From SOX to HIPAA: Key Laws for Your Password Management Business Case

From SOX to HIPAA: Key Laws for Your Password Management Business Case

Saving time and money are not the only factors to consider in your password management business case. It also makes sense to take legal and regulatory compliance into account. While we cannot provide legal advice, we can equip you with information to develop your business case. Note that we are focusing mainly on the United States in this case. If you operate in other jurisdictions, research local requirements.

  1. Gramm-Leach-Bliley Act (GLB) Act

Passed in 1999, this law is one of the better known laws in information security. It applies to financial institutions such as banks and companies that provide services to them. For example, if you provide technology services to a bank, you need to understand this law. Here are a few of the specific concepts that relate to password management issues:

  • Safeguards rule for personal consumer information. Organizations are expected to develop systems, procedures, and policies that ensure consumer information is protected. In some organizations, simply identifying all personal consumer data is a challenge.
  • Financial Privacy Rule. Distinct from the rule above, this concept mandates certain disclosures and restrictions on the use of consumer information. For example, a consumer may restrict a bank from her data for marketing. Password management helps to ensure that consumer data is only used for the appropriate purpose.
  • Evaluate third party service providers. As a bank, you may have outsourcing arrangements with various companies. Those vendors may, in turn, have access to consumer information. As a result, banks are expected to assess and manage their vendors closely.
  • FTC Awareness. The text of the law itself is not the only matter you need to consider. The Federal Trade Commission has the ability to make rules relating to the GLB Act.

While financial services are held to a high standard, that does not mean that other industries and companies are exempt.

  1. Sarbanes-Oxley Act (also called “Sarbox” or “SOX”)

In the aftermath of major corporate scandals, the U.S. government passed new laws in an effort to stop another Enron-style failure. The Act had a significant impact on accounting and finance professionals in particular. There are also information security and password implications. Take note of the following points.

  • Identify all financial data systems.  Unless you know where all of your financial and accounting data resides, you cannot protect it.
  • Record keeping for auditors. If there are access changes that grant or deny access to sensitive data, keep robust records so you can easily address auditor questions.
  • Protect tax information. SOX has requirements relating to tax returns. Implementing controls relating to tax return data is also in scope. Just imagine the discomfort you may have if your tax return is challenged and the supporting data is compromised.

Important Note: SOX is mainly associated with publicly traded companies. However, some of its provisions apply to privately owned firms. As with any law, if you are unclear about whether it applies to you, consult a qualified lawyer for advice.

The next item on our list is not a law. Yet it matters for carrying on with your business.

  1. Payment Card Industry Data Security Standard

If your business accepts payments by credit cards, pay attention. Founded by American Express, Discover, JCB International, MasterCard, and Visa Inc, the standard sets requirements for security standards. While you could organize your business to avoid using credit cards, that is difficult to do. As you continue to build your password management business case, take note of these requirements.

  • Administrator Password Control. According to PCI DSS requirement 8.5, administrators are not allowed to share passwords. Password sharing sometimes happens when colleagues are trying to help each other such as picking up the slack when someone goes on vacation. To comply with the standard, you will need to improve this element of password control.
  • Implement controls over inactive user accounts. Since they represent a major hacker target, controlling these accounts is important. Using Compliance Auditor can help with this requirement.
  • Qualified assessors. For a full evaluation of your organization, consider engaging a qualified assessor to evaluate your security and controls environment.
  1. Health Insurance Portability and Accountability Act (HIPAA)

Delivering healthcare requires access to sensitive personal information. This act was developed to make sure that information is handled properly. Some organizations covered by HIPAA (“covered entities”) include: health care providers, health insurers, and health researchers. From a password management and security standpoint, take note of the following HIPAA expectations:

  • Access controls. Covered entities are expected to have policies that grant and restrict user access as required.
  • Unique user identification. If you have user accounts called “admin,” it is time to change that. This HIPAA expectation states that all users are expected to be uniquely identified. This process enables tracking and diagnosis for audits and investigations.
  • Emergency access procedure. In contrast to other standards and laws, this provision is somewhat unusual. Since access to information may have a life or death impact, HIPAA makes allowances for emergency information access. Applying proper controls and oversight to this emergency access is critical to discourage misuse.


  1. EU General Data Protection Regulation (GDPR)

You might wonder why we are including this European Union requirement here. There are two reasons. First, many U.S. companies do business in Europe and it pays to be informed about changes in that region. Second, other countries may follow the EU’s lead, so now is a good time to understand these requirements. For your password management business case, GDPR’s key points include:

  • Identify relevant user information. Before you apply GDPR password related controls, you need to know what to protect. Review your data to make sure you can identify all data related to EU residents.
  • Restrict user access to data to a greater degree. GDPR has stringent requirements on reporting data breaches. One way to minimize this risk is reducing the data available to any one user.
  • Continuous monitoring activities. An annual review is not going to be enough anymore. GDPR violations have the potential to lead to multi-million dollar fines. Continuous monitoring by an identity and password management solution will give you peace of mind that your organization is always compliant.


The security laws, regulations and guidelines directory (CSO)

10 Best Practices For Meeting SOX Security Requirements (Dark Reading)

HIPAA Security Rule Guidance Material (U.S. Department of Health & Human Services)

Written by Nelson Cicchitto