Chapter 116 · Flashcards

Compliance — Flashcards

Eleven cards covering SOX, HIPAA, GLBA, HIPAA criminal penalty tiers, the Uber breach case study, due care vs. due diligence, attestation, the CCO role, and compliance monitoring. Click any card to flip it.

What is SOX and what does it require of IT systems?

SOX (Sarbanes-Oxley Act, 2002): enacted after Enron, WorldCom, and Tyco accounting scandals to prevent corporate fraud. Applies to publicly traded companies (listed on US stock exchanges) and their auditors. Private companies are NOT subject to SOX. Section 302: requires CEO and CFO to personally certify the accuracy of financial statements and internal controls. False certification = criminal liability. Section 404: requires management to assess internal controls over financial reporting and external auditors to attest to that assessment annually. IT systems that support financial reporting must maintain: (1) Integrity (accurate, tamper-evident records), (2) Access controls (only authorized personnel access financial systems), (3) Audit logging (all access and changes recorded). Records retention: SOX requires financial records and audit logs to be retained for 7 years. Premature deletion = criminal violation. Criminal penalties: executives who knowingly certify fraudulent financial statements face up to 20 years imprisonment.

What is HIPAA and what does it protect?

HIPAA (Health Insurance Portability and Accountability Act): US federal law governing the handling of Protected Health Information (PHI). Who must comply: covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity). What PHI includes: any health information that identifies an individual — medical records, diagnoses, treatment plans, billing information, health insurance identifiers. Required safeguards: Administrative (policies, training, workforce management), Physical (facility access controls, device security), Technical (encryption, access controls, audit logs, transmission security). Enforcement: HHS Office for Civil Rights (OCR) investigates complaints and conducts audits. Breach notification: covered entities must notify affected individuals and HHS within 60 days of discovery. Encryption safe harbor: if PHI is properly encrypted and keys were not compromised, the incident may not be a reportable breach. Criminal penalties: three tiers based on intent (see penalty tier card).

What is GLBA and who must comply?

GLBA (Gramm-Leach-Bliley Act, 1999): US federal law governing how financial institutions handle customer financial information. Who must comply: financial institutions — banks, credit unions, securities firms, insurance companies, mortgage brokers, payday lenders, tax preparers, and any other company that offers financial products or services. Two key rules: (1) Financial Privacy Rule: financial institutions must provide customers with a privacy notice explaining what information is collected, how it is shared, and with whom. Customers may opt out of certain sharing with non-affiliated third parties. (2) Safeguards Rule: financial institutions must implement a written information security program with administrative, technical, and physical safeguards to protect customer financial information. What customer information is protected: any non-public personal information related to financial products or services — bank account numbers, credit card numbers, loan information, investment holdings, social security numbers collected during financial transactions. Enforcement: FTC for non-banking financial institutions; bank regulators for banks. Exam context: GLBA fills the gap for financial data that HIPAA covers for health data.

HIPAA criminal penalty tiers: what are they and when does each apply?

HIPAA criminal penalties escalate with intent. Three tiers: Class 6 (lowest): unknowing violation. Violator did not know they were violating HIPAA. Penalty: up to $50,000 and/or up to 1 year imprisonment. Example: employee accidentally emails PHI to wrong patient without realizing it. Class 5: violation under false pretenses. Violator knew the disclosure was improper. Penalty: up to $100,000 and/or up to 5 years imprisonment. Example: employee deliberately accesses a patient's records they are not authorized to view out of curiosity. Class 4 (highest): intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Penalty: up to $250,000 and/or up to 10 years imprisonment. Example: billing clerk sells patient records to an insurance fraud ring. Civil penalties: in addition to criminal penalties, up to $25,000/year per identical violation type. Memory aid: $50K/1yr (unknowing) → $100K/5yr (false pretenses) → $250K/10yr (commercial/malicious). Each tier doubles the penalty and adds years.

Uber data breach case study: timeline and consequences

Timeline: October 2016 — attackers breach Uber systems and exfiltrate data on 25.6 million drivers and riders. November 2017 — Uber publicly discloses the breach (13 months after discovery). What made it worse: Uber's security leadership paid the attackers $100,000 in Bitcoin and required them to sign an NDA to keep the breach confidential. This was framed as a "bug bounty payment" but was actually concealment of a criminal breach. Consequences: (1) $148 million settlement paid across US states for breach notification violations (failure to timely notify regulators and individuals as required by state breach notification laws). (2) Uber's former Chief Security Officer (CSO) was charged and later sentenced to federal prison for obstruction of justice and concealment of the breach. Key lessons: paying an attacker to conceal a breach is not risk management — it is criminal obstruction. Breach notification laws exist to protect individuals. Concealing a breach transforms a security incident into personal criminal liability for the executives who authorized the concealment. Exam context: Uber is the canonical example of compliance violation consequences including executive imprisonment.

Due care vs. due diligence: how are they different?

Due care: the internal activities an organization performs to responsibly manage its own security and compliance obligations. Demonstrates that the organization is doing what a reasonable, responsible organization should do for its own operations. Due care examples: implementing security policies, running security awareness training, applying patches on schedule, conducting access reviews, operating a SIEM, maintaining incident response plans, conducting internal audits. Due diligence: the activities an organization performs to evaluate and monitor third parties — vendors, partners, suppliers, service providers. Demonstrates that the organization has verified that the external parties it relies on also meet appropriate standards. Due diligence examples: vendor security questionnaires, reviewing SOC 2 reports, conducting vendor background checks, verifying vendor financial stability, exercising right-to-audit, ongoing vendor monitoring. Memory aid: Due Care = internal (C = internal Care). Due Diligence = external (D = external Due diligence). Both are required for a complete compliance program. Due care without due diligence = you manage your own house but invite unknown guests. Due diligence without due care = you vet your guests but your house is a mess.

What is attestation and what legal accountability does it create?

Attestation: the formal process by which an authorized executive or individual signs off on compliance documentation, certifying that it is accurate and complete to the best of their knowledge. Legal effect: attestation creates personal legal accountability for the signatory. If the attested document is later found to be inaccurate, the signatory may face personal legal liability including fraud charges, perjury, or obstruction of justice. Examples: SOX Section 302 requires CEO and CFO to personally certify financial statements and internal control assessments. HIPAA compliance certifications signed by the covered entity's executive. PCI DSS compliance declarations signed by the security officer. Annual vendor compliance questionnaires signed by the vendor's authorized representative. Why attestation matters: it transforms a bureaucratic form into a legal commitment. Without attestation, compliance documentation is just paperwork. With attestation, making false claims becomes criminal conduct. Uber connection: the concealment of the breach by Uber's CSO can be understood as a failure of attestation — leadership was not truthfully representing the organization's security status. Exam point: attestation = executive sign-off = personal legal accountability.

What is the Chief Compliance Officer (CCO) role?

CCO (Chief Compliance Officer): the executive responsible for overseeing the organization's internal compliance program and ensuring the organization meets its regulatory, legal, and policy obligations. Responsibilities: monitoring regulatory changes and assessing their impact on the organization, ensuring compliance obligations are identified, documented, and assigned, managing internal audit processes and compliance assessments, reporting compliance status to the board of directors, overseeing training programs that ensure employees understand compliance requirements, managing responses to regulatory investigations and enforcement actions. Organizational placement: typically reports to the CEO or board. In some organizations the CCO role is combined with Chief Risk Officer (CRO) or Chief Legal Officer (CLO) depending on organizational structure and regulatory environment. CCO and security: the CCO and CISO must collaborate closely. Security controls are often the mechanisms by which compliance is achieved. Compliance requirements drive security investment decisions. The CCO ensures the organization meets regulatory requirements; the CISO ensures the security program that enables compliance is effective. Key difference from CISO: CCO focuses on regulatory compliance and legal obligations. CISO focuses on the security program. Different expertise, overlapping responsibilities.

What are the consequences of compliance failures beyond fines?

Compliance failures trigger consequences across multiple dimensions: Financial: civil fines (HIPAA: up to $25K/year per identical violation type; GDPR: up to 4% of global turnover), criminal fines, settlement payments (Uber: $148M), mandatory corrective action costs. Criminal: imprisonment for responsible executives (Uber CSO sentenced to prison; SOX violations = up to 20 years for fraudulent certifications). Operational: loss of operating license in regulated industries. A bank that loses OCC authorization cannot operate. A healthcare provider that loses accreditation cannot receive Medicare/Medicaid reimbursement. A government contractor that loses security clearance or certification loses federal contracts. Contractual: compliance certification is often a contractual prerequisite. Losing PCI DSS compliance means losing the right to process payment cards. Losing CMMC certification means losing DoD contracts. Customers who require their vendors to be certified may terminate contracts. Reputational: public disclosure of compliance failures damages customer trust, partner relationships, and market reputation. Often the lasting damage exceeds the direct financial penalty. Exam note: compliance failures rarely have only one consequence — identify all applicable consequence types in scenario-based questions.

What is compliance monitoring and why is automation essential?

Compliance monitoring: the ongoing process of verifying that the organization continuously meets its compliance obligations as systems change, regulations evolve, and the business grows. Compliance is not a one-time event; it must be maintained continuously. Internal monitoring tools: automated compliance dashboards, SIEM systems with compliance-mapped correlation rules, configuration management databases (CMDB), policy compliance scanners, vulnerability scanners benchmarked against compliance standards (CIS Benchmarks, DISA STIGs). External auditors: provide independent verification that internal monitoring is accurate. Catch gaps due to familiarity bias. Regulatory audits (OCR HIPAA audits, SEC SOX reviews, PCI QSA assessments) verify compliance claims. Why automation is essential at scale: an organization with 5,000 servers across SOX, HIPAA, and PCI DSS frameworks cannot manually check each server's patch status, access control configuration, and logging settings. Automation provides continuous real-time visibility; manual processes provide only periodic snapshots. A server that falls out of compliance at 2 AM on a Tuesday would not be detected until the next manual review without automation. Automation + auditors: automation provides scale; auditors provide independence. Both are required for a mature compliance program.

Which regulation applies: SOX, HIPAA, or GLBA? Quick classification

Quick classification for exam scenarios: SOX applies when: the organization is publicly traded (listed on a stock exchange), the context involves financial reporting, financial records, or IT systems supporting financial statements, the scenario mentions CEO/CFO certifications, audit trail requirements for financial data, or Section 302/404 compliance. HIPAA applies when: the organization is a healthcare provider, health plan, or healthcare clearinghouse (covered entity), or a business associate handling PHI on their behalf; the context involves patient health records, medical billing, treatment information, or health insurance data; scenarios mention HHS/OCR enforcement, breach notification timelines of 60 days, or encryption safe harbor. GLBA applies when: the organization is a financial institution (bank, credit union, insurance company, securities firm, mortgage company, tax preparer); the context involves customer financial data (account numbers, loan information, investment holdings); scenarios mention privacy notices, opt-out rights, or safeguards for customer financial information. Common trap: a hospital that also accepts payment cards must comply with HIPAA (for health data) AND PCI DSS (for payment cards) simultaneously. Multiple regulations can apply to the same organization and even the same data breach.