Apr 24 2012 7:01PM GMT
Posted by: Chris Gonsalves
Wal-Mart, compliance, FCPA, GRC, bribery, Mexico
Officials at Wal-Mart Stores Inc. said Tuesday they will appoint the retail giant’s first-ever global compliance officer (GCO). Right on time, guys.
As you probably know by now, Wal-Mart is embroiled in a scandal involving tens of millions of dollars in bribes paid to Mexican officials for zoning and building permits to perpetuate the company’s white-hot expansion throughout our neighbor to the south. Today, one in five Wal-Mart stores is in Mexico, according to the New York Times.
The as-yet-unnamed GCO will no doubt begin his or her tenure trying to explain to federal investigators how it is that Wal-Mart’s Mexican subsidiary knew of the bribes since 2004, but worked to cover them up until the activity was uncovered by the Times. By some accounts, the company has spent more than $24 million to grease the palms of local solons, which would be a gross violation of the U.S. Foreign Corrupt Practices Act (FCPA).
“Wal-Mart’s latest move — appointing a global compliance officer — is all well and good, but is like shutting the barn door after the horse ran out,” said Anthony Michael Sabino, a professor at St. John’s University’s Peter J. Tobin College of Business. “Notwithstanding how well behaved Wal-Mart may be going forward, they must still explain the alleged violations of the FCPA that have already occurred.
“This will be an interesting application of a four decades old law that prohibits American corporations from engaging in the bribery of foreign persons,” said Sabino. “To be sure, paying a ‘gratuity’ may be customary in some parts of the world, but the U.S. has outlawed such practices since the Watergate era. And since that time, U.S. businesses have been hard pressed to obey American law yet get business done in places where a little ‘grease’ is absolutely necessary and expected as a routine cost of doing business.”
According to the Associated Press, Wal-Mart’s new GCO will oversee compliance directors in five other markets. The world’s largest retailer has also established a new, dedicated FCPA compliance director in Mexico who will report to the new GCO.
“Walmart has been working diligently on FCPA compliance and has a rigorous process in place to quickly and aggressively manage issues like this when they arise,” said Wal-Mart spokesman David Tovar in a statement. “In the last year, we have taken a number of specific, concrete actions to investigate this matter and strengthen our global FCPA compliance processes and procedures around the world.
“We will not tolerate noncompliance with FCPA anywhere or at any level of the company,” Tovar said. “We are confident we are conducting a comprehensive investigation and if violations of our policies occurred, we will take appropriate action.”
All that said, I know our job here at SearchCompliance.com is to focus on the technologies that foster and enable good governance, risk management and compliance efforts in the enterprise, but this case is so egregious it bears mentioning on its face. And I honestly can’t think of a technology angle here. What GRC platform could have possibly rooted out the bad actors in Wal-Mart de Mexico over the last seven years? With the obfuscation documented by the Times happening at many levels in the company, I’m not sure the best-armed CCO with the latest governance and compliance tools could have ever rooted it out … even if they wanted to.
Perhaps a Clippy-like office assistant? “You appear to be about to bribe a foreign planning board member. Would you like help with that?”
Got a better answer as to how enterprises can use technology to steer clear of FCPA violations in their global dealings? Let me know at cgonsalves@techtarget.com
Apr 19 2012 5:43PM GMT
Posted by: Ben Cole
Dodd-Frank regulations, Dodd-Frank compliance
President Barack Obama recently signed the JOBS Act into law, cutting back Sarbanes-Oxley requirements for emerging companies. Next up? Dodd-Frank compliance regulations.
The House Financial Services Committee yesterday advanced legislation that cuts $35 billion from the deficit, while also cutting key portions of Dodd-Frank regulations. The Committee voted to eliminate the “Orderly Liquidation Authority” created under Dodd-Frank, and pointed to Congressional Budget Office reports stating its elimination creates $22 billion in savings over the next 10 years. The authority is designed to allow regulators to take control of large, failing organizations and wind them down in such a way that it does not wreak havoc on the economy.
Republicans argued this puts taxpayers at risk.
“Dodd-Frank, signed into law in July 2010, permanently established a bailout regime in which the federal government will expend considerable sums upfront to bailout creditors of failed firms,” according to a Financial Services Committee release.
The committee also approved an amendment that repeals the Office of Financial Research (OFR), created under Dodd-Frank to gather information on the financial system. Detractors were critical of the OFR’s ability to collect non-public information, and added that it “lacks accountability and transparency.”
Prior to the Financial Services Committee vote, Treasury Secretary Timothy Geithner warned lawmakers that reducing Dodd-Frank regulations under the committee’s proposals “would critically undermine the government’s ability to limit the damage to the economy in the event of future financial crises.”
Geithner was also critical of the “number of proposals” pending before the House of Representatives that would amend portions of Dodd-Frank regulations that reform the derivatives market.
“If enacted, the proposed legislative changes would undermine the integrity of the rulemaking process, further complicate the work of the regulators, and increase uncertainty for firms,” Geithner wrote in the April 18 letter to House Financial Services Committee Chairman Spencer Bachus and Ranking Member Barney Frank.
The measure now goes to the full House, where it will no doubt continue to be argued along party lines. But the question is, with the economy finally showing signs of recovery (albeit slowly), is rolling back SOX and Dodd-Frank compliance regulations sending the right message? These regulations were put in place to prevent another economic crisis, and now we want to cut them back before we are even fully out of the woods?
The current crisis began only a few years ago — it’s hard to believe the fraud and lack of oversight is already forgotten. Legislators need to be careful about rolling back compliance, before they are left wondering why we are in another crisis due to unsavory practices created by a lack of rules.
Apr 11 2012 7:39PM GMT
Posted by: Ben Cole
JOBS Act, financial deregulation
So now that President Obama has signed the JOBS Act into law, will deregulating the emerging businesses increase jobs and jumpstart the economy as intended? Or will the financial deregulation simply increase the likelihood for fraud that caused the current economic malaise in the first place?
It depends on who you ask.
For example, you could read a recent opinion article on CNN.com by Amy M. Wilkinson, a senior fellow at the Harvard Kennedy School of Government and a public policy scholar at the Woodrow Wilson International Center for Scholars. Wilkinson praises the JOBS Act’s passage, noting that it will promote entrepreneurship and job creation.
“Sarbanes-Oxley compliance is much more onerous for smaller companies than it is for larger entities such as General Electric, Johnson & Johnson or IBM,” Wilkinson writes. “The JOBS Act helps smaller companies conserve resources.”
On the other side of the coin, you could read Matt Taibbi’s Rolling Stone blog post with the not-too-subtle headline “Why Obama’s JOBS Act Couldn’t Suck Worse.” And Taibbi’s criticism does get worse from there.
“In fact, one could say this law is not just a sweeping piece of deregulation that will have an increase in securities fraud as an accidental, ancillary consequence,” Taibbi writes. “No, this law actually appears to have been specifically written to encourage fraud in the stock markets.”
These are just two examples of the wide range of opinions on the matter. You also have the Washington Post’s article titled “JOBS Act could give some banks a boost.” The Post article points out that small banks will be allowed to raise additional capital without having to register with the SEC, a requirement that can cost “tens of thousands of dollars a year in compliance costs.” Then there are opinions like that of former New York Governor Eliot Spitzer, who suggested renaming the JOBS Act the “Return Fraud to Wall Street in One Easy Step Act.”
So what do you think of the JOBS Act passage? Is it a business boost that the United States has been clamoring for since the economic collapse? Or is it an invitation to create more fraud like the kind that got us in this mess in the first place? Or is it somewhere in between? Let SearchCompliance.com know in our comments section below, or hit us up on Twitter @ITCompliance to provide your opinion. We’d love to hear our readers’ thoughts on such a divisive issue.
Apr 4 2012 9:16PM GMT
Posted by: Ben Cole
PCI compliance requirements, Global Payments
Until recently, you may not have heard of Atlanta-based credit card payment processor Global Payments Inc. On the other hand, it’s likely that you’re very familiar with two of the company’s main clients: Visa and MasterCard. But Global Payments was made instantly more recognizable when it announced last week that up to 1.5 million of its Visa and MasterCard accounts were potentially breached.
The data breach was confined to North America, according to a Global Payments statement. Track 2 card data may have been stolen, but cardholder names, addresses and Social Security numbers were not obtained during the breach, the statement said.
MasterCard and Visa made it very clear that their own systems were not compromised. This information, however, did not stop Visa from making a somewhat symbolic move surrounding its PCI compliance requirements for processors: After the breach, Visa announced it had removed Global Payments from a list of “compliant service providers.”
Global Payments has promised to recommit to PCI and other compliance standards in light of the breach. It is also working with “multiple information security firms and forensics firms to investigate and address” the issue.
But did Global Payments — or any other credit card payment processors — ever really commit to PCI compliance requirements in the first place?
In an interesting report following the Global Payments incident, a New York Times article stated that while financial service companies such as Visa and MasterCard have increased security in recent years, their payment processors have become more vulnerable. These payment processors are not held to the same compliance and security standards as the banks and retailers they serve … and hackers are starting to notice.
Up until this week’s news of the Global Payments breach, perhaps processors thought they could slide under the radar. But now that Visa and MasterCard customers — as well as anyone else who reads the news — know exactly who they are, will they be held accountable for PCI and other compliance mandates? We’ll find out in the coming months if other payment processors are hacked. If it becomes a trend, these processors will likely be on notice to improve security and compliance processes before they’re in the news again.
Mar 28 2012 7:32PM GMT
Posted by: Ben Cole
Online privacy rules, regulatory compliance, JOBS Act
It’s been an interesting week in the world of regulatory compliance: Within the span of a few days, the FTC released a report recommending online privacy rules and the House approved the JOBS Act, which reduces regulatory compliance obligations for small and emerging businesses.
The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these issues take into account the burden of small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Can’t these small and emerging companies commit infractions, too? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps tailoring regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.
Mar 20 2012 5:04PM GMT
Posted by: Ben Cole
online data privacy, privacy framework
In recent months, both the European Union and the United States have made strides to protect online data privacy: In January, the EU adopted legislative proposals to reform its online data protection rules. A month later, President Obama released a “Consumer Privacy Bill of Rights” proposal.
The two sides believe there’s strength in numbers when it comes to online data privacy: In a joint statement delivered Monday at a conference on online data privacy and protection, the European Union and the United States committed to work together to maintain it.
Doing so will enhance consumer trust and promote continued growth of the global Internet economy, they say. This last part is important — anytime there’s the potential for new regulations to comply with, be it privacy or otherwise, at least some companies cry foul about how it will ultimately affect the bottom line.
“Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders,” according to a joint statement released by European Commission vice president Viviane Reding and U.S. Secretary of Commerce John Bryson.
And the two sides don’t want to stop there: They pledged to engage with other international partners to increase interoperability in privacy laws and regulations, as well as cooperate on enforcement. By creating “mutual recognition” privacy frameworks, the U.S. and EU hope they are just the beginning in steps toward privacy rules on a more global scale.
The two promised to build on the U.S.-EU Safe Harbor Framework, and the statement pointed out that since its inception in 2000, over 3,000 companies have self-certified to it. This demonstrates these companies’ “commitment to privacy protection and to facilitate transatlantic trade,” according to the joint statement.
The statement again mentioned the commitment to fostering business as well as privacy maintenance, and promised to use the Safe Harbor Network as a tool to promote economic growth.
As I stated before in this space, this buy-in and commitment to business is key to any privacy initiative’s success. This is especially true if this online data privacy push continues to lack hard-and-fast privacy rules — and hefty fines for noncompliance. Until then, protecting consumer data privacy will largely be left up to the businesses themselves.
But judging by the U.S. and EU’s joint statement, universal online data privacy compliance may be on the horizon.
Mar 6 2012 9:19PM GMT
Posted by: Ben Cole
electronic health records system, personal health information
Electronic health record systems are often touted as a way to reduce medical costs, make personal health information easily accessible for patients and increase quality of care.
Not so fast, according to recent reports.
The push for electronic health record adoption has increased the number of health care data breaches and the costs to clean up after them, according to a report released by the American National Standards Institute. The report notes that even if an organization has effective policies in place to meet electronic health records system compliance, a lack of both resources and leadership support is a barrier to security.
Complicating the problem is that it’s no longer just traditional health care providers and billing organizations handling the data. More entities outside of hospitals and doctor offices (such as urgent care facilities, retail store clinicians and telemedicine offices) are using patients’ personal health information, increasing the likelihood for a breach.
The impact of a data breach can include monetary damage not only to the individual patient but also to the facility where the breach occurred, if the victim seeks reimbursement or sues for damages. The health care facility can also be subject to huge fines for violating compliance regulations.
Another recently published study, this one from HealthAffairs, is also related to the unexpected costs surrounding electronic health records systems, but of a different sort. The study examined the assumption that electronic access to patient test results and medical records saves money by reducing diagnostic testing.
HealthAffairs researchers analyzed the records of 28,741 patient visits to a sample of 1,187 physicians. They found physicians’ access to computerized imaging results was associated with a 40% to 70% greater likelihood of ordering (often expensive) tests. HealthAffairs researchers said the findings raise the possibility that electronic access does not decrease test ordering and may even increase it — as well as costs — possibly because of system features that serve as enticements to ordering.
So which is it? Are electronic health records system mandates a way to decrease health care costs, or are they actually making health care more expensive and personal information more vulnerable? The answer is somewhere in between, but providers need to be more vigilant about making their systems more secure and compliant with regulations. If not, the push to digitize personal health records will continue to cost patients and providers privacy, a lot of money and, ultimately, their reputation.
Feb 27 2012 9:58PM GMT
Posted by: Ben Cole
Consumer Privacy Bill of Rights, online consumer privacy
On the heels of proposed data protection reforms in Europe and the recently unveiled Cybersecurity Act of 2012, President Obama hopped on the bandwagon and last week proposed a Consumer Privacy Bill of Rights to protect personal information online.
Previous online consumer privacy legislation (and many other Internet-related laws, for that matter) has faced much of the same criticism: It either does not do enough to protect online privacy, or when it does it is at the expense of businesses that will spend too much time, money and resources trying to comply with the new rules. The White House promises that its proposal takes into account both sides of the equation by protecting online consumer privacy and economic growth.
The White House’s bill of rights pushes for consumer control over what personal data organizations collect and how they use it; transparency surrounding privacy and security practices; and “reasonable limits” on the personal data that companies collect and retain. In addition, a White House statement accompanying the Consumer Privacy Bill of Rights announcement noted that companies representing the delivery of nearly 90% of online behavioral advertisements — including Google, Yahoo, Microsoft and AOL — have agreed to comply with “Do Not Track” technology.
Buy-in from big names such as these will be essential to any online consumer privacy effort. The New York Times already reported that a mandatory “Do Not Track” mechanism may not stop as much online tracking as some may think. Until hard-and-fast rules with legal ramifications are implemented surrounding online consumer privacy, it will largely be left up to online businesses to decide how much their customers’ privacy means to them. And if consumer privacy concerns are outweighed by the effects on the bottom line? One can only guess which side of the debate they would land on.
One other big question surrounding the White House’s Consumer Privacy Bill of Rights proposal is that, well, it’s just a proposal. Congress would have to pass legislation to implement the rules as a law, and this would require time-consuming back and forth to debate the issue. It will be interesting to see what happens if large Internet-based companies realize business will be negatively affected by the new rules and decide to use lobbying influence to fight them. If they do, it’s an easy bet that any new online consumer privacy rules would end up watered down and leave room for still more targeted rules to be proposed in the future.
Feb 15 2012 9:18PM GMT
Posted by: Ben Cole
Cybersecurity Act, Cybersecurity Act of 2012
After three years of hearings and negotiations, a group of Senate Committee leaders unveiled the Cybersecurity Act of 2012.
Under the new Cybersecurity Act, the Department of Homeland Security would assess the cyber-related risks and vulnerabilities of “critical infrastructure systems” to determine which should be required to meet a set of risk-based security standards. This would include those systems that, should they be disrupted, would cause mass death, evacuation or major damage to the economy and national security.
The Cybersecurity Act outlines several characteristics that stress it’s a public/private partnership, including:
- DHS would work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements.
- The owners of a covered system would themselves determine how best to meet the performance requirements and then verify that they were compliant.
- The private sector and the federal government would actively share information surrounding threats, incidents, best practices and fixes, “while maintaining civil liberties and privacy.”
The senators were definitely not working in a vacuum — they made a conscious effort to curb criticism that plagued previous online security measures. The senators stressed that the Cybersecurity Act of 2012 “in no way” resembles the Stop Online Piracy Act (SOPA) or the Protect Intellectual Property Act (PIPA), and instead focuses on the “essential services that keep our nation running.” The senators also omitted emergency authorities for the president, likely because of the backlash around the Internet “kill switch” proposed in an earlier version of the Cybersecurity Act.
But despite efforts to distance it from previous online security legislation, the new Cybersecurity Act is already facing criticism — some of it very familiar.
Opponents — including the Financial Services Roundtable and the U.S. Chamber of Commerce — have decried the act’s provisions and say it would create yet another burdensome, costly regulatory compliance mandate. Others are still concerned about the potential privacy implications the Cybersecurity Act could create — likely a hangover from the lengthy debate surrounding SOPA and PIPA from earlier this year.
So will the Cybersecurity Act of 2012 strike the right balance between protecting data and not hurting the companies it’s designed to help? The debate will begin in earnest tomorrow, when the Homeland Security & Governmental Affairs Committee will hold its first hearing on the Cybersecurity Act. The hearing is likely to address these questions and more, as it begins the latest chapter in the ongoing cybersecurity debate.