For years, compliance with data privacy regulations involved completing an annual audit and checking some boxes to satisfy industry requirements. You’ve probably heard of major regulations and standards, including:
- The Health Insurance Portability and Accounting Act (HIPAA) for health information.
- The Gramm Leach Bliley Act (GLBA) for banks and financial institutions.
- The Payment Card Industry Data Security Standard (PCI DSS) for companies that handle credit card information.
Today, data privacy is a day-to-day responsibility of not only the IT and compliance folks, but all employees, business partners, and vendors. Regulations enacted in recent years, such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act, and the New York SHIELD Act, have broadened the scope of data privacy requirements and introduced new consumer rights with regards to controlling and accessing their data.
Given increasingly stringent data privacy rules, severe penalties for noncompliance, and a number of high-profile data breaches, it’s no surprise that 44 percent of CEOs rank data privacy among the three policies that are most impactful of their business, according to a 2020 PwC survey. Nearly seven in 10 are “very actively” looking to shape data privacy policy.
What Is the HITRUST-CSF Certification?
The Health Information Trust Alliance Common Security Framework (HITRUST CSF) is a framework of controls and standards created to help organizations satisfy security, data privacy, and compliance requirements. HITRUST CSF covers a wide range of security functions, from access controls and disaster recovery to endpoint protection and third-party assurance.
Key systems and infrastructure within Direct Mail Depot’s operation have earned the HITRUST CSF certification, which means we have to prove to the HITRUST Alliance that our security systems and policies meet their strict standards. HITRUST CSF certification means exactly what the name implies – you have a high level of trust that your data is being protected.
HITRUST CSF was originally developed in collaboration with leaders from the healthcare sector. Early adopters were mostly healthcare organizations, and HITRUST CSF is the most widely adopted security framework in the U.S. healthcare industry. As a result, many people mistakenly assume HITRUST CSF is just another fancy word for HIPAA.
In reality, HIPAA is a law. There is no certification process. HITRUST CSF requires companies to go through a rigorous process and implement a wide range of controls and policies to become certified. HITRUST CSF also incorporates the requirements of PCI, GLBA, ISO, NIST, and other regulations and standards to ensure data privacy is maintained by a wide variety of organizations.
This is especially important when you’re trusting a third party with your customer data.
Data Privacy Must Be Engrained in the Company Culture
At Direct Mail Depot, security is a priority at every level of the company. Every employee must go through security awareness training. Instead of simply being handed a security manual, for example, the team goes through weekly security training, including real-world phishing tests that show employees how cyber criminals are trying to fool them.
The HITRUST CSF certification has required us to implement strict controls for the storage and transfer of data, both internally and externally. There are nearly two dozen categories of IT security policies and procedures that we maintain, such as mobile and wireless security, configuration and vulnerability management, and audit logging and monitoring.
Security also extends from the IT environment to the physical environment. The production plant has strict access controls, visitors need to be escorted, and nobody is all allowed to take photos or videos in that space, which prevents data from being accidentally captured.
Data privacy rules are growing in number and complexity for all companies, not just those in heavily regulated industries. It’s important to partner with companies that not only have the right technology and controls in place, but also have security baked into the company culture.
Do you have questions about how Direct Mail Depot protects the privacy of your customer data? Contact us to schedule a consultation.