7 min read

Staying Ahead of Regulatory Compliance Changes as Data Breaches and Penalties Reach Record Highs

Featured Image

Keeping up with changes to IT regulatory compliance and governance can be challenging due to their ever-evolving nature. Not only must organizations mitigate risks, protect sensitive data and prevent company financial and reputational loss, they also are adapting to societal changes that are driving transformation in the IT landscape. As more consumers utilize digital tools and services in their everyday lives, they are taking a vested interest in how their personal information is stored and used. They are placing greater social responsibility on companies to protect their data and act ethically at a time when record-high data breaches, fraud cases and regulatory noncompliance fines are the norm.

  • 2021 was a record-breaking year for data breaches. There were 1,291 data breaches by the end of September – an increase of 17% from 2020. (Security Magazine)
  • Amazon was given the largest General Data Privacy Regulation (GDPR) fine issued to date – $887 million. (Tech Crunch)
  • JPMorgan Chase is paying $200 million in fines to the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) to settle charges for violating federal record-keeping laws by allowing employees to conduct business over WhatsApp and personal devices. (Washington Post)
  • More than 40 million patient records were compromised by incidents reported to the federal government in 2021. (Healthcare IT News)
  • There has been a 437% increase in ransomware attacks in the past year, many of which happened following an announcement of a company merger or acquisition. The transitional phase that comes with a merger or acquisition can make a company a prime target for an attack. (Dark Reading)

The financial services, healthcare and manufacturing sectors are among the industries hardest hit by data breaches. According to the Identity Theft Resource Center, there was an increased lack of transparency in breach notices at both the organization and government level. While few reforms aimed at decreasing regulatory issues were adopted last year due to the pandemic, these highly regulated industries can expect to see some changes implemented in the near future.

Financial Services: Staying Compliant with Federal Banking Regulations

  • By May 1, 2022, banks will be required to notify their federal regulator if a computer security incident occurred as soon as possible and no later than 36 hours after a known incident. The new rule passed by the Federal Reserve, FDIC and the Office of the Comptroller of the Currency (OCC) also requires bank service providers to notify an affected bank if an incident could disrupt, degrade or impair services for four or more hours. 
  • The Federal Trade Commission recently announced updates to the Gramm-Leach-Bliley Act (GLBA) that amend standards for safeguarding customer information. Changes to the Safeguards Rule require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers and payday lenders to develop, implement and maintain a comprehensive security system to keep information safe. This includes specific security controls, new requirements for risk assessments and new accountability and reporting requirements. The changes include limiting who can access consumer data and use encryption to secure the data. Institutions must also explain their information sharing practices and allow customers to opt out of having their information shared with certain third parties. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors or a senior officer in charge of information security. Additional changes could require financial institutions to report certain data breaches and other security events to the FTC. 
  • The Financial Services Committee is discussing changes to the credit reporting system and the use of alternative data, credit scoring and limits on the uses of credit information. 
  • The Consumer Financial Protection Bureau (CFPB) is looking into risks and practices associated with the ‘buy now, pay later’ trend, which is a popular method for consumers to purchase online goods. The CFPB is concerned about how quickly consumers are accumulating debt and would like to understand how customer data is being utilized. 

Healthcare: Enhancing Patient Access to Care Records

In 2021, the HIPAA Safe Harbor Bill amended the Health Information Technology for Economic and Clinical Act (HITECH) that now includes provisions that require the Department of Health and Human Services (HHS) to provide regulatory relief and other incentives to healthcare entities for voluntarily adopting recognized cybersecurity best practices and protocols. Proposed changes to HIPAA’s Privacy Rule could be issued in 2022. Regulations under consideration include changes to how substance abuse and mental health information records are protected.

  • As part of ongoing reforms to the 21st Century Cures Act, the federal government is implementing an Information Blocking Rule that affects the rights of patients and third parties to access medical records from providers. The rule was established to enhance patient access to medical records and help to communicate seamlessly across various software platforms and electronic devices. The new regulations apply to healthcare providers, health information tech companies, health information networks and exchanges. After Oct. 5, 2022, the rule will apply to all electronic protected health information (ePHI) as defined by HIPAA, including billing records, consultation notes, lab reports and more. Providers should contact their Electronic Health Records providers to ensure compliance and access to help improve care coordination. While provider negligence wouldn’t constitute a violation, intent to block or prevent access could result in noncompliance. These changes also could spur updates to state laws regarding timely access to health records. 
  • Keep an eye out for potential changes to telemedicine regulations. Certain licensing requirements and HIPAA regulations were loosened during the pandemic.
  • In the year ahead, there’s expected to be greater awareness of state laws on protected health information and hospitals using their own health information system rather than big providers who have unified PHI management and controls.  

Manufacturing and Supply Chain: Planning Ahead to Keep Production Moving

  • Ransomware and supply chain cyberattacks increased this past year, resulting in company shutdowns. In one such attack, Colonial Pipeline paid hackers nearly $5 million to regain control of its data. Conversations are expected to continue in 2022 regarding the legality of ransomware payouts. Last September, the Treasury Department’s Office of Foreign Assets Control updated its guidance on whether it might sanction companies that pay ransomware to countries, organizations and people on an embargo list.
  • How companies in the manufacturing sector manage and share data will likely be placed under a microscope. Therefore, companies may move at a faster pace to address data management and privacy concerns.
  • The U.S. National Institute of Standards and Technology (NIST) wants to update its Cybersecurity Framework to make it more concise and include guidance for supply chain security issues. The Cybersecurity Framework is a voluntary set of cybersecurity guidelines widely used across different industries in the U.S. and around the world. 

Government and Infrastructure: Patching at Risk Networks and Systems

  • Updates to the National Defense Authorization Act recently excluded provisions that would have mandated timeframes for critical infrastructure companies to report major cyberattacks and ransomware payments to federal officials. 
  • To promote good cyber hygiene, the Cybersecurity and Infrastructure Security Agency (CISA) recently implemented a Binding Operational Directive (BOD), which requires federal agencies to patch hundreds of unknown vulnerabilities that present a significant risk to networks. State organizations also will have to mature their security, in addition to enterprises wanting to do business with government agencies.

GDPR: ePrivacy Regulation clarification

General Data Privacy Regulation (GDPR), a data privacy law adopted by the European Union in 2018, puts tighter obligations and restrictions on data controllers and data processors to protect European citizens from privacy and data breaches. GDPR impacts companies that either offer goods and services to European citizens or collect data from people living there, regardless of company location. An updated proposal to the ePrivacy Regulation is expected to clarify who is responsible for obtaining consent to store cookies – data generated by a website that is stored on a user’s computer. Some big-name companies have recently been fined for cookie consent violations. Regulators are closely monitoring vulnerabilities and potential privacy risks that artificial intelligence, machine learning and other tech automation tools create.

Most of the legal and regulatory concerns in 2022 will focus on awareness of state laws on data privacy and breach notification. Regulatory compliance, the underwriting process and contracts will only get more complex from here, especially as more local governments create their own data privacy regulations that may differ from other domestic and international privacy laws. In addition, the definition of what constitutes as personal information has changed over time to include data such as internet searches and transactions, social media posts, photos, IP addresses and more. 

Businesses are being held more accountable as the substantial increase in privacy-related enforcement actions from federal agencies sheds light on the need for them to have sound cybersecurity policies, procedures and risk mitigation tactics that prevent the exposure of personal information. This means implementing tactics, such as multi-factor authentication, patch management and encrypted backups into IT environments, as well as building a culture of compliance within an organization will also become increasingly more important. Evolving company culture begins from the top and filters down to all departments to create company-wide awareness and cross-functional teams that are regularly updated on upcoming changes to regulations, potential impacts and what they can do to address them.

Partnering with an IT vendor can help take the burden off of tech teams to monitor, understand and communicate changes. At FNTS, we are a trusted advisor to companies in highly regulated industries to ensure they stay steps ahead of the latest changes to compliance and can implement organizational requirements to prevent and minimize risk to reputation and consumer confidence.