Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) covers a wide range of topics, including specific standards for securing the privacy of healthcare-related data. Two parts of HIPAA in particular require healthcare providers to maintain standards for data integrity, data access, and audit controls for Protected Health Information (PHI).
The HIPAA Privacy Rule
HIPAA’s Privacy Rule restricts the use and disclosure of PHI. Under the law, organizations must provide security and privacy for personal health information to guard against reasonably anticipated threats or hazards, both in transit and in storage.
However, implementing and subsequently using the BCSoTX solution does not require or involve the use or disclosure of PHI. In fact, original versions of documents, once backed up, cannot be accessed except by authorized personnel.
BCSoTX’s complete data protection platform also includes encryption in storage as well as during transmission for an added level of security.
The HIPAA Security Rule
HIPAA’s Security Rule sets forth administrative procedures, physical safeguards, and technical safeguards to protect access to PHI. This is where the BCSoTX solution can play an important role.
BCSoTX allows simple implementation of a disaster recovery and data backup plan. You can select and schedule what to back up and when to back it up. All data sent to our data center is encrypted with a unique AES 256-bit encryption key, the government standard for top-secret documents, before transmission. BCSoTX’s SSAE-16 Type II data center meets the highest industry security standards and contains world-class hardware. Data center access is strictly limited and enforced by use of CCTV, biometric technology, and 24/7 personnel. Finally, in the event of a disaster, your data will be shipped to you fully loaded on the local device.
Gramm-Leach-Bliley Modernization Act (GLBA)
The GLBA is broken down into three sections:
Rules on the collection and sharing of private financial information
Data safeguards required to protect private information
A provision prohibiting anyone from obtaining private information under false pretenses.
GLBA Data Sharing Disclosure
The GLBA applies to non-bank mortgage lenders, loan brokers, specific financial or investment advisers, tax preparers, real estate settlement services providers, and debt collectors who are “significantly engaged” in financial activities. These institutions must send yearly privacy notices to customers that disclose their information sharing and protection practices. Customers – those who have a continuing relationship with a financial institution – can limit some sharing of their information, but not all of it. Consumers – those who obtain or have obtained financial products or services from financial institutions – are entitled to yearly privacy notices if an institution shares their information with a third party not affiliated with that institution.
The Act poses a significant compliance challenge mainly to small and mid-sized financial institutions that are also trying to set their own security policies. BCSoTX helps to lessen this burden, particularly in terms of safeguarding data. BCSoTX stores data in its SSAE 16 Type II data center, which meets the highest industry security standards. In the event of a network disruption, when a financial institution has to fail over an office carrying sensitive data, BCSoTX gives that institution the same complete data access control over the virtualized servers as it has over the original servers.
Sarbanes-Oxley Act (SOX)
To fully comply with SOX, companies must adopt a specialized compliance archival system. These systems provide three specific services that data protection services do not:
1. Segments and separates a record which needs to be retained by law.
2. Applies an exact hold date to the record so that the data is removed at an exact moment, releasing the company from liability.
3. During the retention period, the system locks the file, preventing tampering.
To further illustrate the differences between a specialized compliance archival system and data protection software, consider your email inbox. Data protection software takes a snapshot of your inbox each evening and sets it aside for retrieval in case your email system goes down. However, this image cannot capture emails sent to the auditing firm and then deleted from the “Sent” folder if these actions occur between evening backups. No data protection service can back up and separate in real time all active and open files, much less segregate those applicable to an audit.
Specialized compliance archival software, however, can be configured to capture all emails sent to the auditing firm the moment the user hits “send.” An employee’s later deletion of the email from the inbox will not affect the compliance archival software’s ability to store that email in an unadulterated format for the statutorily required seven years.
But other data protection companies state they can help me comply!
Data protection companies can help you comply with SOX, but they cannot guarantee SOX compliance. Even if your company purchased a data protection service and implemented internal controls consistent with SOX, you still need a way to segregate and save, in real time, communications relevant to an audit.
How can BCSoTX help and why do data protection services still matter?
SOX places the onus on the corporation to retrieve its audit trails in the event of an investigation. Specialized compliance archival software can keep the relevant files locked and safe. BCSoTX can back up and protect the specialized compliance archival system because this data is treated like any other data in the company. It is a single copy of data, vital to a company’s financial and reputational state. BCSoTX can keep this data safe at our SSAE-16 Type II data centers. By backing up your data on the local appliance and in the cloud, we give the company audit committee the peace of mind it needs.
Payment Card Industry Data Security Standard (PCI DSS)
Any business that accepts credit card payments or stores, processes, and/or transmits cardholder data must comply with PCI DSS.
BCSoTX encrypts all of its customers’ data, whether the data is in transit or at rest in our secure SSAE-16 Type II datacenter. That means the BCSoTX solution helps businesses comply with the sections of PCI DSS that require protection of stored cardholder data and encryption of cardholder data transmitted across open, public networks.
Laws and regulations are rarely straightforward, but BCSoTX alleviates much of your industry compliance burden by providing security measures that meet or exceed most standards. For example:
1. Our datacenters are SSAE-16 Type II certified and located on opposite North American coasts.
2. Our hardware meets the highest industry security standards for reliability and performance.
3. All data is encrypted – both in transit and while at rest – with a unique encryption key that meets the government’s FIPS 140-2 standard for top-secret documents.
4. Datacenter access is strictly limited and enforced by the use of CCTV, biometric technology, and 24/7 personnel.
5. The original version of data and applications, once backed-up, can only be accessed by authorized personnel that you identify.
The following lists some of the specific regulations that BCSoTX end-users must frequently comply with and how we help end-users meet each of these compliance standards:
Red Flags Rule Compliance
The Red Flags Rule, which is enforced by the Federal Trade Commission (FTC), came about as a way to protect consumers from identity theft. Based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, the rule mandates that businesses create and implement a written Identity Theft Prevention Program to detect “red flags” in their everyday operations and identify ways to prevent security breaches. The rule applies to financial institutions and creditors, including (but not limited to) law firms, accounting firms, utility companies, medical practices, and hospitals. Failure to comply with the federal rule can result in a $3,500 fine per violation and/or a federal lawsuit filed by the U.S. Department of Justice on behalf of the FTC to compel compliance in the future.
There are four steps that businesses must follow to achieve compliance with the Red Flags Rule.
1. Identify “red flags” and possible situations where your data could be vulnerable to identity theft.
2. Incorporate business practices to detect red flags.
3. Have a detailed, appropriate response to prevent identity theft once red flags are detected.
4. Keep your plan up to date to reflect changes in risks from identity theft.
For BCSoTX users, step one will be the most critical to developing a plan. But with BCSoTX, you can rest assured that your data is fully protected with government-standard data encryption, accessible only by authorized personnel that you identify, whether in transit or while in one of the Axcient datacenters.
FINRA and MSRB
The Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB) are private corporations that act as self-regulatory organizations (SROs). Brokerage firms and individual brokers must be members of one of these SROs, which:
Have regulatory authority over securities firms.
Write rules for dealers and municipal advisors.
Inform and educate the investing public.
Ensure the market operates fairly and with integrity and transparency.
In addition, FINRA oversees business between brokers, dealers, and the investing public; enforces rules and federal securities laws; monitors broker-dealers; and manages the largest arbitration forum between customer and member firms, as well as between brokerage firms and their employees.
BCSoTX provides the security and retention standards users need to comply with MSRB record retention rules and FINRA rules 4511 to 4515. The MSRB requires businesses to keep records for various durations depending on the types of records retained. FINRA requires all records to be kept for six years. In both cases, you can set the Axcient platform retention to make sure your records are protected and always available for any length of time, from anywhere, no matter what happens.
BCSoTX PROVIDES EASY COMPLIANCE AND PEACE OF MIND
No matter what industry rules or regulations you need to follow, BCSoTX ensures your data, applications, and systems are securely protected and instantly recoverable from anywhere. With BCSoTX’s SSAE-16 Type II certified datacenter, FIPS 140-2 standard encryption, reliable technology, and easy-to-use Web interface, achieving regulatory compliance and complete data, application, and system uptime is easier than ever.