PCI, PII, GDPR and HIPAA are all standards that have been defined to ensure data security. They are all different, created by different bodies and have different compliance guidelines. Why should you care? Because as a business, you are subject to these safeguards and breaching any of these can result in material losses to your business in the form of penalties, loss of business, and in some cases, possible criminal charges.
Hybridge helps many of its clients navigate the various requirements and standards applicable to their business. Below we have summarized some of these standards for your reference.
The Standards – definition and overview
PCI
PCI is the Payment Card Industry Data Security Standard. It was created by the five major credit card brands and defines regulations for keeping card data safe. If you take credit cards as a method of payment, these rules and regulations apply to your business regardless of your size.
Credit card theft costs small businesses at least $20,000 per data breach on average. If a breach occurs and the business is not following PCI compliance regulations, the business can be charged fines as great as $50,000.
PII
PII is short for Personally Identifiable Information. It is any data that, directly or when combined with additional or indirect data, can uniquely identify an individual. If you store personal customer data, you should be familiar with PII. For the US federal government it is defined by the OMB (Office of Management and Budget) and by NIST (National Institute of Standards and Technology).
There are no hard guidelines regarding PII compliance, and it is assessed on a case-by-case basis. However, there are heavy fines for data breaches that can reach up to $25,000 per incident.
GDPR
GDPR is the General Data Protection Regulation, which comes into force in May 2018. It is defined by the EU, but its reach extends to US companies because it specifies rules for the management of data belonging to EU citizens (if you have EU-based customers) and for EU-based entities (if you have a presence in the EU).
Penalties are hefty and compliance may be tricky. However, if you are doing business in the EU, you should get familiar with the details of GDPR.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 established standards for the confidentiality, security and transmission of health care information. There are four types of standards: privacy, security, enforcement and breach notification. It applies to any business that handles health information.
Penalties are assessed based on the level of negligence and can include both financial penalties and, in some cases, criminal penalties.
While understanding each of these standards and crafting a compliance plan might seem daunting, it is worth your while to assess whether any of them apply to your business and to determine your level of exposure.