If your business is a financial or healthcare institution, or you accept credit cards, you may want to pay close attention as there are a number of regulatory updates in store for 2019.
Let’s take a look.
GLBA: Financial Institutions May Not Have To Send Annual Privacy Notices
The Bureau of Consumer Financial Protection announced amendments to the Gramm-Leach-Bliley Act (GLBA) that actually took effect in September 2018.
The GLBA is legislation that requires financial institutions to send annual privacy notices to their customers, provide measures to protect private data, and to describe “whether and how they share customers’ nonpublic personal information” (NPPI).
The late 2018 changes now exempt institutions from providing the annual privacy notices if they meet two rules, per Drinker Biddle & Reath:
-
“The institution only shares NPPI with nonaffiliated third parties only under one of the GLBA statutory safe harbors that do not trigger a customer’s right to opt out of such sharing; and
-
The institution has not changed its NPPI disclosure policies and practices from the policies and practices in the institution’s most recent annual notice to customers.”
If you meet those criteria, you may no longer be required to send your customers your annual privacy notice.
PCI DSS: A Minor Update For Past Deadlines
The PCI Data Security Standard is used by businesses around the world to safeguard credit card data before, during, and after a purchase is made.
“PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and secure socket layer (SSL) / early transport layer security (TLS) migration deadlines that have passed,” according to a news release issued in May. “No new requirements are added in PCI DSS v3.2.1.”
All validations of the PCI DSS must be at least v3.2.1 as of January 1, 2019. Until then, PCI DSS v3.2 will remain valid.
HIPAA: Health Institutions Required To Report Data Breach Response Plan
Finally, the Health Insurance Portability Accountability Act (HIPAA) protects you from, among other things, nonprivileged people and businesses from seeing your private medical data.
As of 2019, HIPAA will require that businesses who suffer from a data breach must have procedures in place to track, investigate, and report the breach to the Department of Health and Human Services Office for Civil Rights.
This is especially important as the cost of data breaches is expected to hit $2.1 trillion in 2019 “as a result of the increase in cybercrime and the sheer scale of data that will be recorded on consumers’ lives."
If any of these regulations affect your business, please keep them in mind for 2019 to ensure that your business stays compliant.