Businesses in today’s global marketplace face some daunting obstacles: rapidly changing technology, digital transformation, and an increasing number of industry-specific data security and privacy laws. Failure to comply with these laws could lead to costly fines, penalties, and damaged customer confidence. Fortunately, identity and access management (IAM) solutions have evolved to meet the demands of a regulation-heavy marketplace.
From commonly encountered laws to highly granular compliance regulations, a robust IAM program can give institutions broad protection, threat visibility, risk mitigation — and most importantly, peace of mind.
Let’s review seven key regulations that require identity and access management compliance.
The 2016 General Data Protection Regulation (GDPR) is a far-reaching privacy regulation that protects the identity information and personal data of EU citizens — and impacts any company doing business with customers in Europe. GDPR mandates that foreign and domestic companies ensure customer awareness of, and consent to, the access and use of their private data.
Organizations are responsible for the security of data during the collection process as well as storage. A robust IAM solution that satisfies the GDPR compliance requirements for data privacy and security must include:
Data protection is the key to satisfying GDPR compliance requirements. An IAM solution that monitors access to a customer’s personal data is not enough. Under GDPR, consumers have the right to “be forgotten” and to deny or revoke the collection of their data.
An effective IAM solution must track all access to personal data collected and update access rights based on both organizational changes and relevant customer preferences.
Created in response to numerous cases of high-profile corporate fraud, the Sarbanes-Oxley Act of 2002 (SOX) touches on all publicly traded organizations but primarily targets financial services (such as banks and insurance companies). IAM solutions that meet SOX security standards must address both identity management and data security. Sarbanes-Oxley security standards require tested, documented internal controls to ensure the integrity and security of financial reporting — and the integrity of the accounting data that goes into these reports. SOX compliance mandates adequate internal controls for both digital and physical assets. This includes:
Companies can reduce the risk of data breaches by providing granular, conditional access controls — and by automating IAM activities such as user provisioning and de-provisioning, predictive separation-of-duties (SoD) analysis, and access logging and usage tracking. At the end of the day, the ability to produce on-demand evidence for an audit is key to aligning with SOX requirements.
Enacted as a national healthcare standard in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that guarantees the privacy and security of protected health information (PHI) that health insurance and healthcare providers collect and store.
The Department of Health and Human Services (HHS) designed HIPAA to target healthcare organizations with lax security practices around identifiable health information.
HIPAA forced covered entities to ensure that patient data was kept confidential and that access to that data was limited to healthcare providers directly servicing the patient. Much like GDPR and SOX, HIPAA compliance procedures limit access to PHI based on identity and purpose. HIPAA also shares a close relationship with the HITECH Act, which mandates data security for electronic health records (EHR).
As digital healthcare data proliferates, an IAM solution paired with HIPAA compliance policies helps create a wide umbrella of protection against privacy violations. An effective IAM solution must include:
Healthcare-related businesses benefit from the implementation of these IAM capabilities. With effectively managed rights and proper account termination, administrative transactions become less complicated. In addition, automated logging helps HIPAA auditors to verify electronic media policy compliance more easily.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, mandates that financial institutions create and maintain information security programs that protect customer information. The GLBA applies explicitly to sensitive data such as Social Security numbers, credit history, and account numbers. GLBA also includes safeguards for consumer financial information and provides privacy for more benign information such as addresses and phone numbers.
Financial institutions reduce risk when they implement organization-wide “least privilege” policies and safeguard identifiable information according to GLBA privacy rules.
All financial services employees — not just the staff running the security program — should be aware of the Safeguards Rule and comply with federal privacy policies and consumer protection rules.
An IAM solution can proactively improve GLBA compliance through:
Organizations and executives that violate GLBA face significant financial penalties and potential jail time — particularly for those who ignore or willfully circumvent security safeguards. Enforcement of GLBA is handled by the Federal Trade Commission (FTC).
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students in post-secondary educational institutions.
FERPA specifically protects the rights of students to restrict access to student data, educational records, and even public-facing directory information. Eligible students may also prevent or grant record access to their parents.
Other FERPA compliance requirements an IAM solution should address:
The ability to easily manage and track access is key to privacy law compliance. For effective FERPA compliance, IAM solutions should centrally manage and cross-reference accounts of eligible students and their parents, as well as school staff and faculty, and ensure that controls limit access to student records.
Following in the footsteps of GDPR, the 2020 California Consumer Privacy Act (CCPA) brought massive privacy implications for U.S. businesses that serve California consumers. CCPA is similar to GDPR in that it provides California citizens the same level of control over their personal information that EU citizens currently exercise. CCPA regulations apply to any company that generates $25 million or more in gross revenue and collects personal information from California consumers.
IAM solutions that assist in the satisfaction of CCPA compliance requirements for privacy and data security must include:
With CCPA, consumers are in control of their privacy and personal information, with rights to deny or revoke either the collection or the sale of their data. While this parallels the data protection rights under GDPR, enforcement differs.
The SHIELD Act is the common name for New York’s “Stop Hacks and Improve Electronic Data Security Act,” implemented in 2019. Similar to GDPR and CCPA, this data protection act dramatically expands security and privacy notification requirements for companies storing the personal information of New York citizens. Its goal is to enforce better protection of personal data, prevent breaches, and improve consumer notification requirements.
Any organization already in compliance with either HIPAA or GLBA will find similar safeguards in the SHIELD Act. However, SHIELD considers the burden of cybersecurity requirements for small businesses collecting and storing personal information. It adjusts its directives to be appropriate for the size and complexity of the organization.
IAM solutions that address NY SHIELD Act data security standards should include:
As organizations move to the cloud and add more SaaS applications, IT architecture becomes more complicated. To comply with modern privacy regulations, businesses need complete visibility into how and where human and machine identities access protected data — whether in the cloud, hybrid, or on-premises IT infrastructure.
Saviynt goes beyond just IAM. Our converged Platform brings industry-leading, cloud-first simplicity and scale to today’s complex compliance challenges.
With Enterprise Identity Cloud (EIC), you get all five of Saviynt’s flexible, automated, cloud-first solutions in a single, cohesive platform:
Find out how EIC can unify controls and risk management for every identity, app, and cloud across your business and transform your security posture.