top of page

Regulatory Compliance


Many government entities on federal and state levels now require for-profit, non-profit and government organizations to comply with a patchwork of laws and other restrictions when collecting, storing, using, and disclosing Personally Identifiable Information (PII) and other types of sensitive information.  As part of these compliance requirements, quarterly and annual regulatory assessments are required.  


At Clarus Tech Partners, we specialize in guiding our clients through the intricate landscape of regulatory compliance.  We help you figure out the right strategy for your organization, then support you through all steps of implementation. 

data security auditing


The Health Insurance Portability and Accountability Act (HIPAA), is a U.S. federal law that establishes standards for the privacy and security of individuals' health information. HIPAA mandates healthcare entities to ensure the confidentiality, integrity, and availability of protected health information (PHI). It requires the implementation of administrative, technical, and physical safeguards, including secure data storage, access controls, and comprehensive risk assessments. 


The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that regulates the collection and disclosure of individuals' personal financial information by financial institutions. 

Under GLBA, financial institutions must develop and maintain information security programs to safeguard customers' nonpublic personal information and includes implementing measures for risk assessments, data encryption, and ensuring the secure storage and transmission of sensitive financial data. 


Payment Card Industry (PCI) Compliance Scans identify the security vulnerabilities within your network. The Data Security Standards (DSS) set by the Payment Card Industry (PCI) requires companies with internet-facing systems that accept, process, transmit, or store credit card data to provide a PCI Scan report every 90 days by an Approved Scanning Vendor (ASV). 


Additionally, our expert team provides PCI DSS SAQ and AOC compliance services. 


The General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that establishes rules and standards for the protection of individuals' personal data.  Requirements for GDPR include ensuring lawful and transparent processing of personal data, implementing data protection measures, respecting individuals' rights, and establishing mechanisms for data breach notification and compliance documentation. GDPR applies to any organization operating within the EU and for any organization outside of the EU which offers goods or services to customers or businesses in the European Union.  


The California Privacy Rights Act (CPRA) enhances privacy protections compared to the California Consumer Privacy Act (CCPA) and expands the scope of “personal information” to include additional categories such as precise geolocation data, biometric information & inferred information.


Applicable to organizations operating in California or having employees or contractors in the state, CPRA introduces enhanced consumer rights, establishes the California Privacy Protection Agency (CPPA) for enforcement, and imposes stricter regulations on businesses, particularly concerning sensitive personal information and data retention. 


The New York Department of Financial Services (NYDFS) 23 NYCRR 500 regulation requires banks, financial services institutions, and insurance companies to create cybersecurity and data privacy compliance programs. 


Requirements include conducting regular security risk assessments, keeping asset use audit trails, providing defensive infrastructures, maintaining cybersecurity policies and procedures, and creating an incident response plan.



If your organization provides products or services for the Department of Defense (DoD), you will need to meet new cybersecurity standards and certification set by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS provides a set of security controls to safeguard information systems where contractor data resides.  


Currently, cybersecurity is based on the National Institute of Standards and Technology (NIST), the NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations” and organizations need to implement the security controls through all levels of their supply chain. CMMC should be finalized and begin showing up in contracts in Q1 2025 


The Stop Hacks and Improve Electronic Data Security (SHIELD) Act safeguards personal data and applies to all New York businesses, irrespective of size or location, if they have employees or customers in the state. 


Requirements include establishing a cybersecurity program, conducting regular security risk assessments, due diligence on all third-party vendors, testing and monitoring cybersecurity controls, maintaining cybersecurity policies and procedures, and training employees in cybersecurity awareness. 

Complete Approach to GDPR Compliance

Image by Guillaume Périgois

To fully meet all the Regulations of GDPR, organizations need to include the Technical, Legal and Organizational aspects of compliance.  If not fully compliant, you may be at risk of partial compliance and penalties.

Clarus Tech Partners offers comprehensive GDPR Compliance Readiness solutions to help your organization. 


Assess your current data compliance exposure

Build a readiness plan

Implement and test the policies and processes

Manage and control ongoing GDPR compliance


DFARS Interim Rule

Effective since November 30, 2020, the Defense Acquisitions Regulation System released a new DFARs Interim Rule to supplement the current DFARS regulation 7012 as a procedure that helps bridge the gap between NIST 800-171 while CMMC is still being enacted. Organizations need to meet the DoD Self-Assessment and Supplier Performance Risk System (SPRS) Score reporting requirements.


Recently, the DoD decided to revise the rules for its Cybersecurity Maturity Model Certification (CMMC) program and a new version, CMMC 2.0 will reduce the requirements. The revisions are intended to carry forward the original intent of the program to ensure contractors are following best practices for protecting sensitive information on their networks, while also making it easier for small businesses to comply with the mandates.  Stay tuned on these developments – we’ll keep you updated.

We provide a comprehensive program to help your organization meet the DoD Self-Assessment and Supplier Performance Risk System (SPRS) Score reporting requirements.

The Clarus Tech Partners’ team helps companies navigate these global complex compliance requirements.  We develop solutions specific for your organization – assess your requirements and regulatory obligations then establish a compliance strategy to align your applicable state, federal and international data privacy laws and regulations. 

bottom of page