CEO's Corner

HIPAA, GDPR, FINRA: Is Your Bottom Line Protected with Secure Mobile Messaging?

Anurag Lal, President and CEO of Infinite Convergence.

Nearly every enterprise today must deal with an evolving compliance landscape which includes an alphabet soup of industry-specific and general data privacy and security regulations. An already complex regulatory environment is projected to get even more complex. Enterprises can expect more regulations as governments across the globe enact laws for protecting data privacy and security. By the end of 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations.

Compliance with industry-specific and general data privacy regulations is now more than ever a critical part of reducing business risk. Companies that don’t prioritize compliance run the risk of hefty fines, lawsuits, loss of revenue, reputational damage and loss of consumer trust.

Securing communication and collaboration is an essential step enterprises can take to help avoid these business risks.

Let’s take a look at some of the regulations on the books today and why secure, compliant enterprise-grade mobile messaging and collaboration platforms are critical for reducing compliance risk and protecting the bottom line.

HIPAA

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) established standards and requirements for handling protected health information (PHI), including in electronic form (ePHI). PHI is individually identifiable health information: information about a person's health condition, care, or payment for care that is tied to identifiers such as names, addresses, Social Security numbers, phone numbers, medical record numbers and financial account details.

HIPAA has four primary rules:

  • The Privacy Rule - defines acceptable uses and disclosures of PHI by covered entities
  • The Security Rule - defines safeguards for securing ePHI
  • The Breach Notification Rule - lists reporting protocols for data breaches
  • The Enforcement Rule - details the enforcement of HIPAA compliance

HIPAA is administered by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). HIPAA-regulated entities include U.S. hospitals, physician practices, health plans, medical centers and other healthcare providers (the covered entities), along with the business associates that handle PHI on their behalf.

The bottom line importance of secure HIPAA compliant business communication

Use of consumer-grade messaging apps and insecure collaboration tools puts organizations at risk of data breaches. Breaches in this sector are on the rise as cybercriminals increasingly target healthcare enterprises for the vast amounts of PHI they hold. Today, civil penalties for HIPAA violations range from $127 to $50,000 per violation depending on the level of culpability, subject to an annual cap for each provision violated.

In March 2023 alone, 63 breaches of 500 or more records were reported to OCR: a 46.51% increase from February, 6.92% above the 12-month average, and 40% more than in March 2022. The majority of the month's reported breaches were classified as hacking/IT incidents. To date, OCR has settled or imposed a civil money penalty in 130 cases, totaling $134,828,772.

In addition to the risk of substantial HIPAA violation fines, enterprises face a growing threat of data breach lawsuits. BakerHostetler's Data Security Incident Response Report (DSIR) found that breaches of 10,001 to 500,000 records draw an average of 12 to 13 lawsuits, and even smaller breaches of fewer than 1,000 records draw an average of 4. According to BakerHostetler, lawsuits nearly doubled year-over-year, and it is no longer only the "big breaches" that capture attention.

Without HIPAA-compliant mobile messaging, patient data is vulnerable to unauthorized use and disclosure. The statistics cited above underscore the need for HIPAA-regulated organizations to implement secure, compliant mobile messaging and collaboration solutions to safeguard PHI against breach risk. Note that HHS does not certify products as "HIPAA compliant"; compliance remains the obligation of the covered entity. What an enterprise-grade business communication platform can do is support the Security Rule's safeguards (access control, audit logging, integrity and authentication controls, and encryption of ePHI in transit and at rest) and come from a vendor that will sign a business associate agreement. Deploying such a platform improves an organization's overall security posture and reduces the likelihood of breaches and violations.

GDPR

The European Union’s (EU) General Data Protection Regulation (GDPR), which went into effect in 2018, is considered to be one of the most comprehensive privacy and security laws globally. GDPR’s strict rules around personal data collection and how data is processed and stored by organizations are aimed at giving people more power over their data and less power to the organizations that collect and use data.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” Name, identification number, photo, email address, location details and online identifiers such as IP addresses and cookie identifiers are all examples of personal data under GDPR.

Any enterprise that processes the personal data of people in the EU, regardless of whether the company is based inside or outside the EU, must comply with the GDPR. The test is where the data subjects are, not their citizenship.

The bottom line importance of secure GDPR compliant business communication

To comply with GDPR, enterprises should be using mobile messaging and collaboration platforms designed with compliance in mind. Consumer-grade messaging solutions like WhatsApp have significant compliance issues. Ireland's Data Protection Commission announced in January 2023 the conclusion of an inquiry into WhatsApp, which resulted in a €5.5 million (just under $6 million) fine for WhatsApp Ireland for breaches of the GDPR relating to its service.

Penalties for companies and organizations that don't comply with GDPR can be substantial. Lower-tier violations carry fines of up to €10 million or 2% of a firm's annual global revenue, whichever is higher. Upper-tier violations carry fines of up to €20 million or 4% of annual global revenue, whichever is higher.

DLA Piper's most recent GDPR Fines and Data Breach Survey found that data protection supervisory authorities across Europe have issued a total of €1.64 billion ($1.74 billion) in fines since January 28, 2022, a year-on-year increase in aggregate reported GDPR fines of 50%.

According to DLA Piper, "the increase demonstrates data protection supervisory authorities' growing confidence and willingness to impose high fines for breaches of the GDPR." The report also noted that fines referred to the European Data Protection Board for a ruling during 2022 were increased by 630% on average.

Privacy regulations like GDPR make the choice of messaging platform a bottom-line matter. Enterprise mobile messaging and collaboration technology with end-to-end encryption, built-in technical safeguards and administrative controls supports compliance in a way consumer apps do not; no product on its own can guarantee it.

FINRA

The Financial Industry Regulatory Authority (FINRA) is an independent, nongovernmental organization empowered by the Securities and Exchange Commission (SEC) to write and enforce the rules governing registered brokers and broker-dealer firms in the United States.

FINRA is the single largest independent regulatory body for securities firms operating in the United States, overseeing more than 3,400 of these firms. This regulatory body has authority from the SEC to discipline brokers with fines and sanctions for rule violations.

Cybersecurity is a key area of focus for FINRA. FINRA states that it “evaluates firms’ approaches to cybersecurity risk management through reviews of their controls in areas including technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls and staff training. Through these reviews, FINRA also assesses a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.”

The bottom line importance of secure FINRA compliant business communication

FINRA and other financial sector regulators like the SEC are cracking down on firms using unapproved communication apps. In 2022, FINRA brought 14 cases related to off-channel communications, resulting in fines totaling $2.1 million. In the largest of these cases, brokerage firm H.C. Wainwright & Co., LLC was fined $1.5 million. The SEC is also stepping up enforcement on this issue, fining 16 firms a combined $1.1 billion in 2022 for using unapproved communication apps in violation of recordkeeping provisions.

In a 2023 report on its examination and risk monitoring program, FINRA called out cybersecurity as one of the principal operational risks facing broker-dealers. The report stated that “as a result, FINRA’s expectation is that firms have developed and maintained reasonably designed cybersecurity programs and controls that are consistent with the firm’s risk profile, business model, and scale of operations.”

Securing business communication is now a bottom-line issue for financial institutions. As non-compliance fines continue to increase and the cost of data breaches continues to rise, financial institutions simply can't afford compliance and data security risks. To address both, they should look for mobile messaging solutions with built-in security: end-to-end encryption, the gold standard in secure messaging, together with robust administrative, technical and physical data security controls, and a vendor that does not collect or share customer data. One caveat matters for this sector: the off-channel cases above were about recordkeeping failures, so end-to-end encryption must be paired with firm-controlled archiving and retention of business communications, or the platform solves the confidentiality problem while leaving the compliance problem in place.

Noncompliance with regulations like HIPAA, GDPR and FINRA rules can mean millions in fines for enterprises. To protect the bottom line, organizations should be adopting secure-by-design mobile messaging and collaboration technology.