IT Compliance Advisor


April 11, 2012  7:39 PM

Is the JOBS Act’s deregulation good or bad? Depends on whom you ask

Ben Cole

So now that President Obama has signed the JOBS Act into law, will deregulating emerging businesses increase jobs and jumpstart the economy as intended? Or will the financial deregulation simply increase the likelihood of the kind of fraud that caused the current economic malaise in the first place?

It depends on whom you ask.

For example, you could read a recent opinion article on CNN.com by Amy M. Wilkinson, a senior fellow at the Harvard Kennedy School of Government and a public policy scholar at the Woodrow Wilson International Center for Scholars. Wilkinson praises the JOBS Act’s passage, noting that it will promote entrepreneurship and job creation.

“Sarbanes-Oxley compliance is much more onerous for smaller companies than it is for larger entities such as General Electric, Johnson & Johnson or IBM,” Wilkinson writes. “The JOBS Act helps smaller companies conserve resources.”

On the other side of the coin, you could read Matt Taibbi’s Rolling Stone blog post with the not-too-subtle headline “Why Obama’s JOBS Act Couldn’t Suck Worse.” And Taibbi’s criticism does get worse from there.

“In fact, one could say this law is not just a sweeping piece of deregulation that will have an increase in securities fraud as an accidental, ancillary consequence,” Taibbi writes. “No, this law actually appears to have been specifically written to encourage fraud in the stock markets.”

These are just two examples of the wide range of opinions on the matter. You also have the Washington Post’s article titled “JOBS Act could give some banks a boost.” The Post article points out that small banks will be allowed to raise additional capital without having to register with the SEC, a requirement that can cost “tens of thousands of dollars a year in compliance costs.” Then there are opinions like that of former New York Governor Eliot Spitzer, who suggested renaming the JOBS Act the “Return Fraud to Wall Street in One Easy Step Act.”

So what do you think of the JOBS Act passage? Is it a business boost that the United States has been clamoring for since the economic collapse? Or is it an invitation to create more fraud like the kind that got us in this mess in the first place? Or is it somewhere in between? Let SearchCompliance.com know in our comments section below, or hit us up on Twitter @ITCompliance to provide your opinion. We’d love to hear our readers’ thoughts on such a divisive issue.

April 4, 2012  9:16 PM

Breach brings payment processing servers’ PCI compliance into question

Ben Cole

Until recently, you may not have heard of Atlanta-based credit card payment processor Global Payments Inc. On the other hand, it’s likely that you’re very familiar with two of the company’s main clients: Visa and MasterCard. But Global Payments became instantly more recognizable when it announced last week that up to 1.5 million of the Visa and MasterCard accounts it processes were potentially breached.

The data breach was confined to North America, according to a Global Payments statement. Track 2 card data (the magnetic-stripe contents, which carry the card number and expiration date, enough to produce counterfeit cards) may have been stolen, but cardholder names, addresses and Social Security numbers were not obtained during the breach, the statement said.

MasterCard and Visa made it very clear that their own systems were not compromised. This information, however, did not stop Visa from making a somewhat symbolic move surrounding its PCI compliance requirements for processors: After the breach, Visa announced it had removed Global Payments from a list of “compliant service providers.”

Global Payments has promised to recommit to PCI and other compliance standards in light of the breach. It is also working with “multiple information security firms and forensics firms to investigate and address” the issue.

But did Global Payments — or any other credit card payment processors — ever really commit to PCI compliance requirements in the first place?

In an interesting report following the Global Payments incident, a New York Times article stated that while financial service companies such as Visa and MasterCard have increased security in recent years, their payment processors have become more vulnerable. These payment processors are not held to the same compliance and security standards as the banks and retailers they serve … and hackers are starting to notice.

Up until this week’s news of the Global Payments breach, perhaps processors thought they could slide under the radar. But now that Visa and MasterCard customers — as well as anyone else who reads the news — know exactly who they are, will they be held accountable for PCI and other compliance mandates? We’ll find out in the coming months if other payment processors are hacked. If it becomes a trend, these processors will likely be on notice to improve security and compliance processes before they’re in the news again.


March 28, 2012  7:32 PM

As FTC pushes online privacy rules, JOBS Act lessens SMB regulation

Ben Cole

It’s been an interesting week in the world of regulatory compliance: Within the span of a few days, the FTC released a report recommending online privacy rules and the House approved the JOBS Act, which reduces regulatory compliance obligations for small and emerging businesses.

The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.

In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging growth companies — defined as those with less than $1 billion a year in revenue — would be exempt for up to five years from the external auditor attestation of internal controls required under Section 404(b) of Sarbanes-Oxley. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.

An interesting aspect is that both of these measures take into account the burden on small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s final report concludes that the framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.

It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But a few questions remain: Aren’t small and emerging companies just as capable of violating these rules as large ones? And if they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t that same lack of resources make them, and the consumer data they hold, even more vulnerable? Instead of excluding smaller and emerging businesses from the rules altogether, perhaps tailoring the regulations to their circumstances is a better answer. If not, we could be back in the same boat in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.


March 20, 2012  5:04 PM

European Union, U.S. promise continued online data privacy dialogue

Ben Cole

In recent months, both the European Union and the United States have made strides to protect online data privacy: In January, the EU adopted legislative proposals to reform its online data protection rules. A month later, President Obama released a “Consumer Privacy Bill of Rights” proposal.

Both sides believe there’s strength in numbers when it comes to online data privacy: In a joint statement delivered Monday at a conference on online data privacy and protection, the European Union and the United States committed to work together to maintain it.

Doing so will enhance consumer trust and promote continued growth of the global Internet economy, they say. This last part is important — anytime there’s the potential for new regulations to comply with, be it privacy or otherwise, at least some companies cry foul about how it will ultimately affect the bottom line.

“Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders,” according to a joint statement released by European Commission vice president Viviane Reding and U.S. Secretary of Commerce John Bryson.

And the two parties don’t want to stop there: They pledged to engage with other international partners to increase interoperability in privacy laws and regulations, as well as to cooperate on enforcement. By creating “mutual recognition” privacy frameworks, the U.S. and EU hope to take the first steps toward privacy rules on a more global scale.

The two promised to build on the U.S.-EU Safe Harbor Framework, and the statement pointed out that since its inception in 2000, over 3,000 companies have self-certified to it. This demonstrates these companies’ “commitment to privacy protection and to facilitate transatlantic trade,” according to the joint statement.

The statement again mentioned the commitment to fostering business as well as maintaining privacy, and promised to use the Safe Harbor Framework as a tool to promote economic growth.

As I stated before in this space, this buy-in and commitment from business is key to any privacy initiative’s success. This is especially true as long as the online data privacy push continues to lack hard and fast privacy rules — and hefty fines for noncompliance. Until then, protecting consumer data privacy will largely be left up to the businesses themselves.

But judging by the U.S. and EU’s joint statement, universal online data privacy compliance may be on the horizon.


March 6, 2012  9:19 PM

Reports show fragile state of electronic health record systems

Ben Cole

Electronic health record systems are often touted as a way to reduce medical costs, make personal health information easily accessible for patients and increase quality of care.

Not so fast, according to recent reports.

The push for electronic health record adoption has increased the number of health care data breaches and the costs of cleaning up after them, according to a report released by the American National Standards Institute. The report notes that even if an organization has effective policies in place to meet electronic health record system compliance requirements, a lack of both resources and leadership support is a barrier to security.

Complicating the problem is that it’s no longer just traditional health care providers and billing organizations handling the data. More entities outside of hospitals and doctor offices (such as urgent care facilities, retail store clinicians and telemedicine offices) are using patients’ personal health information, increasing the likelihood for a breach.

The impact of a data breach can include monetary damage not only to the individual patient but also to the facility where the breach occurred, if the victim seeks reimbursement or sues for damages. The health care facility can also be subject to huge fines for violating compliance regulations.

Another recently published study, this one from the journal Health Affairs, also concerns unexpected costs surrounding electronic health record systems, but of a different sort. The study examined the assumption that electronic access to patient test results and medical records saves money by reducing diagnostic testing.

The Health Affairs researchers analyzed the records of 28,741 patient visits to a sample of 1,187 physicians. They found that physicians’ access to computerized imaging results was associated with a 40% to 70% greater likelihood of ordering (often expensive) tests. The researchers said the findings raise the possibility that electronic access does not decrease test ordering and may even increase it — along with costs — possibly because of system features that serve as enticements to ordering.

So which is it? Are electronic health records system mandates a way to decrease health care costs, or are they actually making health care more expensive and personal information more vulnerable? The answer is somewhere in between, but providers need to be more vigilant about making their systems more secure and compliant with regulations. If not, the push to digitize personal health records will continue to cost patients and providers privacy, a lot of money and, ultimately, their reputation.


February 27, 2012  9:58 PM

Buy-in needed for Consumer Privacy Bill of Rights to have any teeth

Ben Cole

On the heels of proposed data protection reforms in Europe and the recently unveiled Cybersecurity Act of 2012, President Obama hopped on the bandwagon and last week proposed a Consumer Privacy Bill of Rights to protect personal information online.

Previous online consumer privacy legislation (and many other Internet-related laws, for that matter) has faced much the same criticism: It either does not do enough to protect online privacy, or when it does, it comes at the expense of businesses that will spend too much time, money and resources trying to comply with the new rules. The White House promises that its proposal takes into account both sides of the equation by protecting online consumer privacy and economic growth.

The White House’s bill of rights pushes for consumer control over what personal data organizations collect and how they use it; transparency surrounding privacy and security practices; and “reasonable limits” on the personal data that companies collect and retain. In addition, a White House statement accompanying the Consumer Privacy Bill of Rights announcement noted that companies representing the delivery of nearly 90% of online behavioral advertisements — including Google, Yahoo, Microsoft and AOL — have agreed to honor “Do Not Track” technology.

Buy-in from big names such as these will be essential to any online consumer privacy effort. The New York Times has already reported that a mandatory “Do Not Track” mechanism may not stop as much online tracking as some may think. Until hard and fast rules with legal ramifications are implemented surrounding online consumer privacy, it will largely be left up to online businesses to decide how much their customers’ privacy means to them. If consumer privacy concerns are outweighed by the effects on the bottom line, one can only guess which side of the debate they would land on.

One other big question surrounding the White House’s Consumer Privacy Bill of Rights proposal is that, well, it’s just a proposal. Congress would have to pass legislation to implement the rules as law, and this would require time-consuming back and forth to debate the issue. It will be interesting to see what happens if large Internet-based companies decide business will be negatively affected by the new rules and use their lobbying influence to fight them. If they do, it’s an easy bet that any new online consumer privacy rules would end up watered down and leave room for still more targeted rules to be proposed in the future.


February 15, 2012  9:18 PM

Cybersecurity Act of 2012 forges new path but faces old criticism

Ben Cole

After three years of hearings and negotiations, a group of Senate Committee leaders unveiled the Cybersecurity Act of 2012.

Under the new Cybersecurity Act, the Department of Homeland Security would assess the cyber-related risks and vulnerabilities of “critical infrastructure systems” to determine which should be required to meet a set of risk-based security standards. This would include those systems that, should they be disrupted, would cause mass death, evacuation or major damage to the economy and national security.

The Cybersecurity Act outlines several characteristics that stress it’s a public/private partnership, including:

  • DHS would work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements.
  • The owners of a covered system would themselves determine how best to meet the performance requirements and then verify that they were compliant.
  • The private sector and the federal government would actively share information surrounding threats, incidents, best practices and fixes, “while maintaining civil liberties and privacy.”

The senators were definitely not working in a vacuum — they made a conscious effort to curb the criticism that plagued previous online security measures. The senators stressed that the Cybersecurity Act of 2012 “in no way” resembles the Stop Online Piracy Act (SOPA) or the PROTECT IP Act (PIPA), and instead focuses on the “essential services that keep our nation running.” The senators also omitted emergency authorities for the president, likely because of the backlash around the Internet “kill switch” proposed in an earlier version of the Cybersecurity Act.

But despite efforts to distance it from previous online security legislation, the new Cybersecurity Act is already facing criticism — some of it very familiar.

Opponents — including the Financial Services Roundtable and the U.S. Chamber of Commerce — have decried the act’s provisions and say it would create yet another burdensome, costly regulatory compliance mandate. Others are still concerned about the potential privacy implications the Cybersecurity Act could create — likely a hangover from the lengthy debate surrounding SOPA and PIPA from earlier this year.

So will the Cybersecurity Act of 2012 strike the right balance between protecting critical systems and not hurting the companies it’s designed to help? The debate will begin in earnest tomorrow, when the Homeland Security & Governmental Affairs Committee holds its first hearing on the Cybersecurity Act. The hearing is likely to address these questions and more, as it begins the latest chapter in the ongoing cybersecurity debate.


February 13, 2012  7:13 PM

EPIC pushes for more investigation surrounding Google privacy policy

Ben Cole

Since January, the Electronic Privacy Information Center (EPIC) has pushed for further Federal Trade Commission (FTC) investigation into Google’s online consumer privacy practices. The sometimes testy back and forth got testier last week, when EPIC sued the FTC in an unusual effort to prevent implementation of a new Google privacy policy.

EPIC requested a federal judge issue a temporary restraining order and injunction requiring the FTC to enforce a consent order that Google agreed to last year. The issue has a sense of urgency, considering the new Google privacy policy (which EPIC says violates the consent order) is scheduled to go into effect March 1.

To speed the process, a federal district court judge has ordered an accelerated briefing schedule in response to EPIC’s complaint. The court gave the FTC until Friday to respond to EPIC’s complaints, and EPIC is required to respond to that by Feb. 21.

But Google has already started defending its compliance with the FTC’s original consent order: In a lengthy January self-assessment submitted to the FTC, Google’s legal counsel reported the company “is acting in a manner consistent with its public representations regarding the privacy and confidentiality of its covered information.”

So the question remains: Are the efforts surrounding the new Google privacy policy on the up-and-up, or a case of bait and switch?

Google insists the new privacy policy increases transparency and user control surrounding information tracking. EPIC and other critics, however, contend the privacy policy changes will end up helping Google’s bottom line: They say the new policy allows Google to comb user data without consent, and will unethically assist Google’s advertising by violating online consumer privacy.

What do you think? Is the new Google privacy policy more of the same, making user information available to outside parties without proper user consent? Or is Google taking the necessary steps to comply with FTC mandates to protect online consumer privacy? Or is it somewhere in between, with Google taking steps in the right direction on its privacy policy, but steps that are not nearly big enough?

Until these questions are answered, the doubts surrounding Google’s online privacy practices will remain.


February 6, 2012  9:42 PM

Like SOPA, Anti-Counterfeiting Trade Agreement draws ire

Ben Cole

After shooting down the Stop Online Piracy Act (SOPA), protesters opposing broad online antipiracy legislation have a new target: the Anti-Counterfeiting Trade Agreement. And this time, the protests are on a global scale.

The Anti-Counterfeiting Trade Agreement is designed to establish international standards for intellectual property rights enforcement. It establishes legal frameworks for targeting counterfeit goods, generic medicines and Internet copyright infringement. The agreement was signed by Australia, Canada, Japan, Morocco, New Zealand, Singapore, South Korea and the United States in late 2011. Last month, the European Union and 22 of its member states joined them.

But protesters — perhaps bolstered by the shelving of SOPA and PROTECT IP — are not allowing the Anti-Counterfeiting Trade Agreement to go through without a fight. The international citizens group Avaaz is seeking 2 million signatures for a petition to drop the agreement (it already has 1.75 million). Last weekend, thousands of people marched in the Slovenian capital of Ljubljana to protest it. The worldwide protests have led some countries, including Poland, to delay the agreement’s ratification process.

Supporters of the Anti-Counterfeiting Trade Agreement say it would decrease pirating of copyrighted works. Intellectual property-based organizations such as the Motion Picture Association of America helped with its development. Protesters, however, say it is an assault on freedom of expression and that opinions from all sides were not considered in the negotiation process.

Do these traits sound familiar?

Protesters showed what can be done after legislators backed off of SOPA and PROTECT IP following public outcry. Now, with the whole world watching, they’re trying to get their voices heard again.


January 30, 2012  6:36 PM

Online privacy policies take over antipiracy as top Internet headline

Ben Cole

After weeks of nonstop talk (including a lot of criticism) of SOPA and other antipiracy legislation, protecting online privacy is back in the news. The switch in focus came as the European Union announced sweeping changes to its data protection rules and Google released details of its new privacy policy, which goes into effect March 1.

Both the EU and Google insist that they are making the changes to streamline online privacy policies. The European Commission said its 27 member states have implemented its data protection rules differently, “resulting in divergences in enforcement.” The EU changes establish a single set of data protection rules valid across all member countries. The changes will reduce unnecessary administrative requirements, saving businesses around €2.3 billion a year, according to the EU.

When announcing its changes, Google said it was replacing 60 different privacy policies with “one that’s a lot shorter and easier to read.” Under the new policy, for the first time Google Account users could have their information cross-referenced among several of Google’s sites. By treating users as a single entity across Google products, Google said it can provide better search results, ads and other content.

Of course, like everything else surrounding big online security and privacy changes, these two announcements were not without controversy. Critics of the EU’s new data protection rules say complying would hinder Internet innovation and create expensive, unnecessary new regulations for companies. (These criticisms were similar to those surrounding SOPA and antipiracy legislation, and we all know how well that turned out.)

Speaking of legislators, some were quick to point out drawbacks of Google’s new privacy rules. Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) have already sent a letter to the FTC saying Google’s new policy violates the agreement the company reached with the agency last year after privacy questions arose around Google Buzz.

So it sounds like these two big announcements are just the start of what will likely be a lengthy discussion of the best way to protect online privacy. In both the EU data protection revamp and Google’s new privacy policy, the two entities are trying to bolster business while at the same time protecting online privacy. It will be interesting to see if online privacy regulators and business can meet in the middle and best protect both commerce and the personal information of users. It definitely won’t be easy.

