Compliance
Protect your hard-earned reputation and avoid catastrophic fines.


CMMC
Don’t risk losing valuable contracts or facing hefty fines. Our CMMC compliance services ensure you’re fully protected, securing your business’s future. Get certified now and safeguard your reputation and profitability.

HIPAA
Protect your patients’ sensitive data and avoid devastating fines. Our HIPAA compliance services ensure your business stays secure and trusted. Act now to safeguard your reputation and maintain regulatory peace of mind.

FTC Safeguards
Avoid costly penalties or a damaged reputation that will take months or years to repair. Our FTC Safeguards protect your business and customer data. Secure your future today—stay compliant and build lasting trust with your clients.

PCI
Secure your customers’ payment data and avoid catastrophic breaches or fines. Our PCI compliance services protect your business from fraud and penalties. Act now to safeguard trust and ensure smooth, secure transactions.
Compliance Legislative Updates as of November 5, 2024
The compliance landscape for businesses handling sensitive information is evolving, with recent and proposed changes at both federal and state levels. This article provides an overview of key updates for federal regulations and specific rules in Indiana and Illinois, covering compliance laws like HIPAA, PCI, CMMC, data protection requirements, and the FTC Safeguards Rule. Each section also identifies the industries most affected and provides examples of businesses within those sectors.
Federal Legislative Updates
1. HIPAA (Health Insurance Portability and Accountability Act)
- Update: Proposed amendments by the Department of Health and Human Services (HHS) aim to bolster patient control over health data and enhance data-sharing transparency. These proposed changes focus on expanding patient rights and streamlining disclosures for healthcare providers.
- Key Legislation: 45 CFR Part 160 and Part 164.
- Timeline: Currently in the public comment period, with anticipated final rulings by mid-2025.
- Penalties: Fines range from $100 to $50,000 per violation, up to a maximum annual penalty of $1.5 million. Proposed amendments may raise this cap, especially in cases of repeated negligence.
- Industries Affected:
- Healthcare, Health Insurance, Health Information Technology.
- Examples: Hospitals, private practices, health insurance providers (e.g., Anthem Inc., Kaiser Permanente, CVS Health).
2. PCI DSS (Payment Card Industry Data Security Standard)
- Update: PCI DSS 4.0, effective March 31, 2024, introduces more flexible and detailed security requirements, enhancing data encryption standards and mandating stronger multi-factor authentication for credit card data protection.
- Key Requirements: Updated encryption protocols, rigorous audit processes, and enhanced security around cardholder data storage.
- Timeline: Organizations must comply by March 31, 2025.
- Penalties: Non-compliance fines range from $5,000 to $100,000 monthly until full compliance is achieved.
- Industries Affected:
- Financial Services, Retail, E-commerce.
- Examples: Banks, credit unions, online retail (e.g., Bank of America, Walmart, Shopify).
3. CMMC (Cybersecurity Maturity Model Certification)
- Update: CMMC 2.0, updated by the Department of Defense, streamlines certification levels for contractors handling government information. Levels now range from self-assessment for basic contractors to third-party assessment for more sensitive projects.
- Timeline: Mandatory compliance by Q3 2025 for all defense contractors.
- Penalties: Non-compliance can lead to contract suspension or termination and significant fines under the False Claims Act.
- Industries Affected:
- Defense Contracting, Aerospace, Manufacturing.
- Examples: Contractors for DoD, aerospace manufacturers, IT providers for defense (e.g., Lockheed Martin, Northrop Grumman, Boeing).
4. FTC Safeguards Rule (Gramm-Leach-Bliley Act)
- Update: Enhanced data protection protocols under the FTC Safeguards Rule, effective since June 2023, require comprehensive security programs for financial institutions. New requirements include multi-factor authentication, encryption, and annual security reports.
- Timeline: Currently effective for all regulated institutions.
- Penalties: Penalties for non-compliance can reach up to $100,000 per violation. In cases of negligence, executives may face personal liability, including fines and potential jail time.
- Industries Affected:
- Financial Services, Mortgage, Insurance.
- Examples: Banks, credit unions, insurance companies (e.g., Wells Fargo, Allstate, JPMorgan Chase).
State-Specific Compliance Updates
Indiana
- Indiana Data Protection Law (Senate Bill 5): Senate Bill 5, soon effective, mandates tighter data breach reporting. Businesses must notify consumers and the attorney general within 30 days of a data breach. The law also requires incident reports on how the breach occurred and what mitigation steps have been taken.
- Penalties: Starting at $5,000 per unreported violation, with increased fines for each day of delay.
- Timeline: Effective Q1 2025.
- Industries Affected:
- Any industry handling consumer data, particularly healthcare, retail, and finance.
- Examples: Hospitals, banks, retail chains (e.g., IU Health, First Financial Bank, Menards).
Illinois
- Illinois Data Protection and Cybersecurity Act (HB 3910): HB 3910 introduces rigorous security requirements for companies handling personal information. Mandatory measures include data encryption, multi-factor authentication, and annual cybersecurity audits.
- Penalties: Violations incur fines up to $50,000 per incident, with added penalties for unreported breaches.
- Timeline: Effective Q1 2025.
- Industries Affected:
- Data-heavy industries, including finance, technology, and healthcare.
- Examples: Insurance companies, hospitals, tech firms (e.g., Northwestern Memorial Hospital, State Farm, Motorola).
- Illinois Biometric Information Privacy Act (BIPA): With recent court rulings strengthening enforcement, BIPA regulates the collection, use, and storage of biometric data.
- Penalties: $1,000 – $5,000 per violation, with some companies facing substantial class-action settlements.
- Industries Affected:
- Employers using biometric data, retail, tech.
- Examples: Retailers using biometric security, tech companies, transportation (e.g., Jewel-Osco, Uber, Amazon).
Key Compliance Dates to Note
| Legislation | Compliance Deadline | Primary Industries Affected |
| --- | --- | --- |
| HIPAA Privacy Rule | Mid-2025 (TBD) | Healthcare, Health Insurance, HIT |
| PCI DSS 4.0 | March 31, 2025 | Financial Services, Retail, E-commerce |
| CMMC 2.0 | Q3 2025 | Defense Contracting, Aerospace, Manufacturing |
| FTC Safeguards Rule | Currently effective | Financial Services, Mortgage, Insurance |
| Indiana Senate Bill 5 | Q1 2025 | Healthcare, Retail, Finance |
| Illinois HB 3910 | Q1 2025 | Finance, Technology, Healthcare |
Key Considerations in Layman’s Terms
- Strengthened Data Protection Requirements: Laws now require encryption, multi-factor authentication, and clear protocols for handling sensitive data.
- Shorter Data Breach Notification Periods: With new timelines for breach reporting, businesses must react quickly to notify authorities and affected individuals, as delay fines can accumulate.
- Higher Fines for Non-Compliance: Non-compliance penalties are rising, and for some regulations, penalties increase daily until the issue is resolved.
- Industry-Specific Requirements: Laws like CMMC apply specifically to defense contractors, while BIPA targets companies handling biometric data. Understanding your industry’s requirements is essential.
- Compliance Demands are Broadening: Even small businesses in sectors like healthcare, finance, and retail are impacted by these updates, so implementing security protocols is necessary.
How Organizations Can Stay Compliant
- Conduct Regular Audits: Schedule compliance audits, either internally or through third-party assessors, to identify potential risks early.
- Implement Data Protection Protocols: Ensure encryption, multi-factor authentication, and secure data storage are in place for sensitive information.
- Develop Incident Response Plans: Create protocols for responding to data breaches, including notifying affected individuals and reporting to authorities.
- Train Staff on Compliance: Employees should understand the importance of data security and how to handle sensitive information.
- Stay Updated on Regulations: Compliance requirements are frequently updated, so businesses should regularly review federal and state laws.
News Sources
Illinois General Assembly – Illinois HB 3910
Federal Register – HIPAA Privacy Rule Updates
PCI Security Standards Council – PCI DSS 4.0 Release
U.S. Department of Defense – CMMC 2.0 Overview