1
00:00:00,300 --> 00:00:05,640
In this lecture, we are going to discuss some popular compliance laws and regulations. The compliance
2
00:00:05,640 --> 00:00:12,480
landscape has evolved significantly during the recent years, and now companies are obligated to protect
3
00:00:12,480 --> 00:00:16,590
the integrity and confidentiality of information that they gather.
4
00:00:17,160 --> 00:00:20,660
We are also going to have a look at some intellectual property instruments.
5
00:00:21,900 --> 00:00:27,210
Before we delve into details of compliance, there are some key terms which you must understand. The
6
00:00:27,210 --> 00:00:31,440
first of these is PII or personally identifiable information.
7
00:00:32,040 --> 00:00:37,110
Now, this is information that can be used to identify, contact or locate someone.
8
00:00:37,590 --> 00:00:43,680
And this includes things like full name, driver's license number, Social Security number, home address and
9
00:00:43,680 --> 00:00:44,640
contact numbers.
10
00:00:46,420 --> 00:00:53,080
Any organisation that collects, stores and processes this information must protect it, and they are
11
00:00:53,080 --> 00:00:57,290
also obligated to announce the breaches that pass a certain threshold.
12
00:00:58,090 --> 00:01:02,610
There are also some penalties that are applied to organizations that do not comply.
13
00:01:04,330 --> 00:01:10,220
The next important term that we need to understand is PHI, which is Protected Health Information.
14
00:01:10,930 --> 00:01:16,930
Now, this refers to health information, including health care plans, payment and history that can
15
00:01:16,930 --> 00:01:18,470
be linked to an individual.
16
00:01:18,910 --> 00:01:24,400
This includes things like names and addresses, health records such as medical or dental, full face
17
00:01:24,400 --> 00:01:27,970
scans and biometric data and health insurance numbers.
18
00:01:28,180 --> 00:01:35,020
The primary difference between PII and PHI is that PHI caters specifically to health related information.
19
00:01:35,590 --> 00:01:40,390
Similar to PII, every organisation that collects, stores and processes
20
00:01:40,390 --> 00:01:42,590
this kind of information must protect it.
21
00:01:42,970 --> 00:01:48,310
There are laws and regulations in place which we are going to discuss shortly, and there are penalties
22
00:01:48,310 --> 00:01:51,760
applied if organizations do not comply with these regulations.
23
00:01:54,410 --> 00:02:00,290
Let's have a look at some of the popular compliance regulations, so the first one is GDPR or General
24
00:02:00,290 --> 00:02:01,720
Data Protection Regulation.
25
00:02:02,000 --> 00:02:08,360
This was introduced by the European Union in order to protect the personal data of EU citizens worldwide.
26
00:02:08,880 --> 00:02:13,760
An important point to note here is that an organization can be located anywhere in the world, even
27
00:02:13,760 --> 00:02:14,720
outside the EU.
28
00:02:15,200 --> 00:02:21,530
But if they collect, process and store the data of EU citizens, then GDPR applies to them as well.
29
00:02:22,220 --> 00:02:28,320
The next one is HIPAA, which stands for Health Insurance Portability and Accountability Act.
30
00:02:28,910 --> 00:02:31,910
Now this is aimed at protecting health care information.
31
00:02:33,440 --> 00:02:39,050
And the third one is PCI-DSS, which is the Payment Card Industry Data Security Standard protection
32
00:02:39,050 --> 00:02:42,930
regulation, and it is aimed at protecting credit card data.
33
00:02:43,250 --> 00:02:46,520
We are now going to have a more detailed look at each of these regulations.
34
00:02:47,730 --> 00:02:53,610
Let's start with GDPR or the General Data Protection Regulation, and here are the salient features.
35
00:02:54,180 --> 00:02:59,770
So the first is purpose limitation. Data should be collected and used only for the stated purposes.
36
00:03:00,240 --> 00:03:05,280
So an organization cannot use data for purposes it has not explicitly declared.
37
00:03:07,210 --> 00:03:10,390
Data breaches must be reported within 72 hours.
38
00:03:10,750 --> 00:03:17,800
Failure to do so may incur penalties, and penalties are huge in GDPR. So fines can go up to four million
39
00:03:17,800 --> 00:03:20,650
euros or four percent of annual turnover.
40
00:03:22,910 --> 00:03:29,760
GDPR also mandates ensuring the integrity of the data, so data must be safeguarded, encryption
41
00:03:29,780 --> 00:03:32,890
should be employed and privacy should be enforced.
42
00:03:34,280 --> 00:03:39,230
Storage limitation states that only data that is needed should be stored and other data should be
43
00:03:39,230 --> 00:03:39,760
deleted.
44
00:03:40,040 --> 00:03:45,920
So if a company has collected data about an individual and they're only using part of their data, then
44
00:03:45,920 --> 00:03:50,780
the rest of the data should be deleted; they cannot just store it indefinitely in the hopes of using
46
00:03:50,780 --> 00:03:51,650
it in the future.
47
00:03:53,480 --> 00:03:59,660
GDPR also provides the "right to be forgotten", which basically means that organisations need to provide
48
00:03:59,660 --> 00:04:05,270
individuals the option of selecting whether they want their data to remain indefinitely with the company
49
00:04:05,270 --> 00:04:06,980
or whether they want it to be deleted.
50
00:04:07,260 --> 00:04:10,760
And if they choose so, the company must delete the data.
51
00:04:11,400 --> 00:04:17,660
Now, this gives tremendous powers to individuals because they can opt whether the data lives indefinitely
52
00:04:17,660 --> 00:04:20,120
with the company or whether they want it to be deleted.
53
00:04:22,350 --> 00:04:27,430
So next is HIPAA - Health Insurance Portability and Accountability Act.
54
00:04:27,660 --> 00:04:29,790
And here are the salient features of HIPAA.
55
00:04:30,480 --> 00:04:32,750
So the first one is physical protection.
56
00:04:33,270 --> 00:04:39,330
Companies must control and monitor access to systems and track electronic personal health information
57
00:04:39,330 --> 00:04:39,990
devices.
58
00:04:41,520 --> 00:04:48,240
The second one is admin protection. Companies must manage risk; they must block unauthorised access and
59
00:04:48,240 --> 00:04:49,980
train staff in order to do so.
60
00:04:51,060 --> 00:04:56,560
Companies must immediately notify patients, health authorities and possibly the media about breaches.
61
00:04:57,360 --> 00:05:01,010
It should be noted that breaches need to pass a certain threshold.
62
00:05:01,620 --> 00:05:08,460
So if the breach passes 500 or more records, then the company is obligated to make these announcements.
63
00:05:08,940 --> 00:05:13,860
If the breach is very small, then they do not need to actually notify media, for example.
64
00:05:15,900 --> 00:05:21,070
The privacy rule states that a company must respond to a patient's request for information.
65
00:05:21,390 --> 00:05:26,730
So basically a patient can request a company to share all of the information that they have collected
66
00:05:26,730 --> 00:05:27,270
about him.
67
00:05:29,150 --> 00:05:35,360
HIPAA has different tiers of penalties, which range from a hundred dollars per violation up to
68
00:05:35,360 --> 00:05:40,520
1.5 million dollars per year if the company is shown to wilfully neglect HIPAA regulation.
69
00:05:41,620 --> 00:05:48,100
HIPAA also enforces technical protection, which means the need to protect the confidentiality and integrity
70
00:05:48,100 --> 00:05:55,000
of data, so companies must encrypt electronic personal health information and they must control and log
71
00:05:55,000 --> 00:05:57,130
any access to ePHI.
72
00:05:58,940 --> 00:06:05,930
The third one is PCI-DSS, which is aimed at protecting credit card data. Companies which want to
73
00:06:05,930 --> 00:06:09,260
be compliant with PCI-DSS must do the following.
74
00:06:10,450 --> 00:06:16,720
The first one is vulnerability management, which means that companies should have an appropriate vulnerability
75
00:06:16,720 --> 00:06:23,050
management program in place, which basically scans for any possible vulnerabilities and addresses them.
76
00:06:23,890 --> 00:06:25,090
The second one is secure
77
00:06:25,090 --> 00:06:31,540
network and communication. Companies must employ appropriate tools in order to encrypt and secure their
78
00:06:31,540 --> 00:06:32,800
end-to-end communication.
79
00:06:34,120 --> 00:06:39,970
The third one is network monitoring and testing, so companies must have mechanisms which ensure that
80
00:06:39,970 --> 00:06:44,940
the network is properly monitored and any breaches or malware infections are detected.
81
00:06:46,060 --> 00:06:48,790
The fourth one is authentication and access security.
82
00:06:49,210 --> 00:06:54,940
So companies must have appropriate mechanisms which ensure that end users are properly authenticated.
83
00:06:55,570 --> 00:07:01,390
A simple example could be that a client wants to make a credit card payment, and if they are doing so over
84
00:07:01,390 --> 00:07:07,870
HTTP, then it means the company has breached PCI-DSS because the end-to-end connection is not encrypted.
85
00:07:08,140 --> 00:07:13,380
It is being done in plain text, which can lead to possible compromise of the credit card data.
86
00:07:14,410 --> 00:07:15,790
So they should always use HTTPS,
87
00:07:16,360 --> 00:07:20,470
for instance, in order to ensure that the end-to-end payment channel is encrypted.
88
00:07:22,580 --> 00:07:27,530
Here are some tips on being compliant with these regulations. As the old saying goes, prevention is
89
00:07:27,530 --> 00:07:28,310
better than cure.
90
00:07:28,730 --> 00:07:35,090
If your company can conduct business without extensively collecting personally identifiable information
91
00:07:35,090 --> 00:07:37,750
and protected health information, you should do that.
92
00:07:37,910 --> 00:07:42,200
And even if you have to collect it, then it should be the minimal set that is required.
93
00:07:43,160 --> 00:07:46,730
An example could be if you want to enable online payments on your website.
94
00:07:46,760 --> 00:07:51,410
So one option could be that you collect all of the information, including the client's name, address,
95
00:07:52,190 --> 00:07:54,530
credit card information, phone numbers and so on.
96
00:07:55,010 --> 00:07:57,020
And then you also store payment information.
97
00:07:57,650 --> 00:08:03,230
Another option could be that you use third-party things like PayPal and you just redirect the client
98
00:08:03,230 --> 00:08:03,680
to them.
99
00:08:04,220 --> 00:08:06,890
And from there you just get a confirmation of the payment.
100
00:08:07,960 --> 00:08:13,240
So if payment confirmation is the only thing required for conducting your business, you should definitely
101
00:08:13,240 --> 00:08:13,750
do that.
102
00:08:14,260 --> 00:08:19,990
There is no point in collecting extensive information, which is only going to increase your exposure
103
00:08:19,990 --> 00:08:20,440
factor.
104
00:08:21,780 --> 00:08:27,030
You should always use encryption both at rest (so, for example, your database should be encrypted)
105
00:08:27,420 --> 00:08:31,540
and in transit, when you're sending your data over the public Internet, for example.
106
00:08:31,830 --> 00:08:34,650
So you should use, for example, IPsec or TLS.
107
00:08:34,799 --> 00:08:40,260
You should also implement a security framework for controlling access to data, so your data should be
108
00:08:40,260 --> 00:08:41,520
properly classified.
109
00:08:41,610 --> 00:08:43,799
For example, is it private,
110
00:08:43,799 --> 00:08:45,540
is it confidential, is it public?
111
00:08:45,840 --> 00:08:49,050
And then you should assign access to different users based on that.
112
00:08:50,070 --> 00:08:55,230
Let's discuss intellectual property, a concept that is increasingly becoming important in the world.
113
00:08:57,200 --> 00:09:02,600
So today, the focus of wealth creation is increasingly moving away from tangible assets such as real
114
00:09:02,600 --> 00:09:05,960
estate to intangible assets such as intellectual capital.
115
00:09:06,410 --> 00:09:13,340
The problem is that we have extensive tools and laws in order to protect tangible assets, but we also
116
00:09:13,340 --> 00:09:16,610
need similar tools to protect these intangible assets.
117
00:09:17,270 --> 00:09:23,450
So intellectual property is an intangible type of property that has been created using the human intellect.
118
00:09:24,110 --> 00:09:29,210
Some of the popular tools that are used to protect intellectual property include trademark.
119
00:09:30,110 --> 00:09:34,900
So which gives the owner the exclusive right to the use of a phrase, symbol or design.
120
00:09:35,510 --> 00:09:39,440
And this prevents companies from selling products using similar logos.
121
00:09:39,470 --> 00:09:45,020
So, for example, these trademarks are used by McDonald's and Nestlé and other companies are not allowed
122
00:09:45,020 --> 00:09:45,680
to use them.
123
00:09:47,270 --> 00:09:52,580
The next is copyright, which basically protects the creative or intellectual work such as images,
124
00:09:52,580 --> 00:09:54,330
music and other works of art.
125
00:09:55,040 --> 00:09:58,010
Now copyright is valid for the life of the author,
126
00:09:58,100 --> 00:10:04,640
and then an additional 70 years after that. An important point to note is that for copyright, it is
127
00:10:04,640 --> 00:10:06,080
nice to get it registered.
128
00:10:06,320 --> 00:10:11,930
But even if it is not registered, and you can show the date of publication, whether it's online or in
129
00:10:11,930 --> 00:10:17,360
the form of a book or anything, if you can prove the date of publication, then you already own the
130
00:10:17,360 --> 00:10:18,270
copyright to that.
131
00:10:18,800 --> 00:10:23,900
So whatever you publish, if it is original and you can prove the date of publication, then it means
132
00:10:23,900 --> 00:10:25,850
that it is automatically copyrighted.
133
00:10:27,110 --> 00:10:33,260
The third one is patent, which prevents anyone from making, using or selling the patented invention.
134
00:10:33,710 --> 00:10:37,910
This is extensively used by commercial enterprises to launch specific products.
135
00:10:38,960 --> 00:10:44,820
Now a patent is valid for 20 years, and it is also only applicable in the country
136
00:10:44,840 --> 00:10:45,510
in which it was filed.
137
00:10:45,530 --> 00:10:49,340
So if you want an international patent, you have to apply in different countries.
138
00:10:49,790 --> 00:10:51,170
This concludes our lecture.
139
00:10:51,560 --> 00:10:52,820
I'll see you in the next one.