HIPAA
Health Insurance Portability & Accountability Act
U.S. federal law protecting medical and health information. Covers any business handling protected health information (PHI) — not just hospitals. Includes specific security and privacy requirements (the Privacy Rule, the Security Rule) and breach-notification obligations.
Why it matters: HIPAA fines can be substantial — and even non-medical businesses can fall under HIPAA if they handle health data for clients. The Security Rule's technical safeguards (encryption, access controls, audit logs) are where most IT work lives.
Related: HITECH, PHI, BAA, Email Encryption, ePHI, Breach Notification, Client Confidentiality, Retention Policy
HITECH
Health Information Technology for Economic and Clinical Health Act
A 2009 U.S. law that strengthened HIPAA's privacy and security requirements — added breach-notification rules, expanded enforcement authority, and increased penalties. HITECH effectively made HIPAA enforceable in ways the original law wasn't.
Why it matters: HITECH is why HIPAA enforcement has teeth today. The breach-notification provisions force healthcare providers and their business associates to publicly disclose incidents — a deterrent that pure compliance fines weren't providing.
Related: HIPAA, Breach Notification
PHI
Protected Health Information
Any individually identifiable health information held or transmitted by a HIPAA-covered entity or its business associate. Includes patient names, addresses, diagnoses, treatment records, billing information — anything that ties health data to a specific person.
Why it matters: PHI is the regulated category HIPAA protects. Mishandling PHI (sending unencrypted email, losing a USB drive, leaving records in a public area) triggers HIPAA breach-notification requirements regardless of intent.
Related: HIPAA, ePHI, BAA
ePHI
Electronic Protected Health Information
Protected health information that is created, stored, maintained, or transmitted electronically. Subset of PHI specifically subject to HIPAA Security Rule requirements (encryption, access controls, audit logs, transmission security).
Why it matters: Nearly all PHI today is electronic — EHR systems, billing software, email, smartphones with patient information. The HIPAA Security Rule's technical safeguards apply specifically to ePHI.
Related: PHI, HIPAA
BAA
Business Associate Agreement
A written contract between a HIPAA-covered entity (like a medical practice) and any third party that creates, receives, maintains, or transmits PHI on its behalf (IT providers, billing services, cloud vendors). The BAA legally binds the third party to HIPAA-equivalent safeguards.
Why it matters: If your IT provider, cloud vendor, or contractor handles PHI without a signed BAA, the covered entity is non-compliant. Every vendor in a HIPAA chain must have a BAA — and Microsoft, Google, AWS, etc. all offer them for their cloud services.
Related: HIPAA, PHI
PCI-DSS
Payment Card Industry Data Security Standard
A security standard required by credit card networks (Visa, Mastercard, Amex, Discover) for any business that accepts, processes, or stores credit card data. Defines specific technical and procedural controls — network segmentation, encryption, access management, vulnerability scanning, and incident response.
Why it matters: Non-compliance can mean fines, increased transaction fees, or losing the ability to accept credit cards entirely. The current version (PCI-DSS 4.0) significantly tightened authentication and segmentation requirements; the 2025 deadline for full 4.0 compliance is past.
Related: Network Segmentation
GLBA
Gramm-Leach-Bliley Act
A U.S. federal law requiring financial institutions to safeguard customer financial information and disclose how they share it. Applies broadly — "financial institution" includes banks, credit unions, tax preparers, mortgage brokers, and even some retailers offering financing.
Why it matters: GLBA's Safeguards Rule requires documented information-security programs. The FTC enforces it for non-bank financial institutions (the most-affected category for SMBs); penalties for non-compliance are significant.
Related: FTC Safeguards Rule, FFIEC
SOX
Sarbanes-Oxley Act
A U.S. federal law (2002) primarily targeting publicly-traded companies — requires CEOs and CFOs to certify the accuracy of financial reports, establishes accountability for accounting fraud, and mandates internal controls (including IT controls) over financial reporting.
Why it matters: If your business is public (or supplies a public company), SOX compliance touches IT — access controls on financial systems, change management, audit logs. Section 404 (internal-control assessment) drives most of the IT-relevant work.
FTC Safeguards Rule
FTC Standards for Safeguarding Customer Information
An FTC regulation under GLBA that requires non-bank financial institutions to develop, implement, and maintain a written information-security program. Updated in 2023 with specific technical requirements (encryption, MFA, access controls, incident response).
Why it matters: The 2023 update significantly raised the bar — many small financial institutions that were technically GLBA-compliant before are not now. Compliance requires documented programs, designated security officers, and regular testing.
Related: GLBA, MFA
NIST CSF
NIST Cybersecurity Framework
A voluntary framework published by NIST that organizes cybersecurity activities into five functions (Identify, Protect, Detect, Respond, Recover) plus a sixth (Govern) added in CSF 2.0. Widely adopted as the baseline reference for "what does mature cybersecurity look like."
Why it matters: Many cyber-insurance applications, vendor questionnaires, and contracts reference the CSF. Even when not legally required, it provides a defensible structure to point to when answering "how do we secure our business?"
Related: NIST 800-171, ISO 27001
NIST 800-171
Protecting Controlled Unclassified Information in Nonfederal Systems
A NIST publication defining 110 security controls for protecting Controlled Unclassified Information (CUI) on systems outside the federal government. Required for federal contractors and subcontractors that handle CUI — DoD, NASA, GSA, etc.
Why it matters: If your business contracts with the federal government (directly or as a sub) and handles any CUI, 800-171 compliance is contractually mandatory. CMMC certification is built on top of 800-171.
Related: CMMC, NIST CSF, NIST 800-53
NIST 800-53
Security and Privacy Controls for Information Systems and Organizations
A comprehensive NIST catalog of 1,000+ security and privacy controls. Originally required for federal information systems under FISMA; widely adopted as a reference catalog for any organization wanting a thorough control framework.
Why it matters: 800-53 is more comprehensive than 800-171 (which is essentially a subset). Federal agencies and contractors handling classified or high-sensitivity systems use it directly; smaller organizations pick relevant controls as needed.
Related: NIST 800-171
CMMC
Cybersecurity Maturity Model Certification
A U.S. Department of Defense certification program requiring contractors and subcontractors handling DoD information to be independently assessed against tiered security requirements. Built on NIST 800-171; third-party assessment required for higher tiers.
Why it matters: If your business is in the DoD supply chain (even as a small sub-supplier), CMMC certification will be a contract requirement. The certification process is non-trivial — start preparing well before contracts come up for renewal.
Related: NIST 800-171
FFIEC
Federal Financial Institutions Examination Council
A U.S. interagency body that issues IT examination guidance for banks, credit unions, and thrifts. The FFIEC Cybersecurity Assessment Tool (CAT) is the standard framework regulators use during bank IT exams.
Why it matters: If your business is a regulated financial institution, FFIEC guidance defines what your examiner will look at. Aligning IT operations with the CAT well before an exam saves significant remediation effort.
Related: GLBA
GDPR
General Data Protection Regulation
The European Union's data privacy law, in effect since 2018. Applies to any organization that handles personal data of EU residents — regardless of where the organization is based. Establishes broad rights for individuals (access, deletion, portability) and strict obligations on data handlers.
Why it matters: GDPR penalties can reach 4% of global annual revenue or €20 million, whichever is larger. Many U.S. businesses fall under GDPR without realizing it (any EU customers, EU website visitors, EU employees). U.S. state privacy laws (CCPA, others) borrow heavily from GDPR.
Related: CCPA, DSAR, Breach Notification
CCPA
California Consumer Privacy Act (and CPRA)
California's data privacy law — gives California residents rights to know what personal data businesses collect, request its deletion, opt out of sale, and avoid discrimination for exercising those rights. The 2023 CPRA amendments added stronger requirements and an enforcement agency.
Why it matters: CCPA applies to businesses meeting any one of several thresholds (annual revenue, volume of CA-resident data, etc.) — even if you're not in California. Other states (Virginia, Colorado, Connecticut, etc.) have followed with similar laws.
Related: GDPR, DSAR
DSAR
Data Subject Access Request
A formal request from an individual asking what personal data an organization holds about them, often with the right to request correction, deletion, or portability. A core mechanism in GDPR, CCPA, and similar privacy laws.
Why it matters: Businesses subject to privacy laws must have a documented process for handling DSARs — and respond within statutory deadlines (typically 30-45 days). Ad-hoc handling doesn't scale once requests start coming in.
Related: GDPR, CCPA
Breach Notification
Legal requirement to disclose security incidents
Laws requiring organizations to notify affected individuals, regulators, and sometimes the public when a security incident exposes personal data. Triggers, timelines, and recipients vary by jurisdiction — every U.S. state has its own breach notification law.
Why it matters: Most breach response costs are not the incident itself — they're the cost of notification (mailings, call centers, credit monitoring) and regulatory fines for late notification. Breach response plans should be drafted before an incident, not during.
Related: HIPAA, HITECH, GDPR
Bar Association Guidance
ABA Formal Opinions on lawyer cybersecurity obligations
Formal opinions from the American Bar Association (and state bar associations) interpreting Model Rule 1.6 (confidentiality) and 1.1 (competence) in the context of technology — defining lawyers' ethical duties around securing client data, using cloud services, and responding to breaches.
Why it matters: Law firms are bound by these opinions through state bar enforcement. ABA Formal Opinion 477R requires lawyers to take "reasonable efforts" to secure electronic client communications, and 483 sets duties around breach response.
Related: Client Confidentiality
Client Confidentiality
Professional obligation to protect client information
A professional and often legal obligation (for lawyers, accountants, healthcare providers, etc.) to protect information clients share in confidence. The technology component of this obligation has expanded dramatically — secure email, encrypted storage, access controls, vendor due diligence.
Why it matters: Bar associations, medical boards, and licensing bodies treat IT failures that expose client data as professional-responsibility violations, not just IT incidents. The professional consequences (suspension, sanction) often exceed the technical or regulatory ones.
Related: Bar Association Guidance, HIPAA, Disclosure Requirements
Cyber Liability Insurance
Insurance covering losses from cyber incidents
An insurance policy that covers business losses from cyber incidents — ransomware payments, breach response costs, regulatory fines, legal defense, business interruption, sometimes the cost of restoring data. Distinct from general business insurance, which typically excludes cyber events.
Why it matters: Cyber insurance is increasingly a contractual requirement (vendors, customers, lenders demand it). Premiums have risen sharply as ransomware claims grew; underwriting is now strict — applications themselves are detailed security assessments.
Related: Insurance Application Requirements, Coverage Triggers
Insurance Application Requirements
Security controls required to obtain or renew cyber insurance
The set of security controls insurers require before issuing or renewing a cyber liability policy. Common requirements: MFA on all email and admin accounts, EDR on every endpoint, offline backups, documented incident response plan, employee security training, regular vulnerability scanning.
Why it matters: Failing to disclose or implement what was claimed on the application can void coverage at claim time. Misrepresenting your MFA coverage or backup approach in an application is often more costly than the incident itself.
Related: Cyber Liability Insurance, MFA, EDR
Coverage Triggers
Conditions that activate (or block) a cyber insurance claim
The conditions under which an insurer will pay a claim — defined in the policy. Common triggers: a covered event must occur, notice must be given within a deadline, proof of incident must be provided, certain pre-incident requirements must have been in place (MFA, backups). Coverage can be denied for events that don't meet trigger conditions.
Why it matters: Reading the trigger language matters. A policy that requires "60-day notice from discovery" can deny coverage for an incident reported on day 61. War-exclusion clauses and nation-state-attribution clauses have caused major coverage disputes.
Related: Cyber Liability Insurance
SOC 2
Service Organization Control 2
An audit framework from the AICPA evaluating a service organization's controls across five "Trust Service Criteria": Security, Availability, Processing Integrity, Confidentiality, Privacy. A SOC 2 report (Type I or Type II) is issued by an independent CPA firm.
Why it matters: Customers and vendors increasingly require SOC 2 reports before signing — especially for SaaS, hosting, and managed services. The audit takes 6-12 months on the first pass; ongoing compliance becomes a continuous operating discipline.
Related: ISO 27001
ISO 27001
International Organization for Standardization 27001
An international standard for Information Security Management Systems (ISMS) — defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. Certification requires independent audit; widely recognized internationally as evidence of security maturity.
Why it matters: ISO 27001 is the international counterpart to SOC 2. Companies operating globally (especially with European customers) often pursue both. The standard is process-heavy — the discipline of running an ISMS is as much the deliverable as the certificate itself.
Related: SOC 2, NIST CSF