Understanding Today’s Data Regulations Pt.1

Shimrit Tzur-David | October 23, 2018

Data regulation.

Some are restrictions aim to protect users and some are a framework for better organization security.

The modern phenomenon is set as the legal system is catching up with the ever-expanding connected world we live at, if you agree with regulatory oversight or not the sweeping effects on the world of digital information is enormous. How companies handle private data, the security protocols for a slew of industries, and even standards for private users, are all codified in a wide range of national and international legislation quantifying global threats and determining how to protect the end user better.

Organizations have always had a postmortem approach to data breaches, we learn from mistakes but someone (usually the users) pay for them, regulatory bodies aim to solve this by creating rules and guidelines learning from the mistakes and vulnerability of the many.

When reviewing most data regulations two subjects hold the highest weight, Sharing data and of course authentication, from fraud and credentials theft to accessing critical systems authentication is a field where security is literally the key and regulatory bodies are here to help.

To help understand the ins and outs of this essential topic–and how they affect authenticating digital identities–we’ve put together a two-part series on the most important data regulations that standardize today’s digital sphere answering the who, what and where of each regulation.

CIS Controllers

Who are they?

The Center of Internet Security (CIS) is a not-for-profit organization that develops its own Configuration Policy Benchmarks (CPB). The CPB are essentially guidelines by which organizations can improve their cybersecurity and compliance programs and posture. This initiative aims to create community developed security configuration baselines for IT and Security products that are commonly used by organizations. in addition, CIS puts out a series of protocols called CIS Controls which are updated and reviewed through an informal community process from time to time.

Which Industries?

The CIS’s Controls are recognized as some of the most comprehensive security baselines for most existing systems and are applicable to any industry that utilizes these technologies. The CIS is recommended by industry leaders such as the National Institute for Standards and Technology (NIST).

What is the Goal of the Regulation?

The goal of CIS’s regulations is two-fold. The CIS Controls are a set of recommended practices for securing a range of systems and devices. CIS Benchmarks are guidelines for specific operating systems, middleware, software applications, and network devices, with a strong emphasis on proper configuration. This includes proper security settings for hardware and software on mobile devices, laptops, workstations, and servers. A substantial part of CIS’s recommendations involves proper authentication practices. The organization has laid down the best practices for multi-factor authentication and password strength. CIS Control 5  which deals with access and administrative privilege, advocates for applying a variety of identifying factors in an organization-wide multi-factor scheme.


What is it?

The General Data Protection Regulations are the statutes produced by the European Union governing the handling of digital data. The laws of GDPR represents a paradigm shift in IT regulation as it changes the relationship between enterprises and the personal information they collect and store by placing the liability for breaches on the entity storing that data. Thus the GDPR is a series of obligations companies have when collecting and storing personal data, as well as strict demands on reporting in the event of a breach.

Which Industries?

GDPR applies to any business operating with the European Union or collecting the personal data of a European citizen, even if the company itself is foreign.

What is the Goal of the Regulation?

On the most fundamental level, GDPR seeks to revamp standards in digital information collection and storage to modes of operations that are safe by design. On the organizational end, a company must have strict guidelines to determine any interaction with sensitive information including “the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.” On the technical side, businesses are expected to adopt procedures by which personal data is always under several layers of protection such as pseudonymization and encryption. The difficulty with GDPR is that these authentication requirements are not specified in detail, placing the onus on companies to implement additional layers of authentication for accessing personal data. Easily-compromised credentials are heavily scrutinized by auditors. Additionally, in the event of a breach, liability can be placed at the feet of the organization if regulators determine weak authentication was a factor.


What is it?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of American laws that govern the healthcare system. Enacted by the United States Congress and signed by President Bill Clinton in 1996, the Act consists of five Titles that govern different aspects of the healthcare industry. The section of HIPAA that pertains most to information security is Title II, known as the Administrative Simplification (AS) provisions. Title II regulates the use and disclosure of protected health information (PHI), and mandates security standards required to protect data, especially identifying data for patients, providers, health insurance plans, and employers.

What is the Goal of the Regulation?

The safeguards defined by HIPAA aim to control access to computer systems containing PHI and protect communications pertaining to such data. Under HIPAA, encryption must be utilized when transmitting PHI electronically over open networks to protect against interception by unintended recipients. Parties to those communications must be properly authenticated. HIPAA also heavily regulates the modification of medical-related data and who is authorized to make those changes. Like other similar regulations, entities under HIPAA need to ensure they have strong access credentials for public and private networks, internet portals, computers, email accounts, medical devices, servers, and software applications. Like GDPR, HIPAA does not demand specific authentication tools. Authentication standards of the HIPAA Administrative Safeguards require that covered entities implement “reasonable and appropriate” authentication procedures to verify users accessing PHI. The level of security for given data must reflect the “potential risks and vulnerabilities” of this information becoming exposed.