

Compliance Regulations

Cybersecurity and data protection laws focus on protecting sensitive data, such as personally identifiable information (PII), protected health information (PHI), and financial data. As the frequency and impact of cyberattacks escalate, more regulations are being introduced to help protect organizations and their customers’ data. It’s important to understand the role of password and credential security within the regulatory landscape.


HIPAA is a framework for governing and safeguarding protected health information (PHI). Prevent data breaches and avoid HIPAA penalties by verifying that credentials within your systems have not been exposed. Ensure your sensitive information remains protected against unauthorized access.



HITRUST works with privacy, information security, and risk management leaders. Comply with HITRUST requirements by ensuring organizations have a dynamic list of commonly-used, expected, or compromised passwords. Confirm that when users update or create new passwords, those passwords are safe.



The CJIS framework offers guidelines for the security and privacy of criminal justice information. Enzoic facilitates the management of password changes and ensures that the authenticator content (passwords) is protected from unauthorized disclosure and modification.



The UK’s National Cyber Security Centre (NCSC) provides guidance and standards to help organizations improve their cybersecurity practices. The NCSC’s guidelines recommend password changes when there is evidence of compromise, which is a more secure alternative to periodic resets.


According to FINRA, “Protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms.” Institutions are required to adhere to the SEC’s Regulation S-P, which states that companies must have policies and procedures designed to protect customer information and records.



The PCI-DSS requires all organizations that accept, process, store, or transmit payment card information to ensure a secure environment that protects this data. Preserve the integrity of access to cardholder data by ensuring that passwords and user credentials have not been exposed in data breaches.



The Sarbanes-Oxley Act (SOX) has some important security considerations. A key component of securing financial reporting systems is confirming that only authorized users are able to access them. Companies must implement procedures to address this, with strengthening password security as a logical first step.


CMMC is mandated by the DoD for defense contractors and all entities operating in their supply chain. Outline the Access Control, Identification and Authentication, and System and Information Integrity sections.


CISA’s primary goal is to protect the country’s critical infrastructure from both physical and cyber threats. CISA’s warning about using MFA without improving password security.



The SHIELD law expands data security and breach notification requirements to cover any business that collects private data of New York residents, not just companies that conduct business in the state. Maintain the confidentiality and integrity of private information by receiving alerts to potential breaches in security and monitoring for compromised credentials.



The NYDFS Cybersecurity Regulation requires New York companies to assess their cybersecurity risk profile. One notable requirement is the implementation of an automated method to block commonly used passwords for all accounts on information systems owned or controlled by Class A Companies, and wherever feasible, for all other accounts.



GDPR requires companies to obtain explicit, informed consent before gathering personal data. In the event of a data breach, GDPR mandates that impacted individuals are notified immediately. Implementing a strong password policy is the best way for an organization to avoid issues with GDPR.



NIST recommends eliminating periodic password change requirements, reducing algorithmic complexity, and screening new passwords against lists of commonly-used or compromised passwords. Create a more user-friendly and secure password environment. Frameworks include Control IA-5 in SP 800-53, NIST 800-171, and NIST 800-63B.


Frequently Asked Cybersecurity Compliance Questions

Enzoic's Role in Meeting HIPAA Requirements

HIPAA Compliance: Protecting Patient Health Information

HIPAA & HITECH Acts: Enzoic aids in protecting Patient Health Information by enhancing security measures against data breaches, a critical aspect under the HIPAA Security Rule and HITECH amendments. Enzoic specifically helps organizations address the requirements for protecting electronic PHI, directly impacting compliance with 45 CFR §164.308 (administrative safeguards) and §164.312 (technical safeguards) by ensuring the integrity and confidentiality of user credentials and access management.

HITRUST: Elevating Healthcare Cybersecurity

Control Reference 01.d: By maintaining an updated list of compromised passwords, Enzoic enables healthcare organizations to meet this HITRUST CSF control, crucial for managing access control and enhancing cybersecurity frameworks within healthcare settings.

PCI-DSS Compliance: Securing Cardholder Data

Requirements 7, 8, 10, and 11: Enzoic’s solutions support organizations in fulfilling PCI-DSS’s stringent access control and monitoring requirements. Specifically, Enzoic’s APIs help organizations ensure that access to cardholder data is restricted to authorized individuals only, aligning with Requirement 7. By verifying that user credentials are not compromised, Enzoic addresses Requirement 8’s mandate for identifying and authenticating access to system components. Additionally, our capabilities in monitoring for compromised credentials bolster compliance with Requirements 10 and 11, focusing on tracking and testing security systems and processes.

GDPR Compliance: Upholding Data Protection

Article 33 Compliance: Enzoic’s proactive breach prevention measures help organizations comply with GDPR’s breach notification requirements by minimizing the risk of personal data breaches and thus eliminating the requirement to notify. Enzoic allows users to set secure passwords, directly contributing to the protection of personal data against unauthorized access, thus supporting organizations in their GDPR compliance efforts, particularly under Articles 32 and 33 regarding security of processing and notification of personal data breaches.

FINRA Compliance: Safeguarding Financial Integrity

FINRA & SEC Regulation S-P: Enzoic’s continuous monitoring for compromised credentials enables FINRA member firms to proactively address cybersecurity vulnerabilities, aligning with SEC’s Regulation S-P requirements for protecting customer records and information. This capability is crucial for meeting the expectations of robust cybersecurity practices in the financial industry.

CMMC Compliance: Defending the Defense Industrial Base

AC.1.001, AC.1.003, AC.2.005, IA.1.076, IA.2.079, SI.1.210: Enzoic directly supports defense contractors in adhering to the Cybersecurity Maturity Model Certification by enhancing access control and authentication. Our solutions verify the security of credentials, aligning with Access Control and Identification and Authentication practices, and contribute to System and Information Integrity, thereby ensuring compliance with crucial aspects of the CMMC framework.

Aligning with NCSC Guidelines

Adherence to Best Practices: By maintaining an updated list of compromised passwords and detecting compromise in your environment to prompt secure changes only when necessary, Enzoic aligns with the National Cyber Security Centre’s guidelines. This approach supports the NCSC’s recommendations against time-based password resets and for the use of strong, unique passwords.

NYS SHIELD & NYDFS Compliance: Protecting New Yorkers

SHIELD Act and DFS Regulation: Enzoic aids organizations in complying with New York’s SHIELD Act and Department of Financial Services Cybersecurity Regulation by ensuring the security of user credentials and sensitive data. Our solutions help in fulfilling the requirements for a comprehensive cybersecurity program (Section 500.02) and robust access controls (Section 500.07), among others.

CJIS Compliance: Securing Criminal Justice Information

Authenticator Management (IA-5): Enzoic’s solutions enhance the integrity and strength of passwords, crucial for authenticator management under the Criminal Justice Information Services security policies. This support is vital for organizations handling criminal justice information, ensuring compliance with CJIS standards for authenticator management.

Sarbanes-Oxley Act (SOX)

Enzoic’s solutions reduce password reuse and ensure credentials are strong by prohibiting users from selecting common, weak, or compromised passwords—thereby helping to satisfy SOX password requirements to prevent unauthorized access.

Cybersecurity Compliance Resources


A Guide to GDPR Compliance

Ensure GDPR Compliance and Protect Your Organization from Costly Penalties. Learn the key steps to take when handling EU citizens' data in the event of a data breach.



A Keystone of Cybersecurity for Water and Wastewater Infrastructure:...

The White House put out an official letter warning of severe cyberattacks directed at water and wastewater infrastructure across the country.



CISA: The Risk of MFA Without Improving Password Security

CISA alert helps cybersecurity professionals understand that MFA alone is insufficient. Make sure to secure each authentication layer.
