With the passage of the California Privacy Rights Act (CPRA), U.S. data privacy law entered a new era. In addition to establishing the first data protection enforcement agency in the U.S., the CPRA ushers in several stringent requirements for insurers and their service providers and is likely to serve as a model for other states considering similar legislation. As we head into 2021, your business should be on notice that data privacy requirements are about to get a lot tougher and ensure that your service providers have put the appropriate safeguards in place to protect your personal information.
While laws like the CPRA require insurers to protect sensitive data, they often give businesses little guidance on how to secure the information systems that process that data. If your business is wrestling with the growing patchwork of data privacy and security requirements, selecting service providers that have certified against an industry-recognized security framework like HITRUST CSF can help you streamline your compliance efforts while providing powerful validation that your service providers have implemented industry standard security programs and best practices.
HITRUST CSF – Not just for healthcare anymore
When vetting service providers, looking at their security certifications is an important starting point. However, not all security certifications are created equal, and relevance will vary depending on your industry and location. In terms of scope, HITRUST CSF offers one of the most comprehensive certifications available. The Common Security Framework consists of 270 requirements spread across 19 domains ranging from access controls and business continuity to risk management and data protection and privacy. Although HITRUST CSF was originally developed to help healthcare organizations address the security requirements of the HIPAA Security Rule, the framework has now been aligned with the controls of other industry standard cybersecurity frameworks, making it an elite certification across multiple industries — like P&C and life insurance — around the globe.
The broad-based appeal of HITRUST CSF is due in large part to its “assess once, report many” approach to certification. HITRUST CSF draws on multiple security frameworks, including ISO 27001, PCI DSS, NIST 800-53 and the NIST Cyber Security Framework. Because so many HITRUST CSF controls align with those of other security frameworks, certification against HITRUST CSF helps businesses comply with a wide range of security and privacy frameworks while streamlining the assessment process.
Getting certified – What’s involved?
In terms of getting certified, HITRUST CSF offers one of the most rigorous assessments available. Organizations begin the certification process by engaging an external assessor approved by HITRUST to perform a validated assessment. More than other certifications, HITRUST CSF also stresses the importance of developing and implementing the appropriate policies and procedures to safeguard covered information. This combined emphasis on program development and independent third-party assessment places HITRUST CSF in a league of its own when it comes to validating your program to customers concerned about the security of their data.
Once organizations do achieve HITRUST CSF certification, they must demonstrate a continuing commitment to data privacy and security through annual assessments. In addition to the validated assessment, which is performed every other year, organizations must complete an interim assessment that is more limited in scope during the intervening years. This annual review cycle ensures that service providers engage in continuous monitoring and improvement of data security and privacy rather than adopting a “one and done” approach to compliance.
One size does not fit all – Which certifications should your service providers carry?
While HITRUST CSF is intended to harmonize requirements across several security and privacy frameworks and legal requirements, many service providers find it useful to maintain multiple certifications. These certifications represent some of the most widely recognized options available to businesses that process sensitive information:
- PCI DSS – Companies that process credit card transactions should maintain PCI DSS certification, which is overseen by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS certification requires businesses to meet stringent requirements and engage in continuous monitoring throughout the year. Requirements address seven critical security controls, including change management processes. Other requirements include biannual penetration testing of internal and external networks by an independent third party, as well as quarterly vulnerability scanning of your organization’s information systems.
- ISO 9001 & 27001 – The International Organization for Standardization (ISO) publishes international standards that address best practices for a wide range of industries and applications. ISO 9001 is a formal Quality Management Program developed by the USPS and major mailers specifically for the mailing industry. The widely known ISO 27001 standard provides requirements for establishing and maintaining an information security management system (ISMS). While organizations can certify against ISO 27001, it is not obligatory, and many organizations choose to address ISO 27001 requirements without pursuing formal certification.
- SOC 2 – SOC 2 reporting is not a certification, per se. Rather, it is a report in which organizations attest to five Trust Services Criteria: Security, Availability, Confidentiality, Privacy and Processing Integrity. SOC 2 reports are widely accepted across many industries and can be obtained in conjunction with security certifications. For example, some organizations choose to obtain a SOC 2 report based on HITRUST CSF control requirements.
- FISMA – The Federal Information Security Management Act (FISMA) is a United States federal law that requires federal agencies and contractors to develop, document and implement an information security and protection program. FISMA certification demonstrates compliance with the NIST 800-53 baseline security controls for federal information systems and organizations. Requirements include maintaining an up-to-date system inventory, categorizing data, selecting and implementing NIST security controls, developing a System Security Plan, performing continuous monitoring and conducting annual risk assessments.
- USPS Platinum Full-Service Certification – Platinum Full-Service Certification is reserved for mailers who consistently meet USPS mail quality thresholds, have a formal Quality Management Program and pass an internal audit and an independent external audit by a certified Quality Auditor. Only a handful of mailing service providers in the U.S. have achieved USPS Platinum Full-Service Certification. Thus, any vendor that maintains this certification is in select company.
As more states enact tough data protection legislation, validating the security of your service providers will become increasingly vital. Moreover, while it’s never too late to make a good impression, it can be really tough to earn back the lost trust of your customers following a data breach. Verifying that your service providers maintain rigorous, relevant, industry-recognized certifications is one of the most important steps you can take to protect your data and inspire the confidence of your customers.