cbd072f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tCanada has its own data privacy regulations \u2014 such as the <a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/\" rel=\"noopener\">Personal Information Protection and Electronic Documents Act<\/a> (PIPEDA). This federal privacy law applies to private-sector organizations and sets out how businesses must handle personal information in the course of commercial activity. Although it is a federal law, it also reaches businesses in provinces with their own privacy legislation whenever personal data crosses provincial or national borders.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-73624e5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"73624e5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bb1f32f\" data-id=\"bb1f32f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-db9fa96 elementor-widget elementor-widget-text-editor\" data-id=\"db9fa96\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tMuch like GDPR, the law specifies that a person\u2019s personal information can only be used for the purpose it was collected \u2014 so a company can\u2019t say they\u2019re collecting the info for service-related functions only and then turn around and use the contact information for marketing purposes. Instead, they\u2019d have to obtain consent again while specifying that the information would be used for that new purpose. The law also specifies that people have the right to access their personal information and challenge its accuracy.\n\nAll businesses operating under PIPEDA are required to follow 10 fair information principles:\n<ol>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_accountability\/\" rel=\"noopener\">Accountability <\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_purposes\/\" rel=\"noopener\">Identifying Purposes <\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_consent\/\" rel=\"noopener\">Consent <\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_collection\/\" rel=\"noopener\">Limiting Collection<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_use\/\" rel=\"noopener\">Limiting Use, Disclosure, and 
Retention<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_accuracy\/\" rel=\"noopener\">Accuracy<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_safeguards\/\" rel=\"noopener\">Safeguards<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_openness\/\" rel=\"noopener\">Openness<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_access\/\" rel=\"noopener\">Individual Access<\/a><\/li>\n \t<li><a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/p_principle\/principles\/p_compliance\/\" rel=\"noopener\">Challenging Compliance<\/a><\/li>\n<\/ol>\nPrinciple 7 (Safeguards) carries the clause that matters most here: personal information must be protected \u201cby security safeguards appropriate to the sensitivity of the information.\u201d The law does not name particular safeguards, which is likely by design given continually changing technology, but in practice that means controls such as encryption, firewalls, and timely security patching, scaled to how sensitive the data is.\n\nNon-compliance should be a concern for covered organizations. 
As Global News <a href=\"https:\/\/globalnews.ca\/news\/4619728\/failure-to-report-canadian-privacy-breaches-could-mean-big-fines-after-nov-1\/\" rel=\"noopener\">reports<\/a>:\n<blockquote>\u201cFailure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.\u201d<\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af9a12e elementor-widget elementor-widget-heading\" data-id=\"af9a12e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2>Bonus Round: The Proposed New York Privacy Act<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-b2934b8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b2934b8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fa0b62e\" data-id=\"fa0b62e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-28c6c39 elementor-widget elementor-widget-text-editor\" data-id=\"28c6c39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tYou may have heard that individual 
states are now working to develop their own version of the CCPA. New York is next on the list with its proposed new privacy legislation known as the <a href=\"https:\/\/www.nysenate.gov\/legislation\/bills\/2019\/s224\" class=\"broken_link\" rel=\"noopener\">New York Privacy Act<\/a> (NY SB 224), or what may be cited as the \u201cRight to Know Act of 2019.\u201d The goal is to modernize the state\u2019s current privacy law to give NY residents more control over their personal information and how it is collected and disclosed.\n\nWhile there are some similarities between the CCPA and the NYPA, there are some notable differences as well:\n<ul>\n \t<li>There is no minimum size for organizations that would be subject to the requirements of the Act.<\/li>\n \t<li>More responsibilities are imposed on businesses.<\/li>\n \t<li>New York residents can sue violating companies directly rather than having to wait on the district attorney or state attorney general\u2019s office to take action.<\/li>\n<\/ul>\nAs of this point, the act doesn\u2019t include any specific methods of protection for consumers\u2019 data, such as the use of encryption or email signing certificates. It also does not specify any government penalties or fines for violations of the act, nor does it outline any actual or statutory damages for consumers. 
Hopefully, the legislation will be updated to provide more specific recommendations or requirements concerning data security methods.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31b334e elementor-widget elementor-widget-heading\" data-id=\"31b334e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Takeaway: What these encryption laws mean for you<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e7e105f elementor-widget elementor-widget-text-editor\" data-id=\"e7e105f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAs we said at the beginning, some of these laws may not apply to your business depending on your industry or location. However, it\u2019s important to be aware of which ones do because some encryption laws and regulations, such as GDPR and PCI DSS, are far-reaching and apply to organizations beyond their geographical borders. The GDPR, for example, applies to organizations inside and outside the EU that handle the personal information of EU citizens, and PCI DSS applies to virtually anyone who handles card payments.\n\nWhat can you do to increase data security? 
In general, there are some methods of protection that should be implemented across the board (regardless of industry or location) to be compliant with data privacy and encryption laws:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ce1e29 elementor-widget elementor-widget-heading\" data-id=\"9ce1e29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Use SSL\/TLS to protect data in transit<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-876353f elementor-widget elementor-widget-text-editor\" data-id=\"876353f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhen you transmit information over an open network such as the internet, you have no control over which servers and devices the information will pass through along the way. This is why it\u2019s imperative that your website, and everything within your organization that communicates over the internet, uses a secure, encrypted connection.\n\nThere\u2019s no way around it: If you handle the transfer of sensitive data such as consumers\u2019 personal and financial information on your website, you need to use a secure, encrypted protocol (HTTPS). This means using an SSL\/TLS (Secure Sockets Layer\/Transport Layer Security) certificate. HTTP is not secure (even <a href=\"https:\/\/www.blog.google\/products\/chrome\/milestone-chrome-security-marking-http-not-secure\/\" rel=\"noopener\">Google says so<\/a>) and leaves your site and its visitors vulnerable.\n\nWhen you use SSL\/TLS on your site, it reassures site visitors by displaying a padlock that shows the site is secure. 
In Google Chrome,\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-120ac41 elementor-widget elementor-widget-heading\" data-id=\"120ac41\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Use other encryption methods to protect data at rest<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-da0fa29 elementor-widget elementor-widget-text-editor\" data-id=\"da0fa29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn addition to protecting data in transit, it\u2019s also vital that your organization protects data at rest. What\u2019s the difference? Encryption of data in transit only protects data while it\u2019s being transmitted through a secure, encrypted channel. Once it arrives at its destination, though \u2014 typically a web server or even another data storage device \u2014 it\u2019s no longer protected by SSL\/TLS and is vulnerable.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b715fc elementor-widget elementor-widget-text-editor\" data-id=\"2b715fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tLet\u2019s consider email as an example. Email involves both data at rest and data in transit. When an email sits in your email inbox, it\u2019s considered data at rest. Once you create a new message and click \u201cSend,\u201d it becomes data in transit. Once it arrives in your recipient\u2019s email box, it again becomes data at rest. 
Wouldn\u2019t you want it to be secure and encrypted to ensure that no one except your intended recipient can access your plaintext message and any attachments?\n\nA Secure\/Multipurpose Internet Mail Extensions (S\/MIME) certificate can help you do just that. S\/MIME certificates are a way to keep your data at rest secure through email encryption. When you send an email using an S\/MIME certificate, you\u2019re taking the plaintext email message you\u2019ve written and encrypting it so that only your intended recipient can decrypt it using the corresponding private key. This means that when you send an email using an email signing certificate, it remains encrypted both when it\u2019s in transit and at rest.\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-11b177c elementor-widget elementor-widget-image\" data-id=\"11b177c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/Encryption-and-Email-1.png\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ff65fc elementor-widget elementor-widget-text-editor\" data-id=\"0ff65fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAn added bonus of S\/MIME is that, because it\u2019s also an email signing certificate, you can use a trusted certificate authority (CA) to authenticate yourself to your email recipient and show that you really are who you claim to be.\n\nSounds like a win-win situation to us.\n\nBut what if you need to encrypt other data at rest that isn\u2019t email? 
Other methods of data-at-rest encryption involve the use of third-party encryption solutions, such as BitLocker or VeraCrypt, that use various encryption algorithms including <a href=\"https:\/\/www.thesslstore.com\/blog\/cipher-suites-algorithms-security-settings\/\" class=\"broken_link\" rel=\"noopener\">Advanced Encryption Standard (AES) or Rivest, Shamir, and Adleman (RSA) encryption<\/a>.\n\nWhat are the differences between these two encryption algorithms? AES is a symmetric algorithm that uses the same key (up to 256 bits) for both encryption and decryption. It\u2019s fast and efficient, and the key is often derived from a passcode. RSA, on the other hand, is what\u2019s known as asymmetric encryption, meaning that it uses a separate public key and private key for the encryption and decryption processes. RSA is a more computationally intensive counterpart that\u2019s best suited to encrypting small amounts of data.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fbfb3a0 elementor-widget elementor-widget-text-editor\" data-id=\"fbfb3a0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tCommercial database solutions (such as MS SQL) also come with encryption solutions for protecting records stored in your database. 
Check your database documentation to see what encryption options are available and to determine whether you\u2019re already using them.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b669aaf elementor-widget elementor-widget-heading\" data-id=\"b669aaf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Final thoughts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5323963 elementor-widget elementor-widget-text-editor\" data-id=\"5323963\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tPhew. That was a lot of information \u2014 and we\u2019ve just touched the tip of the iceberg. There are many other encryption laws in place or in the works around the world. Some laws are comprehensive while others are simpler. A little more than a year after the GDPR launched, we\u2019ve seen several other laws be enacted or at least start the process of development. It\u2019ll be interesting to see what new laws will be put into effect in the next couple of years and how the world of data privacy and encryption regulation will continue to change \u2014 hopefully, for the better.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Every business needs to stay up to date on and comply with the latest encryption and privacy laws. Failure to comply will result in fines that can range upwards of tens of millions of dollars. But which laws do you need to comply with, and what do you have to do? 
For the sake of this article, we&rsquo;re just going to focus on the regulations and laws that require encryption or reference the protection of encrypted data. These regulations and laws are sometimes called data encryption laws, data privacy laws or data protection laws.<\/p>\n","protected":false},"author":602,"featured_media":3536,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[95],"ppma_author":[3308],"class_list":["post-1868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-big-data-amp-technology"],"authors":[{"term_id":3308,"user_id":602,"is_guest":0,"slug":"casey-crane","display_name":"Casey Crane","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_62b93d4d-9128-4c88-bf3a-1ca52c8ea99f-150x150.jpg","user_url":"https:\/\/www.thesslstore.com\/","last_name":"Crane","first_name":"Casey","job_title":"","description":"Casey Crane is Cybersecurity Journalist and SEO Content Manager at The SSL Store\u2122. 
She is a regular contributor to Hashed Out and Infosec Insights with experience in journalism and writing, including crime analysis and IT security."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/602"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1868"}],"version-history":[{"count":8,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1868\/revisions"}],"predecessor-version":[{"id":36898,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1868\/revisions\/36898"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3536"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1868"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}