In A Brief History of Time, renowned physicist Stephen Hawking writes a succinct book in layman’s terms about the structure, origin, development and eventual fate of the universe. The goal is to explain to non-astrophysicists how it all came to be, so that everyday people can understand the universe a little better. While not quite as complex as astrophysics, IAM teams face an uphill climb in understanding the evolving compliance landscape and how it affects how adequately they govern their identities.
Understanding the history and backdrop of compliance helps point us in the right direction for meeting the various compliance and audit mandates that face organizations today. Here’s a quick snapshot of some of the most significant legislation of the past 30 years that might help you better understand this increasingly complex landscape:
- The European Union Data Protection Directive (EUDP) was passed in 1995. Introduced by the European Union, the directive was meant to regulate the processing of an individual’s personal data, and is viewed by many as the predecessor to GDPR.
- The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The goal of HIPAA was to provide stronger data privacy and security provisions for safeguarding medical information, particularly to ensure that patient health information (PHI) is not shared without the patient’s consent or knowledge.
- The Data Protection Act of 1998, passed seven years after the introduction of the internet, was designed to protect personal data stored on computers, or within organized paper filing systems. It leaned heavily on EUDP provisions surrounding how data was processed, protected, and moved.
- The Freedom of Information Act 2000 provided public access to information that was held by the British government, local authorities, the NHS, state schools, and police forces. The act ensured that public authorities had to publish certain information, and that members of the public could request whatever information public authorities had on them.
- The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to develop, document, and implement agency-wide programs to secure information needed to support agency operations and assets. FISMA also helped in reaffirming NIST’s role of developing information security standards and guidelines that have become more and more prevalent in recent years.(1)
- Sarbanes-Oxley (SOX) was also enacted in 2002, largely in response to the Enron and WorldCom scandals. SOX compliance is rooted in standardizing how public companies in the United States disclose financial and accounting information. It pertains to cybersecurity in how public companies implement controls over the IT infrastructure and applications that house this type of financial information.
- California Senate Bill 1386 went into effect in 2003 and was a precursor to how organizations disclose data breaches. Under the law, state agencies, or people working with the state, are mandated to disclose a data breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- The Payment Card Industry Data Security Standard (PCI), initially introduced in 2004 and firmly established in 2006, applies to every merchant that accepts credit cards and ensures that they have proper controls for security management, including policies and procedures for how they process and store credit card information.
- In 2010, the landmark Dodd-Frank Act was created in order to increase transparency and accountability within the financial industry. There are several key provisions within this legislation, among them that large financial institutions must establish risk committees on their boards, and that these organizations must disclose cyberattacks to their customers.
- FISMA was reformed in 2014 and now requires each federal agency to implement information security controls on the systems that support the operations and assets of the agency, including those provided by another agency, contractor, or other source.
- The General Data Protection Regulation (GDPR), implemented in 2016, was a landmark in cybersecurity and data protection, and lays out seven key principles that apply to any business that has consumers in the European Union. The seven principles relate to: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.(2)
- The Data Protection Act of 2018 was meant to supplement GDPR regulations and extended data protection controls to all individuals located in the European Economic Area, regardless of the business’s location and the data subjects’ citizenship or residence.
- The California Consumer Privacy Act (CCPA) was signed into law in 2018 and was meant to enhance privacy rights and consumer protection for residents of California. It was seen as a natural successor to GDPR, and has inspired similar legislation in more states since its passing.
Compliance is an ever-changing target, with new legislation being brought to the forefront of our attention every day. The vast compliance landscape often leads IAM teams to scramble, first to identify which pieces of legislation are relevant to them, based on geography, customers, business type, size, and more, and then to implement proper controls. Read more about the four ways that modern IGA solutions can help organizations meet various compliance mandates.
(1) NIST Risk Management Framework | CSRC
(2) The principles | ICO