IT Standards at Home and Abroad
SMBs have global reach these days, making compliance even more complicated.
In an age where cyber warfare and other digital threats abound, it’s in every business’s best interest to keep its cyber security standards high. As the friendly neighbourhood cyber-man who pens our weekly cyber security newsletter and leads our security operations will tell you, all it takes is a single serious breach to cripple, and potentially even kill, your company. That’s really the only reason you should need to keep your IT standards high.
The thing is, what we should do and what actually happens are often two different things. With the advent of online shopping with credit cards, digitized health records and remote video diagnoses, it didn’t take long for the criminal element to take advantage of lax online security in overly cost-conscious enterprises and start stealing personal information, or entire identities. It was at roughly this point that the poor practices of a few bad-apple businesses started causing problems for the rest of us, and governments felt the need to step in by legislating minimum cyber security and IT standards.
Of course, technology evolves quickly, so standards change often and can be difficult to keep up with. They also vary from jurisdiction to jurisdiction, so it’s important to know which legislation applies to your business and how the rules affect it. That’s why we’ve collected a list of the legislation and standards most likely to affect your business, with a brief description of each.
- PIPEDA/PIPA—The Personal Information Protection and Electronic Documents Act, also known as PIPEDA, has been written about at length by our friendly-neighbourhood cyber-man, so we’re not going to go over it here. We’re just listing it now so no one complains that we skipped Canada’s main private-sector privacy law. We’re also not going to address Alberta’s PIPA or the other provincial counterparts, as they have been deemed substantially similar to PIPEDA and apply in its place within those provinces.
- CASL—Once a headline-grabbing piece of legislation, Canada’s Anti-Spam Legislation, or CASL, has become something of an afterthought, but it is still very much in effect and businesses are very much bound by its rules. Prior to its introduction, Canadians had no legal recourse against companies blowing up their inboxes with unsolicited email ads, and while most companies are only after qualified leads, those few bad apples we mentioned earlier set in motion a legislative process that made sending commercial email without consent an offense carrying administrative penalties of up to $10 million CAD per violation for an organization. It’s also the reason every commercial electronic message (CEM) must identify the sender and carry an unsubscribe mechanism that is easy and straightforward to use and is honoured within 10 business days; no more navigating frustrating 6-step mazes of URLs and buttons in order to take your address off a mailing list.
- PCI DSS—Unlike other entries on this list, the Payment Card Industry Data Security Standard isn’t legally binding on its own, though a few US states have referenced PCI DSS compliance in their laws. That doesn’t mean you can get away with avoiding it outside those states. The standard is developed and maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB), and it is enforced contractually: every merchant agreement with an acquiring bank or payment processor includes a clause committing you to PCI DSS, with fines and loss of card-processing privileges as the consequences of non-compliance. And since the card brands have global reach, PCI DSS might as well be a global law.
- GDPR—Although the European Union is a good deal farther away than the old adage “across the pond” would imply, it’s right next door as far as online businesses go: the General Data Protection Regulation applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour, with fines of up to €20 million or 4% of global annual turnover, whichever is higher. Over there, data is broken down into two tiers. Personal Data is any information relating to an identifiable person, such as a customer’s name, email or mailing address, or an online identifier. Special Category Data is a subset that gets stricter handling rules: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data about sex life or sexual orientation. The regulation also assigns distinct obligations to data controllers (who decide why and how data is processed) and data processors (who process it on a controller’s behalf). Although the goal is the same (protecting consumers’ data), the GDPR is laid out very differently from North American legislation, so make sure you or your MSP is familiar with it if you do business across the pond.
When it comes to legal standards for businesses that rely on technology and the internet (so, all of them these days), it’s important to stay up to date, not only from a cyber security perspective but from a legal perspective too. Failing to meet these standards creates not just a security liability but a legal one, and one that could destroy your business if left unaddressed. Not only could a serious breach cost you millions in real damages and lost revenue, it could leave you open to millions of dollars in legal damages and fines as well. That’s why it’s important to have an entire team of IT professionals supporting you. So if you need help ensuring your business complies with the standards and legislation that apply to it, contact one of our experts today so you can be stress-free about your IT compliance wherever you do business.
The TRINUS team