IT Compliance Advisor

December 14, 2012  5:10 PM

Facebook privacy policy receives a major overhaul

Ben Cole

Facebook rolled out a completely revamped privacy policy this week that promises users simplified tools to protect their personal information.  In a Dec. 12 blog post announcing the changes, Facebook’s director of product management Samuel W. Lessin said the updates are designed to help users control what they share on the site and provide tools to help them act on content they don’t want shared.

Some of the changes include:

Privacy shortcuts and apps permissions. Under the Facebook privacy policy revamp, key settings such as privacy and timeline controls are available on the site’s main toolbar, rather than forcing users to navigate separate pages. The changes also alter application permission settings, providing users more control over what they share on their Facebook page.

Updated user education and activity logs. Under the new privacy policy, Facebook will provide in-context notices to users throughout the site. “We’ve created a series of messages to help you understand, in context, that the content you hide from your timeline may still appear in news feed, search and other places,” Lessin wrote. Facebook’s “activity log” will feature new navigation interfaces as well, designed to ease users’ ability to review their Facebook activity and to help them decide what they want made public on the site.

New tools to manage content. In Facebook’s updated activity log, there will be a new “request and removal tool” that allows users to take action on photos they are tagged in. “If you spot things you don’t want on Facebook, now it’s even easier to ask the people who posted them to remove them,” Lessin wrote.

The Facebook policy updates are scheduled to roll out before the end of the year, and come as online privacy remains a hot topic in the IT world. Earlier this month, Delta Air Lines Inc. became the first organization to be sued for potential violations of California’s Internet privacy law. The suit claims the mobile phone application “Fly Delta” violates the law because it does not adequately disclose what personal information is being collected from users and how that information will be distributed.

The U.S. government is paying attention to online and mobile privacy as well: This week, the Senate Judiciary Committee voted in favor of the Location Privacy Protection Act, which would require companies to get customers’ consent before collecting or sharing mobile location data. The move came just weeks after the same committee approved a bill to update privacy safeguards for email and other electronic communications.

As the quest for consumer privacy online continues, the federal government will likely keep seeking regulatory requirements to protect personal information. Facebook has been criticized for its privacy rules in the past; perhaps the new privacy policy is a sign that the company is trying to take the initiative and revamp its consumer protection policies before regulatory compliance rules become the norm.

November 15, 2012  5:11 PM

Will 2012 election results help push Dodd-Frank regulations forward?

Ben Cole

The Internet — and Wall Street — was abuzz this past week after the reelection of President Barack Obama and the election of newcomer Elizabeth Warren as a U.S. senator from Massachusetts. Wall Street, in all likelihood, was hoping that Mitt Romney would unseat Obama, dismantle the Dodd-Frank Act regulations and cut back financial reform. Warren has also been outspoken in her disdain for Wall Street’s treatment of consumers, and can now cast financial regulation votes from her Senate seat.

Several bloggers and major newspapers speculated that Obama would target financial reform in his second term. The Washington Post stated that with the election behind him, Obama no longer needs to cater to special interests and can be more tenacious in attacking changes in the financial system. Bloomberg Businessweek reported that Warren’s Senate seat gives her “powerful tools” in the debate over whether and how to regulate the finance industry.

Some, however, remain skeptical that the new regime will have much of an influence on financial reform, especially when it comes to Dodd-Frank regulations. After all, the U.S. is still way behind in implementing most parts of the law. Only a third of the rules have been finalized, noted ProPublica reporter Jesse Eisinger in an article published in the New York Times online, and Eisinger is not sure Obama’s reelection will speed the process.

“The core problems with the financial system and its regulators are deeper than personnel and sadly impervious to which party occupies the White House,” Eisinger wrote. “They are bipartisan and structural.”

The question is: How much of the anti-Wall Street campaign talk was just that — campaign talk? After spouting “sticking up for the little guy” rhetoric on the campaign trails, both Warren and Obama may scale back to more moderate viewpoints after the election. It’s also going to take more than two people to overhaul the financial system — it requires a sea change in the political stance toward Wall Street, and the attitudes of Wall Streeters themselves.

What do you think? Will the 2012 election, particularly the victories by Obama and Warren, have an impact on Dodd-Frank regulations and financial reform? Or will it be business as usual on Wall Street?

October 5, 2012  5:01 PM

As user numbers increase, cloud security issues at the forefront

Ben Cole

Many companies are now seeing the benefits of cloud computing: cost savings, increased network accessibility and improved scalability, to name just a few. But cloud security issues, compliance and privacy are increasing concerns.

The Cloud Market Maturity study, a joint survey released by the Cloud Security Alliance and ISACA last month, revealed that government regulations, legal issues and international data privacy are among the top 10 areas ranked by respondents as “low confidence” when it comes to the cloud.

These concerns were echoed during the recent “Cloud 2.0” panel discussion held in Waltham, Mass., last week. Among the panelists was Judy Klickstein, CIO at Cambridge Health Alliance, who said that, ideally, the cloud provides the means to offer services to her company’s users in a very cost-competitive, secure environment. It’s that “secure environment” part that creates concern for organizations currently moving to the cloud — especially those in the health care field, Klickstein said.

“We have an obligation, and a duty, a judiciary responsibility at our organization to make sure that somebody’s personal information does not get hacked, stolen, shared or sent to the wrong place,” Klickstein said. “As part of that, there’s an enormous array of federal and state regulations guiding everything about what happens to you if you really screw it up.”

When these regulations are violated, it triggers a loss of patient trust, as well as severe financial penalties, Klickstein said. As a result, Cambridge Health Alliance is very conscious of these cloud security issues when working with providers, and looks closely to see how reliable and secure the platform is.

And, of course, alleviating these data security, privacy and compliance concerns more than likely will not come cheap. Even with the numerous benefits of the cloud, choosing which platform is best is still, ultimately, a business decision — and is treated as such.

“If the cloud was providing me with all the things that I feel we have to have for controlling my data center and my environment and they can do it more cheaply, that would be a terrific thing,” Klickstein said. “If there is a risk of doing that and it’s going to cost me three times as much, then do the math.”

Speaking of cloud-related business, a recent blog post examined investment possibilities in the cloud. While the bloggers state that there are many investment opportunities, there are still many open questions around cloud security issues. Successful investing in cloud computing will require a thorough understanding of the technology and of any regulatory issues that may surface, they added.

The phrase “potential regulatory issues” is interesting. One has to wonder, with increased cloud use, if we’re one major cloud security breach away from government-induced, cloud-specific regulations. After all, these regulations are usually not on the horizon until something goes wrong. It’s good that at least some companies are paying attention, and being proactive about the potential cloud security issues before they arise.

August 30, 2012  5:00 PM

White House releases directives for Obama record management initiative

Ben Cole

We’ve been talking a lot about records management here this summer; perhaps President Barack Obama is a fan? Probably not, but last week the White House announced key dates and directives regarding his “Presidential Memorandum — Managing Government Records,” first unveiled in December 2011.

The directives were released in an Aug. 24 memo from Jeffrey D. Zients, acting director of the Office of Management and Budget, and David S. Ferriero, archivist at the United States National Archives and Records Administration.

“This Directive requires that to the fullest extent possible, agencies eliminate paper and use electronic recordkeeping,” Ferriero and Zients wrote in the memo. “It is applicable to all executive agencies and to all records, without regard to security classification or any other restriction.”

The goal of President Obama’s record management initiative is to “develop a 21st-century framework for the management of Government records.” Under the initiative, by the end of 2019, all federal agencies’ permanent records will be managed electronically to the “fullest extent possible.” The president has said the framework will ultimately reduce government costs and help agencies operate more efficiently, as well as improve federal transparency by better documenting actions and decisions.

Some other key dates that federal officials should mark on their calendars:

  • By Nov. 15 of this year, each agency should name the “senior agency official” who will oversee its records management program.
  • Although federal agencies have until 2019 to move records to an electronic format, they must have plans for how they will do so completed by Dec. 31, 2013.
  • Agencies must have records management training in place for appropriate staff by Dec. 31, 2014.

In a blog post following the memo’s release, Ferriero called President Obama’s record management strategy a “historic moment” that will “allow current and future generations to hold their government accountable and to learn from the past.”

Ferriero is correct — President Obama’s records management initiative is a step in the right direction for modernizing the federal government’s data management processes (although one does wonder why it took this long). As we have explored here recently, sound records management can have many positive implications for entities: When done correctly, it can help boost the bottom line and aid adherence to compliance standards.

There no doubt will be, however, many data governance challenges to overcome as the initiative moves forward. The sheer complexity of federal records, coupled with a sensitive nature that necessitates proper security protocols, will cause hiccups for at least some agencies along the way. While 2019 sounds far off, it’s probably a good thing the federal government has until the end of the decade to complete this initiative.

August 10, 2012  6:36 PM

As IT reliance expands, data management and security lapses loom

Ben Cole

Data management and security could create huge problems in our increasingly connected world, as two recent events have made evident: Earlier this month, a Knight Capital computer program unleashed a series of erroneous stock orders that resulted in a $440 million loss for the trading firm. Last week, journalist Mat Honan described at length how hackers, taking advantage of security flaws at Apple, Amazon and Gmail, completely wiped several of his Apple devices and commandeered two of his Twitter accounts.

The two events show that data management and security are taking a backseat as businesses and consumers strive to stay connected. The New York Times reported that Knight Capital rushed to develop the faulty software to take advantage of computer-driven markets and failed to work out problems with the system. In his frank, detailed description of the events that led to his “epic hacking,” Honan admits he is very much to blame for his inattention to security. But he also notes the IT security disconnect that people — and corporations — often forget when technology is used across developers and platforms: each company treats a piece of data as harmless in isolation, while another relies on that same piece of data to authenticate a user.

“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information,” Honan wrote. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”

At least some are paying attention to the potential risks: Apple announced it had stopped allowing over-the-phone password resets, and Amazon announced fixes to its security policies after Honan’s hacking went public. In response to the Knight Capital debacle, SEC officials are pushing for new regulations around trading technology.

But more consumers and businesses need to realize these data management and security concerns are not going anywhere — and will likely get worse unless they take the necessary steps to protect themselves. In the struggle to stay ahead of the next guy when it comes to the latest IT gadgets and tools, security should stay a primary concern or, as Honan and Knight Capital can attest, more will suffer the personal and financial consequences.

June 22, 2012  4:24 PM

Prepare for the inevitable: Developing a data breach response plan

Kevin Beaver

Are you prepared for the inevitable? Odds are it’s merely a matter of time before your business experiences a computer security-related breach and you need a solid data breach response plan. How are you going to handle the situation? Especially if you’re a smaller business, your IT resources probably are minimal. But even your outside resources might not have the expertise to help when you’re in a data security bind. In today’s connected world, there’s a lot that can go wrong when it comes to technology.

Before the bits hit the fan, you need to understand what a breach really means to your business. What it means depends on the industry you’re in and the contracts and compliance regulations you’re held accountable for. Regardless of the type of sensitive information that’s exposed (credit cards, Social Security numbers or intellectual property, for example), you need to define what a “breach” means for your company so you’ll know when to enact your incident response plan. It might be a malware infection, a defaced website or a lost laptop. You also need to remain aware: Data breach statistics show that someone else probably will notify you before you even know about the breach.

Once you do discover a breach, your data breach response plan should allow you to respond quickly and wisely. You can’t just restore a system from backup, or sweep a loss or theft under the rug. You’re going to have to dig in deeper to see what actually happened (by hiring a forensics expert, for example, or calling law enforcement or hiring a technical resource to help), and determine any additional steps you might need to take. These include the way you will pursue the culprit and notify the affected parties based on what the data breach notification laws require.

Going forward, be smart about how you address the breach. That’s what regulators, business partners and customers (and their lawyers) are going to be looking at. Don’t expect perfection — but you do need to keep good notes on what has been done already, what you plan to do to remediate the problem and how you’ll prevent it from reoccurring.

Perhaps most importantly, get your lawyer involved. Even if he’s not tech-savvy, he needs to know about the data breach laws, the compliance regulations you face and how the breach affects your existing contracts.

In other words, don’t just react — respond. Being prepared is the best way to not drop the ball on incident response. When it comes to computers, business applications and sensitive information, something is bound to happen — eventually. This is true regardless of the size of your business. Even if you think you’re not a target or at risk, you are.

An employee is going to lose an unsecured smartphone — even though policy mandates that all smartphones are to be password-protected and that no business information should be stored on them. A contractor is going to lose an unencrypted backup tape — even though your contract says that all media shall be encrypted and transported securely via a third-party service. A cloud provider is going to overlook a SQL injection hole in their system — even though they passed their SAS 70 or SSAE 16 audit with flying colors.

When you prepare for the inevitable with a data breach response plan, you can respond to these problems and more in a professional way, and minimize the impact on your information systems. This should be your ultimate goal.

May 29, 2012  3:47 PM

Planning, foresight needed to address long-term compliance strategy

Kevin Beaver

Remember the law of inertia from physics class? It says that a body at rest tends to remain at rest unless acted upon by an outside force. Well, compliance is usually that outside force when it comes to information security strategy. Over the past decade, I’ve seen many businesses remain complacent when it comes to information security until they’re forced to pay more attention in the name of compliance. They end up spending a few months documenting policies, tightening passwords, creating antivirus processes and, voila, the business is compliant. And secure, right? Well, not really.

A question in the recent Ponemon Institute State of Global IT Security survey asked nearly 1,900 participants in 12 countries, “Are you taking appropriate steps to improve your organization’s information security posture … If no, why?” The No. 1 answer was “insufficient resources” (39%), followed by “not a priority issue” and “lack of clear leadership.” This raises the question: If information security strategy is being undervalued and overlooked, then how can these businesses possibly be compliant? There’s hardly any business I’ve seen that’s not required to comply with an information security-related regulation, either directly or indirectly. I’m confident you could ask most executives how their IT governance program is working and they’ll proudly say “we’re compliant.” But compliant with what?

To me, there’s the good, the bad and the ugly side of compliance strategy:

  • The good: Solid control, visibility and automation are present. These traits facilitate not only compliance but also help manage information risk.
  • The bad: Duplicated technical controls, multiple sets of policies/procedures and overlapping security evaluations that only make it appear that work is getting done.
  • The ugly: When management and other key players assume that compliance strategy has created a strong, impenetrable infrastructure.

With compliance, you don’t need to spend a ton of money completely revamping the way you do business, but you do need to be mindful of what’s at stake so you don’t end up at the back of the herd. Speaking of which, there’s the spirit of the law and the letter of the law, and savvy executives and their legal counsel will likely focus on the former. Odds are the businesses that strive for perfection will end up wasting time, money and resources on compliance strategy. Still, there are many businesses in operation today that have yet to even acknowledge they have a problem, much less have developed a plan for how they’re going to move towards any semblance of reasonable IT governance.

Most importantly, make sure you’re addressing compliance for the long-term benefit of the business rather than to simply complete a one-time checkbox and move on. Sadly, too many people are doing the latter, and the long-term consequences will eventually be evident. Don’t fall into this trap.

May 8, 2012  6:37 PM

Five corporate compliance program traits you need to prevent breaches

Kevin Beaver

If you look at news headlines, you’d think the sky were falling with all of the hack attacks and subsequent data breaches taking place. Just glancing at the Chronology of Data Breaches says it all. Every business is, arguably, a target, with both known and unknown vulnerabilities waiting to be exploited. But not every business is bleeding — you just have to be smart about how you approach a corporate compliance program. You can put years of work and hundreds of thousands of dollars into your compliance plan and one single oversight or misstep can cancel it all out.

Here are five things you can get started on today to ensure you don’t end up on the wrong side of a data breach:

1. I can’t stress enough the importance of getting the right people on board. You can’t manage compliance by yourself, and neither can any other individual in IT, security, internal auditing or management. All the right people need to aim for the right target at the same time, because every key player adds his or her own unique value to a corporate compliance program.

2. Understand what’s really at risk. Documentation isn’t enough, and neither is an IT controls audit. Many businesses haven’t even performed a basic security assessment. You have to dig in and see what can truly be exploited from the perspectives of a malicious insider and an external attacker.

3. Be careful how you approach management and “sell” corporate compliance. It’s not all about IT: It’s about the business and how you can best meet management’s needs, along with the needs of the regulators. Wherever possible, use technology to help continually keep all of the right people in the corporate compliance loop.

4. Have a plan. Imagine pilots and surgeons not having a Plan B when potential problems arise. Determine what “data breach” means to your business and then develop a basic incident response plan. You won’t regret having a contingency plan in place when data breaches occur.

5. Finally, remember that information security and risk management is not only about compliance and protecting personally identifiable information. This may be true for your specific job function, but not necessarily for the business as a whole. Most likely, there’s intellectual property that must be protected as well.

You’ve no doubt come across this advice before, but don’t dismiss it. It really works as long as you’re willing to put forth the effort. By focusing on what matters and being careful to avoid overlooking data protection in areas vital to your organization, you have the keys to a successful corporate compliance program.

April 24, 2012  7:01 PM

A bit late: Wal-Mart to name new global compliance officer

Chris Gonsalves

Officials at Wal-Mart Stores Inc. said Tuesday they will appoint the retail giant’s first-ever global compliance officer (GCO). Right on time, guys.

As you probably know by now, Wal-Mart is embroiled in a scandal involving tens of millions of dollars in bribes paid to Mexican officials for zoning and building permits to perpetuate the company’s white-hot expansion throughout our neighbor to the south. Today, one in five Wal-Mart stores is in Mexico, according to the New York Times.

The as-yet-unnamed GCO will no doubt begin his or her tenure trying to explain to federal investigators how it is that Wal-Mart’s Mexican subsidiary knew of the bribes since 2004, but worked to cover them up until the activity was uncovered by the Times. By some accounts, the company has spent more than $24 million to grease the palms of local solons, which would be a gross violation of the U.S. Foreign Corrupt Practices Act (FCPA).

“Wal-Mart’s latest move — appointing a global compliance officer — is all well and good, but is like shutting the barn door after the horse ran out,” said Anthony Michael Sabino, a professor at St. John’s University’s Peter J. Tobin College of Business. “Notwithstanding how well behaved Wal-Mart may be going forward, they must still explain the alleged violations of the FCPA that have already occurred.

“This will be an interesting application of a four decades old law that prohibits American corporations from engaging in the bribery of foreign persons,” said Sabino. “To be sure, paying a ‘gratuity’ may be customary in some parts of the world, but the U.S. has outlawed such practices since the Watergate era. And since that time, U.S. businesses have been hard pressed to obey American law yet get business done in places where a little ‘grease’ is absolutely necessary and expected as a routine cost of doing business.”

According to the Associated Press, Wal-Mart’s new GCO will oversee compliance directors in five other markets. The world’s largest retailer has also established a new, dedicated FCPA compliance director in Mexico who will report to the new GCO.

“Walmart has been working diligently on FCPA compliance and has a rigorous process in place to quickly and aggressively manage issues like this when they arise,” said Wal-Mart spokesman David Tovar in a statement. “In the last year, we have taken a number of specific, concrete actions to investigate this matter and strengthen our global FCPA compliance processes and procedures around the world.

“We will not tolerate noncompliance with FCPA anywhere or at any level of the company,” Tovar said. “We are confident we are conducting a comprehensive investigation and if violations of our policies occurred, we will take appropriate action.”

All that said, I know our job here is to focus on the technologies that foster and enable good governance, risk management and compliance efforts in the enterprise, but this case is so egregious it bears mentioning on its face. And I honestly can’t think of a technology angle here. What GRC platform could have possibly rooted out the bad actors in Wal-Mart de Mexico over the last seven years? With the obfuscation documented by the Times happening at many levels in the company, I’m not sure the best-armed CCO with the latest governance and compliance tools could have ever rooted it out … even if they wanted to.

Perhaps a Clippy-like office assistant? “You appear to be about to bribe a foreign planning board member. Would you like help with that?”

Got a better answer as to how enterprises can use technology to steer clear of FCPA violations in their global dealings? Let me know at

April 19, 2012  5:43 PM

First SOX, now a rollback of Dodd-Frank compliance regulations?

Ben Cole

President Barack Obama recently signed the JOBS Act into law, cutting back Sarbanes-Oxley requirements for emerging companies. Next up? Dodd-Frank compliance regulations.

The House Financial Services Committee yesterday advanced legislation that cuts $35 billion from the deficit, in part by eliminating key portions of Dodd-Frank regulations. The Committee voted to eliminate the “Orderly Liquidation Authority” created under Dodd-Frank, and pointed to Congressional Budget Office reports stating its elimination creates $22 billion in savings over the next 10 years. The authority is designed to allow regulators to take control of large, failing organizations and wind them down in such a way that the process does not create havoc in the economy.

Republicans argued the authority puts taxpayers at risk.

“Dodd-Frank, signed into law in July 2010, permanently established a bailout regime in which the federal government will expend considerable sums upfront to bailout creditors of failed firms,” according to a Financial Services Committee release.

The committee also approved an amendment that repeals the Office of Financial Research (OFR), created under Dodd-Frank to gather information on the financial system. Detractors were critical of the OFR’s ability to collect non-public information, and added that it “lacks accountability and transparency.”

Prior to the Financial Services Committee vote, Treasury Secretary Timothy Geithner warned lawmakers that reducing Dodd-Frank regulations under the committee’s proposals “would critically undermine the government’s ability to limit the damage to the economy in the event of future financial crises.”

Geithner was also critical of the “number of proposals” pending before the House of Representatives that would amend portions of Dodd-Frank regulations that reform the derivatives market.

“If enacted, the proposed legislative changes would undermine the integrity of the rulemaking process, further complicate the work of the regulators, and increase uncertainty for firms,” Geithner wrote in the April 18 letter to House Financial Services Committee Chairman Spencer Bachus and Ranking Member Barney Frank.

The measure now goes to the full House, where it will no doubt continue to be argued along party lines. But the question is, with the economy finally showing signs of recovery (albeit slowly), is rolling back SOX and Dodd-Frank compliance regulations sending the right message? These regulations were put in place to prevent another economic crisis, and now we want to cut them back before we are even fully out of the woods?

The current crisis began only a few years ago — it’s hard to believe the fraud and lack of oversight is already forgotten. Legislators need to be careful about rolling back compliance, before they are left wondering why we are in another crisis due to unsavory practices created by a lack of rules.
