Would Increased Regulation Reduce the Number of Information Breaches?

“…Information breach prevention is not always based on effective risk management practices but can also be mitigated by complying with industries’ or governments’ framed regulations and standards. The authors in [ 37 ] examine the effectiveness of regulations applied in different industries to analyze whether the information breach impact is reduced. Information security regulations and standards to avoid data breaches vary among industries and businesses.…”

“…These framed standards and regulations provide a checklist for compliance. To understand how standards and regulations can provide prevention, the literature provides an overview of different standards, such as ISO 270012013: [ 38 ], PCI DSS [ 39 ], FISMA with FIPS 200 [ 40 ], and HIPAA administrated by HHS [ 37 , 44 ].…”

“…The impact of data breaches stated above necessitates focused strategies to overcome this problem, for which various laws, regulations, policies, procedures, and best practices are being enforced. These principles ensure information security by compliance to avoid data breaches that vary in impact among various industries and businesses [ 37 ]. The aforementioned principles are framed to provide a checklist for compliance, which includes: ➊ ISO 27001 standard, which is used to regulate information security and management systems for mitigating and minimizing data breaches by providing a mechanism for the identification, assessment, and controlling the risk of these incidents [ 38 ]; ➋ Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard used by credit card service providers for protecting the cardholder data by practising the 12-prescribed requirements [ 39 ]; ➌ US Government has framed a regulatory framework called the Federal Information Security Management Act (FISMA), which is used to protect US Government Information Systems.…”

“…The aforementioned principles are framed to provide a checklist for compliance, which includes: ➊ ISO 27001 standard, which is used to regulate information security and management systems for mitigating and minimizing data breaches by providing a mechanism for the identification, assessment, and controlling the risk of these incidents [ 38 ]; ➋ Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard used by credit card service providers for protecting the cardholder data by practising the 12-prescribed requirements [ 39 ]; ➌ US Government has framed a regulatory framework called the Federal Information Security Management Act (FISMA), which is used to protect US Government Information Systems. Federal agencies are required to ensure continuous system monitoring and each agency receives annual grade on FISMA compliance [ 40 ]; ➍ An integration to FISMA, National Institute of Standards and Technology (NIST) provides the implementation guidance for Federal Information Processing Standard (FIPS 200) by addressing seventeen control areas for risk management [ 37 , 39 , 40 ]; ➎ Graham-Leach-Bliley Act 1999 is one of the major requirements for financial institutions known as the safeguard rule, which protects the customer’s information including confidentiality, security and integrity [ 41 ]; ➏ Financial institutions are bound to develop and apply an information security program under the Federal Trade Commission (FTC) [ 42 , 43 ]; and ➐ Health Insurance Portability and Accountability Act (HIPAA) 1996 [ 44 ], administered by the Health and Human Services (HHS) Department, provides two main rules to address security concerns, such as, privacy and security. The privacy rules address that only individual identity information can flow for research purposes, whereas the security rules address certain controls for electronically protected health information.…”

“…Besides that, HHS guides entities on how to comply with security requirements [ 44 , 45 ]. The impact of compliance with these principles can be judged by the reports, such as the Romansky report, which concludes a 6.1 percent reduction in data breach incidents, and the Verizon 2010 report concludes that PCI compliant organizations are 50 percent less vulnerable to attacks [ 37 , 39 , 40 , 41 , 42 , 45 ].…”

Getting Smarter about Smart Cities: Improving Data Security and Privacy through Compliance

“…Information breach prevention is not always based on effective risk management practices but can also be mitigated by complying with industries’ or governments’ framed regulations and standards. The authors in [ 37 ] examine the effectiveness of regulations applied in different industries to analyze whether the information breach impact is reduced. Information security regulations and standards to avoid data breaches vary among industries and businesses.…”

“…These framed standards and regulations provide a checklist for compliance. To understand how standards and regulations can provide prevention, the literature provides an overview of different standards, such as ISO 270012013: [ 38 ], PCI DSS [ 39 ], FISMA with FIPS 200 [ 40 ], and HIPAA administrated by HHS [ 37 , 44 ].…”

“…The impact of data breaches stated above necessitates focused strategies to overcome this problem, for which various laws, regulations, policies, procedures, and best practices are being enforced. These principles ensure information security by compliance to avoid data breaches that vary in impact among various industries and businesses [ 37 ]. The aforementioned principles are framed to provide a checklist for compliance, which includes: ➊ ISO 27001 standard, which is used to regulate information security and management systems for mitigating and minimizing data breaches by providing a mechanism for the identification, assessment, and controlling the risk of these incidents [ 38 ]; ➋ Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard used by credit card service providers for protecting the cardholder data by practising the 12-prescribed requirements [ 39 ]; ➌ US Government has framed a regulatory framework called the Federal Information Security Management Act (FISMA), which is used to protect US Government Information Systems.…”

“…The aforementioned principles are framed to provide a checklist for compliance, which includes: ➊ ISO 27001 standard, which is used to regulate information security and management systems for mitigating and minimizing data breaches by providing a mechanism for the identification, assessment, and controlling the risk of these incidents [ 38 ]; ➋ Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard used by credit card service providers for protecting the cardholder data by practising the 12-prescribed requirements [ 39 ]; ➌ US Government has framed a regulatory framework called the Federal Information Security Management Act (FISMA), which is used to protect US Government Information Systems. Federal agencies are required to ensure continuous system monitoring and each agency receives annual grade on FISMA compliance [ 40 ]; ➍ An integration to FISMA, National Institute of Standards and Technology (NIST) provides the implementation guidance for Federal Information Processing Standard (FIPS 200) by addressing seventeen control areas for risk management [ 37 , 39 , 40 ]; ➎ Graham-Leach-Bliley Act 1999 is one of the major requirements for financial institutions known as the safeguard rule, which protects the customer’s information including confidentiality, security and integrity [ 41 ]; ➏ Financial institutions are bound to develop and apply an information security program under the Federal Trade Commission (FTC) [ 42 , 43 ]; and ➐ Health Insurance Portability and Accountability Act (HIPAA) 1996 [ 44 ], administered by the Health and Human Services (HHS) Department, provides two main rules to address security concerns, such as, privacy and security. The privacy rules address that only individual identity information can flow for research purposes, whereas the security rules address certain controls for electronically protected health information.…”

“…Besides that, HHS guides entities on how to comply with security requirements [ 44 , 45 ]. The impact of compliance with these principles can be judged by the reports, such as the Romansky report, which concludes a 6.1 percent reduction in data breach incidents, and the Verizon 2010 report concludes that PCI compliant organizations are 50 percent less vulnerable to attacks [ 37 , 39 , 40 , 41 , 42 , 45 ].…”

Getting Smarter about Smart Cities: Improving Data Security and Privacy through Compliance

Factors Influencing Security Incidents on Personal Computing Devices