Are you prepared for the inevitable? Odds are it’s merely a matter of time before your business experiences a computer security-related breach and you need a solid data breach response plan. How are you going to handle the situation? Especially if you’re a smaller business, your IT resources probably are minimal. But even your outside resources might not have the expertise to help when you’re in a data security bind. In today’s connected world, there’s a lot that can go wrong when it comes to technology.
Before the bits hit the fan, you need to understand what a breach really means to your business. What it means depends on the industry you’re in and the contracts and compliance regulations you’re held accountable for. Regardless of the type of sensitive information that’s exposed (credit cards, Social Security numbers or intellectual property, for example), you need to define what a “breach” means for your company so you’ll know when to enact your incident response plan. It might be a malware infection, a defaced website or a lost laptop. You also need to remain aware: Data breach statistics show that someone else probably will notify you before you even know about the breach.
Once you do discover a breach, your data breach response plan should allow you to respond quickly and wisely. You can’t just restore a system from backup, or sweep a loss or theft under the rug. You’re going to have to dig in deeper to see what actually happened (by hiring a forensics expert, for example, or calling law enforcement or hiring a technical resource to help), and determine any additional steps you might need to take. These include the way you will pursue the culprit and notify the affected parties based on what the data breach notification laws require.
Going forward, be smart about how you address the breach. That’s what regulators, business partners and customers (and their lawyers) are going to be looking at. Don’t expect perfection — but you do need to keep good notes on what has been done already, what you plan to do to remediate the problem and how you’ll prevent it from reoccurring.
Perhaps most importantly, get your lawyer involved. Even if he’s not tech-savvy, he needs to know about the data breach laws, the compliance regulations you face and how the breach affects your existing contracts.
In other words, don’t just react — respond. Being prepared is the best way to not drop the ball on incident response. When it comes to computers, business applications and sensitive information, something is bound to happen — eventually. This is true regardless of the size of your business. Even if you think you’re not a target or at risk, you are.
An employee is going to lose an unsecured smartphone — even though policy mandates that all smartphones are to be password-protected and that no business information should be stored on them. A contractor is going to lose an unencrypted backup tape — even though your contract says that all media shall be encrypted and transported securely via a third-party service. A cloud provider is going to overlook a SQL injection hole in their system — even though they passed their SAS 70 or SSAE 16 audit with flying colors.
When you prepare for the inevitable with a data breach response plan, you can respond to these problems and more in a professional way, and minimize the impact on your information systems. This should be your ultimate goal.
Remember the law of inertia from physics class? It says that a body at rest tends to remain at rest unless acted upon by an outside force. Well, compliance is the law of inertia-type catalyst when it comes to information security strategy. Over the past decade, I’ve seen many businesses remain complacent when it comes to information security until they’re forced to pay more attention in the name of compliance. They end up spending a few months documenting policies, tightening passwords, creating antivirus processes and, voila, the business is compliant. And secure, right? Well, not really.
A question in the recent Ponemon Institute State of Global IT Security survey asked nearly 1,900 participants in 12 countries, “Are you taking appropriate steps to improve your organization’s information security posture…If no, why?” The No. 1 answer was “insufficient resources” (39%), followed by “not a priority issue” and “lack of clear leadership.” This begs the question: If information security strategy is being undervalued and overlooked, then how can these businesses possibly be compliant? There’s hardly any business I’ve seen that’s not required to comply with an information security-related regulation either directly or indirectly. I’m confident you could ask most executives how their IT governance program is working and they’ll proudly say “we’re compliant.” But compliant with what?
To me, there’s the good, the bad and the ugly side of compliance strategy:
- The good: Solid control, visibility and automation are present. These traits facilitate not only compliance but also help manage information risk.
- The bad: Duplicated technical controls, multiple sets of policies/procedures and overlapping security evaluations that only make it appear that work is getting done.
- The ugly: When management and other key players assume that compliance strategy has created a strong, impenetrable infrastructure.
With compliance, you don’t need to spend a ton of money completely revamping the way you do business, but you do need to be mindful of what’s at stake so you don’t end up at the back of the herd. Speaking of which, there’s the spirit of the law and the letter of the law, and savvy executives and their legal counsel will likely focus on the former. Odds are the businesses that strive for perfection will end up wasting time, money and resources on compliance strategy. Still, there are many businesses in operation today that have yet to even acknowledge they have a problem, much less have developed a plan for how they’re going to move towards any semblance of reasonable IT governance.
Most importantly, make sure you’re addressing compliance for the long-term benefit of the business rather than to simply complete a one-time checkbox and move on. Sadly, too many people are doing the latter, and the long-term consequences will eventually be evident. Don’t fall into this trap.
If you look at news headlines, you’d think the sky were falling with all of the hack attacks and subsequent data breaches taking place. Just glancing at the Chronology of Data Breaches says it all. Every business is, arguably, a target, with both known and unknown vulnerabilities waiting to be exploited. But not every business is bleeding — you just have to be smart about how you approach a corporate compliance program. You can put years of work and hundreds of thousands of dollars into your compliance plan and one single oversight or misstep can cancel it all out.
Here are five things you can get started on today to ensure you don’t end up on the wrong side of a data breach:
1. I can’t stress enough the importance of getting the right people on board. You can’t manage compliance by yourself, and neither can any other individual in IT, security, internal auditing or management. All the right people need to aim for the right target at the same time, because every key player adds his or her own unique value to a corporate compliance program.
2. Understand what’s really at risk. Documentation isn’t enough, and neither is an IT controls audit. Many businesses haven’t even performed a basic security assessment. You have to dig in and see what can truly be exploited from the perspectives of a malicious insider and an external attacker.
3. Be careful how you approach management and “sell” corporate compliance. It’s not all about IT: It’s about the business and how you can best meet management’s needs, along with the needs of the regulators. Wherever possible, use technology to help continually keep all of the right people in the corporate compliance loop.
4. Have a plan. Imagine pilots and surgeons not having a Plan B when potential problems arise. Determine what “data breach” means to your business and then develop a basic incident response plan. You won’t regret having a contingency plan in place when data breaches occur.
5. Finally, remember that information security and risk management is not only about compliance and protecting personally identifiable information. This may be true for your specific job function, but not necessarily for the business as a whole. Most likely, there’s intellectual property that must be protected as well.
You’ve no doubt come across this advice before, but don’t dismiss it. It really works as long as you’re willing to put forth the effort. By focusing on what matters and being careful to avoid overlooking data protection in areas vital to your organization, you have the keys to a successful corporate compliance program.
As you probably know by now, Wal-Mart is embroiled in a scandal involving tens of millions of dollars in bribes paid to Mexican officials for zoning and building permits to perpetuate the company’s white-hot expansion throughout our neighbor to the south. Today, one in five Wal-Mart stores is in Mexico, according to the New York Times.
The as-yet-unnamed GCO will no doubt begin his or her tenure trying to explain to federal investigators how it is that Wal-Mart’s Mexican subsidiary knew of the bribes since 2004, but worked to cover them up until the activity was uncovered by the Times. By some accounts, the company has spent more than $24 million to grease the palms of local solons, which would be a gross violation of the U.S. Foreign Corrupt Practices Act (FCPA).
“Wal-Mart’s latest move — appointing a global compliance officer — is all well and good, but is like shutting the barn door after the horse ran out,” said Anthony Michael Sabino, a professor at St. John’s University’s Peter J. Tobin College of Business. “Notwithstanding how well behaved Wal-Mart may be going forward, they must still explain the alleged violations of the FCPA that have already occurred.
“This will be an interesting application of a four decades old law that prohibits American corporations from engaging in the bribery of foreign persons,” said Sabino. “To be sure, paying a ‘gratuity’ may be customary in some parts of the world, but the U.S. has outlawed such practices since the Watergate era. And since that time, U.S. businesses have been hard pressed to obey American law yet get business done in places where a little ‘grease’ is absolutely necessary and expected as a routine cost of doing business.”
According to the Associated Press, Wal-Mart’s new GCO will oversee compliance directors in five other markets. The world’s largest retailer has also established a new, dedicated FCPA compliance director in Mexico who will report to the new GCO.
“Walmart has been working diligently on FCPA compliance and has a rigorous process in place to quickly and aggressively manage issues like this when they arise,” said Wal-Mart spokesman David Tovar in a statement. “In the last year, we have taken a number of specific, concrete actions to investigate this matter and strengthen our global FCPA compliance processes and procedures around the world.
“We will not tolerate noncompliance with FCPA anywhere or at any level of the company,” Tovar said. “We are confident we are conducting a comprehensive investigation and if violations of our policies occurred, we will take appropriate action.”
All that said, I know our job here at SearchCompliance.com is to focus on the technologies that foster and enable good governance, risk management and compliance efforts in the enterprise, but this case is so egregious it bears mentioning on its face. And I honestly can’t think of a technology angle here. What GRC platform could have possibly rooted out the bad actors in Wal-Mart de Mexico over the last seven years? With the obfuscation documented by the Times happening at many levels in the company, I’m not sure the best armed CCO with the latest governance and compliance tools could have ever rooted it out…even if they wanted to.
Perhaps a Clippy-like office assistant? “You appear to be about to bribe a foreign planning board member. Would you like help with that?”
Got a better answer as to how enterprises can use technology to steer clear of FCPA violations in their global dealings? Let me know at firstname.lastname@example.org
The House Financial Services Committee yesterday advanced legislation that reduces $35 billion from the deficit, while also cutting key portions of Dodd-Frank regulations. The Committee voted to eliminate the “Orderly Liquidation Authority” created under Dodd-Frank, and pointed to Congressional Budget Office reports stating its elimination creates $22 billion in savings over the next 10 years. The authority is designed to allow regulators to take control of large, failing organizations and wind them down in such a way that it does not create havoc on the economy.
Republicans argued this puts taxpayers at risk.
“Dodd-Frank, signed into law in July 2010, permanently established a bailout regime in which the federal government will expend considerable sums upfront to bailout creditors of failed firms,” according to a Financial Services Committee release.
The committee also approved an amendment that repeals the Office of Financial Research (OFR), created under Dodd-Frank to gather information on the financial system. Detractors were critical of the OFR’s ability to collect non-public information, and added that it “lacks accountability and transparency.”
Prior to the Financial Services Committee vote, Treasury Secretary Timothy Geithner warned lawmakers that reducing Dodd-Frank regulations under the committee’s proposals would “would critically undermine the government’s ability to limit the damage to the economy in the event of future financial crises.”
Geithner was also critical of the “number of proposals” pending before the House of Representatives that would amend portions of Dodd-Frank regulations that reform the derivatives market.
“If enacted, the proposed legislative changes would undermine the integrity of the rulemaking process, further complicate the work of the regulators, and increase uncertainty for firms,” Geithner wrote in the April 18 letter to House Financial Services Committee Chairman Spencer Bachus and Ranking Member Barney Frank.
The measure now goes to the full House, where it will no doubt continue to be argued along party lines. But the question is, with the economy finally showing signs of recovery (albeit slowly), is rolling back SOX and Dodd-Frank compliance regulations sending the right message? These regulations were put in place to prevent another economic crisis, and now we want to cut them back before we are even fully out of the woods?
The current crisis began only a few years ago — it’s hard to believe the fraud and lack of oversight is already forgotten. Legislators need to be careful about rolling back compliance, before they are left wondering why we are in another crisis due to unsavory practices created by a lack of rules.
So now that President Obama has signed the JOBS Act into law, will deregulating the emerging businesses increase jobs and jumpstart the economy as intended? Or will the financial deregulation simply increase the likelihood for fraud that caused the current economic malaise in the first place?
It depends on who you ask.
For example, you could read a recent opinion article on CNN.com by Amy M. Wilkinson, a senior fellow at the Harvard Kennedy School of Government and a public policy scholar at the Woodrow Wilson International Center for Scholars. Wilkinson praises the JOBS Act’s passage, noting that it will promote entrepreneurship and job creation.
“Sarbanes-Oxley compliance is much more onerous for smaller companies than it is for larger entities such as General Electric, Johnson & Johnson or IBM,” Wilkinson writes. “The JOBS Act helps smaller companies conserve resources.”
On the other side of the coin, you could read Matt Taibbi’s Rolling Stone blog post with the not-too-subtle headline “Why Obama’s JOBS Act Couldn’t Suck Worse.” And Taibbi’s criticism does get worse from there.
“In fact, one could say this law is not just a sweeping piece of deregulation that will have an increase in securities fraud as an accidental, ancillary consequence,” Taibbi writes. “No, this law actually appears to have been specifically written to encourage fraud in the stock markets.”
These are just two examples of the wide range of opinions on the matter. You also have the Washington Post’s article titled “JOBS Act could give some banks a boost.” The Post article points out that small banks will be allowed to raise additional capital without having to register with the SEC, a requirement that can cost “tens of thousands of dollars a year in compliance costs” each year. Then there are opinions like that of former New York Governor Eliot Spitzer, who suggested renaming the JOBS Act the “Return Fraud to Wall Street in One Easy Step Act.”
So what do you think of the JOBS Act passage? Is it a business boost that the United States has been clamoring for since the economic collapse? Or is it an invitation to create more fraud like the kind that got us in this mess in the first place? Or is it somewhere in between? Let SearchCompliance.com know in our comments section below, or hit us up on Twitter @ITCompliance to provide your opinion. We’d love to hear our readers’ thoughts on such a divisive issue.
Until recently, you may have not heard of Atlanta-based credit card payment processing server Global Payments Inc. On the other hand, it’s likely that you’re very familiar with two of the company’s main clients: Visa and MasterCard. But Global Payments was made instantly more recognizable when it announced last week that up to 1.5 million of its Visa and MasterCard accounts were potentially breached.
The data breach was confined to North America, according to a Global Payments statement. Track 2 card data may have been stolen, but cardholder names, addresses and Social Security numbers were not obtained during the breach, the statement said.
MasterCard and Visa made it very clear that their own systems were not compromised. This information, however, did not stop Visa from making a somewhat symbolic move surrounding its PCI compliance requirements for processors: After the breach, Visa announced it had removed Global Payments from a list of “compliant service providers.”
Global Payments has promised to recommit to PCI and other compliance standards in light of the breach. It is also working with “multiple information security firms and forensics firms to investigate and address” the issue.
But did Global Payments — or any other credit card payment processors — ever really commit to PCI compliance requirements in the first place?
In an interesting report following the Global Payments incident, a New York Times article stated that while financial service companies such as Visa and MasterCard have increased security in recent years, their payment processors have become more vulnerable. These payment processers are not held to the same compliance and security standards as the banks and retailers they serve … and hackers are starting notice.
Up until this week’s news of the Global Payments breach, perhaps processors thought they could slide under the radar. But now that Visa and MasterCard customers — as well as anyone else who reads the news — know exactly who they are, will they be held accountable for PCI and other compliance mandates? We’ll find out in the coming months if other payment processors are hacked. If it becomes a trend, these processors will likely be on notice to improve security and compliance processes before they’re in the news again.
It’s been an interesting week in the world of regulatory compliance: Within the span of a few days, the FTC released a report recommending online privacy rules and the House approved the JOBS Act, which reduces regulatory compliance obligations for small and emerging businesses.
The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these issues take into account the burden of small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Don’t these small and emerging companies have potential infractions? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps catering regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.
In recent months, both the European Union and the United States have made strides to protect online data privacy: In January, the EU adopted legislative proposals to reform its online data protection rules. A month later, President Obama released a “Consumer Privacy Bill of Rights” proposal.
The two countries believe there’s strength in numbers when it comes to online data privacy: In a joint statement delivered Monday at a conference on online data privacy and protection, the European Union and the United States committed to work together to maintain it.
Doing so will enhance consumer trust and promote continued growth of the global Internet economy, they say. This last part is important — anytime there’s the potential for new regulations to comply with, be it privacy or otherwise, at least some companies cry foul about how it will ultimately affect the bottom line.
“Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders,” according to a joint statement released by European Commission vice president Viviane Reding and U.S. Secretary of Commerce John Bryson.
And the two countries don’t want to stop there: They pledged to engage with other international partners to increase interoperability in privacy laws and regulations, as well as cooperate on enforcement. By creating “mutual recognition” privacy frameworks, the U.S. and EU hope they are just the beginning in steps toward privacy rules on a more global scale.
The two promised to build on the U.S.-EU Safe Harbor Framework, and the statement pointed out that since its inception in 2000, over 3,000 companies have self-certified to it. This demonstrates these companies’ “commitment to privacy protection and to facilitate transatlantic trade,” according to the joint statement.
The statement again mentioned the commitment to fostering business as well as privacy maintenance, and promised to use the Safe Harbor Network as a tool to promote economic growth.
As I stated before in this space, this buy-in and commitment to business is key to any privacy initiatives’ success. This is especially true if these online data privacy push continues to lack hard and fast privacy rules — and hefty fines for noncompliance. Until then, protecting consumer data privacy will largely be left up to the businesses themselves.
But judging by the U.S. and EU’s joint statement, universal online data privacy compliance may be on the horizon.
Electronic health record systems are often touted as a way to reduce medical costs, make personal health information easily accessible for patients and increase quality of care.
Not so fast, according to recent reports.
The push for electronic health record adoption has increased the number of health care data breaches and the costs to clean up after them, according to a report released by the American National Standards Institute. The report notes that even if an organization has effective policies in place to meet electronic health records system compliance, a lack of both resources and leadership support is a barrier to security.
Complicating the problem is that it’s no longer just traditional health care providers and billing organizations handling the data. More entities outside of hospitals and doctor offices (such as urgent care facilities, retail store clinicians and telemedicine offices) are using patients’ personal health information, increasing the likelihood for a breach.
The impact of a data breach can include monetary damage not only to the individual patient but also to the facility where the breach occurred, if the victim seeks reimbursement or sues for damages. The health care facility can also be subject to huge fines for violating compliance regulations.
Another recently published study, this one from HealthAffairs, is also related to the unexpected costs surrounding electronic health records systems, but of a different sort. The study examined the assumption that electronic access to patient test results and medical records saves money by reducing diagnostic testing.
HealthAffairs researchers analyzed the records of 28,741 patient visits to a sample of 1,187 physicians. They found physicians’ access to computerized imaging results was associated with a 40% to 70% greater likelihood of ordering (often expensive) tests. HealthAffairs researchers said the findings raise the possibility that electronic access does not decrease test ordering and may even increase it — as well as costs — possibly because of system features that serve as enticements to ordering.
So which is it? Are electronic health records system mandates a way to decrease health care costs, or are they actually making health care more expensive and personal information more vulnerable? The answer is somewhere in between, but providers need to be more vigilant about making their systems more secure and compliant with regulations. If not, the push to digitize personal health records will continue to cost patients and providers privacy, a lot of money and, ultimately, their reputation.