Demystifying Data Protection Laws

Protecting sensitive or personal data of employees and customers is one of – if not the – most important responsibility of any business. While most of the world is adopting data protection laws, there are misconceptions about who needs to comply with which regulations and what information or data is actually covered. 

The first step to protecting data is understanding what data your applications have access to and if any of that data is personal, sensitive, or otherwise protected by the regulation(s) that you’re trying to comply with.

This blog clarifies what’s covered under three key data protection regulations in the world of cybersecurity: the General Data Protection Regulation (GDPR),  the California Consumer Privacy Act (CCPA) amended as California Privacy Rights Act (CPRA) as of January 1, 2023, and Health Insurance Portability and Accountability Act (HIPAA).

GDPR

Since May 25, 2018, the GDPR unifies the European Union data protection requirements. It specifies how organizations should safeguard personal data and uphold the privacy rights of anyone in EU territory.

GDPR Applicability

I hope this isn’t a surprise to anyone reading this, but GDPR isn’t just for EU businesses. If an organization offers goods or services to people in the EU or monitors the online behavior of people in the EU, they need to comply with GDPR. 

Data Protected Under GDPR

In the context of GDPR, personal data means any non-anonymized information that can be used to identify a “natural person” (aka someone who is alive). This includes:

• name
• address
• national identification number
• email address
• phone number
• home address
• date of birth
• race
• gender
• political affiliation
• credit card numbers
• data held by a hospital or doctor
• photographs in which an individual is identifiable
• identification number
• cookie ID
• IP address
• location data (cell phone, applications)

GDPR Data Breach Impact

Less severe GDPR infringements can cost a business €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More severe violations can incur cost organizations up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. 

Example

A U.S.-based company expanded to Europe, but did not update its cloud applications to comply with GDPR data storage requirements. The company stored personal data of EU customers in a U.S. cloud region/zone. This violated the GDPR data sovereignty provision, which requires all data collected from EU citizens to be stored in the EU. The company could be fined up to €20 million.

CPRA

CPRA strengthens CCPA to better protect and preserve the privacy of Californians.

CPRA Applicability

Similar to GDPR, CPRA isn’t just for businesses physically operating in California. CPRA applies to any company that does business in California and collects personal data about California residents in the process of doing so and meets one of the following:

• makes at least $25 million in annual revenue
• possesses or shares the personal data of more than 50,000 consumers, households, or devices, or
• earns half or more of its annual revenue by selling personal data

Data Protected Under CPRA

CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. So…that’s pretty vague. 

CPRA defines “sensitive personal information” as personal information that reveals a person’s:

• social security, driver’s license, state identification card, or passport numbers
• a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• precise geolocation
• racial or ethnic origin, religious or philosophical beliefs, or union membership
• the contents of mail, email, and text messages, unless the business is the intended recipient of the communication
• genetic data

CPRA Breach Impact

Organizations can be fined up to $7,500 per offense under CPRA. And as of January 1, 2023, there is a new agency responsible for enforcing CPRA, so it’s likely that fines will increase when enforcement starts on July 1, 2023. 

Example

An online retailer based in California suffered a data breach that exposed millions of records that included passwords, names, email addresses, and other information. This failure to prevent unauthorized access and exfiltration, theft, or disclosure of non-encrypted PII. The retailer paid $5 million to settle a class action lawsuit.

Now that we have a better idea of what GDPR and CPRA actually protect, let’s try to make sense of who HIPAA applies to and what data it covers.

HIPAA

HIPAA is a U.S. federal law that requires the creation of national standards to protect sensitive patient health information. There are many facets of HIPAA, but today we’re focusing on two key aspects:  privacy and security. The Privacy Rule establishes how personal health information (PHI) should be used. The Security Rule defines how electronic PHI should be protected.

HIPAA Applicability

All parts of HIPAA, including the Privacy and Security rules, apply to “covered entities.” And while this term may be crystal clear to some legal or policy insiders, there are many people who don’t know what this actually means. In non-legal jargon, HIPAA applies to:

• medical providers
  • Examples: individual practitioners, hospitals, clinics, long-term care facilities, pharmacies, and dentists
• health insurance plans
  • Examples: company-sponsored health insurance plans, government-funded assistance like Medicare and Medicaid
• health care clearinghouses, which are described as entities that process non-standard health information into a standard format
  • Example: a medical billing clearinghouse that prepares claim information for a medical provider and submits the claim information to a health insurance company.

Business associates of covered entities have to comply with parts of HIPAA. A business associate is an outside person or company that needs to have access to your health information when providing services to the covered entity.  Common examples include attorneys and accountants who have access to PHI in the course of doing business with the doctor, insurance provider, or other covered entity.

Data Protected Under HIPAA

HIPAA rules protect PHI and define how it should be used. PHI is any information created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment. In short, it’s any medical information combined with certain “identifying information.”  HIPAA lists 18 identifiers that, when combined with medical information, create PHI.

• name
• address (anything more specific than the state)
• dates (any date more specific than the year) related to an individual — birthdate, admission date, etc.
• phone number
• fax number
• email address
• Social Security number
• medical record number
• health plan beneficiary number
• account number
• certificate or license number
• vehicle identifiers, such as serial numbers, license plate numbers
• device identifiers and serial numbers
• web URL
• internet protocol (IP) address
• biometric IDs, such as a fingerprint or voice print
• full-face photographs and other photos of identifying characteristics
• any other unique identifying characteristic

HIPAA Violation Impact

A HIPAA violation is when a HIPAA-covered entity or a business associate fails to comply with a part of HIPAA, including the Security and Privacy rules. Fines vary by violation type and tier, ranging from $127 per violation up to the annual cap of ~$1.9 million.

HIPAA and App Applicability

Sometimes, HIPAA applies to apps.  An application becomes a so-called “covered entity” when:

• users or intended users are covered entities
• development and creation of the app was paid for/funded by a covered entity for its sole use 
  • example: your health insurance provider’s application where you can track your plan coverage, explanations of benefits, deductibles, etc.
• the app is otherwise created to direct, create, or retain PHI on behalf of a covered entity.
  • example: a pediatrician’s application that contains your child’s medical records.

Typically, fitness apps are not considered covered entities and therefore do not have to comply with HIPAA.

However, even when HIPAA doesn’t apply, health application data is protected by the Federal Trade Commission. The FTC can fine businesses up to $46, 517 per violation. Notably, a breach is not limited to cybersecurity incidents. Violations include any instance of unauthorized access to PHI. This includes sharing of covered information without an individual’s authorization. FTC has specific notification requirements to inform impacted individuals and, in some cases, the media. 

Example

A health insurance provider was the target of a cyber attack. Hackers infiltrated the network and gained access to customer and employee names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers. In total, over 78 million records were stolen. The insurance provider had paid out almost $180 million in fines and settlements for failing to adequately protect data.

Bionic ASPM: Map Data Flows to Protect Data and Stay Compliant

Complying with GDPR, CPRA, HIPAA, or any other data protection law can be a bear for organizations that process, store, or transmit personal data through applications. This is especially true for cloud-first organizations that embrace DevOps and push code changes frequently. 

Bionic Application Security Posture Management (ASPM) provides a code-accurate map of your application architecture. This map gives you full visibility into all APIs, data flows, and dependencies of your applications and services.

With Bionic, you can easily and automatically collect accurate evidence to support GDPR, CPRA, and HIPAA compliance and reduce data security risks. 

Conclusion

This blog just scratches the surface of the complex world of data protection laws. The point is that lots of organizations need to comply with data privacy regulations and lots of data is covered under these laws. 

The first step to protecting anything is understanding what you need to protect. In celebration of data privacy week, we encourage everyone  to learn more, stay up to date on key changes to laws, and act as a champion for data security.

If you need help mapping the flow of data through your applications, Bionic ASPM can help. Book your demo today.