Governance archives - IT Compliance Advisor


Mar 13 2009   8:54PM GMT

Coming: State privacy laws run amok



Posted by: Scot Petersen
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption

As business owners are preparing for the new Massachusetts data protection law, also known as 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.

Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”

Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.

These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.

Such tasks are formidable but not impossible. Multiply the Massachusetts law by 50, however, and it is easy to see how difficult it will become for some businesses to make sure they comply with every state’s privacy law.

Anker said he does not foresee new state laws, as they come on the books, being in direct conflict with one another. Rather, business entities will have to decide how to manage compliance with state privacy laws that impose differing degrees of requirements. Most likely, businesses with a widespread employee base will standardize on, and comply with, the state with the toughest privacy rules.

Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.

Mar 13 2009   6:03PM GMT

Risk-based approach to information governance at Compliance Decisions



Posted by: Alexander Howard
conference, compliance, governance, risk management, regulatory compliance, data protection, MA data protection law, encryption, Twitter, Virtualization, Capability Maturity Model Integration, Information security, Risk assessment

As I wrote yesterday, the Compliance Decisions Summit got off to a great start when Eric Holmquist and Richard Mackey considered the future of compliance in their talks before a crowded hall of auditors, compliance officers, CIOs and information security professionals.

The second half of the day featured Holmquist again, this time exploring a risk-based approach to information security governance, and Laurence Anker, speaking about managing the cost and complexity of compliance through governance.

We posted the following updates to Twitter from our ITCompliance account over the course of the afternoon. The #CSD09 you see below is a hashtag we chose to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s digest of compliance headlines from Twitter.

All four seminars from Compliance Decisions will be available soon from SearchSecurity.com and SearchCompliance.com, along with an exclusive interview with Mackey exploring the ramifications of virtualization to compliance management.

A Risk-Based Approach to Information Security Governance

Lunch over, video recorded w/Mackey on #virtualization & #compliance. Next: Holmquist on a risk-based approach to infosec governance. #CSD09

“Information security must be approached as a business issue, not an IT issue. Then we can consider risk mgmt practices.” -Holmquist | #CSD09

“You can’t buy your way out of a data breach.” -Holmquist | #CSD09 | #riskmanagement

RT @scotpe Adding: “chief security officer does not belong in IT.” Where does s/he belong? [ <-- Good question. Any answers? ]

Holmquist recommends forming a #security council. Give it authority, include senior execs, make cross-disciplinary, safe & visible. #CSD09

Key insight for creating a culture of cooperation vs. risk: “Make it safe to fail” -Holmquist | Don’t underestimate “gut feelings” #CSD09

Back to #compliance basics: “Everything starts with a risk assessment, not controls. Manage to assessed risk, not perceived risk.” | #CSD09

“Insiders are exponentially more of a threat than outsiders. The ability to respond quickly & effectively is critical” -Holmquist | #CSD09

“You can approach assessing risk in 4 ways: IT systems, electronic data, physical files & third parties. Focus on accountability.” #CSD09

“Risk is quantified in 4 broad categories: What’s at risk? What would be the impact? What could be the source? What can we mitigate?” #CSD09

RT @scotpe Scare the CEO: Statistically speaking, “someone is planning to steal your data right now, thinking about it or doing it” #CSD09

Paused for another message from another sponsor of #CSD09 & a networking break. Door prize drawing up next for a Flip, iPod & a GPS unit.

Managing the Cost and Complexity of Compliance through Governance

Now up at #CSD09: Anker on managing the cost & complexity of #compliance through #governance. Session info: http://bit.ly/J9OP

Anker began his seminar at #CSD09 talking about the importance of IT governance. @rlebeaux just reported on that: | #TTGT

@rlebeaux that reported on aligning IT governance & corporate governance in an economic #recession -> http://bit.ly/PDfkk

Insurance for IT risk? Anker notes standard policies may not address IT exposures like a data breach or reputational damage. #CSD09

“An organization’s info & other intangible assets account for 80%+ of its market value.” -IT Governance Institute (ITGI) | #CSD09

In discussing key requirements of the new MA data protection law, Anker notes WISP: written information security policy | #CSD09 | #acronym

Great Q&A on provisions of the MA data protection law w/Anker to end. @rwestervelt reported on its extension: http://bit.ly/yMBgP #CSD09

Conclusions from Compliance Decisions

You’ll be reading, hearing more and seeing more of Holmquist, Anker and Mackey on SearchCompliance.com. All three men will be contributing experts in upcoming articles, podcasts or video.

Writers from both SearchSecurity.com and SearchCompliance.com will continue reporting on the Massachusetts data protection law and its ramifications for IT professionals and businesses nationwide. Clearly, many questions remain about the regulatory impact of the law on IT operations.

As Robert Westervelt reported, the deadline for the Massachusetts data protection and encryption law was extended to Jan. 1.

“We understand the impact of the current business environment and feel this is an appropriate time frame for companies to implement the necessary protections,” Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

Westervelt noted a key change in the updated version of the regulation: “The extension includes a revision to the rules relaxing a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.”

As noted to the audience during the question-and-answer session with Anker, SearchCompliance.com recorded a podcast last month with Gerry Young and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation. The CIO and general counsel, respectively, discuss the details of the new data protection rules:

Massachusetts data protection law mandates IT compliance

The provision for proving third-party compliance through a “WISP” came up during the course of the interview, if not under that name. Regardless of the documentation requirements, small businesses and enterprises alike that are considering outsourcing data protection and encryption compliance will need to make sure that service providers, VARs and consultants certify, and appropriately explain, where and how their work brings an organization into compliance with the Massachusetts statute.

On a final note, we picked up dozens of followers on Twitter yesterday and earned two kind endorsements of our coverage from PrivacyProf and DanPhilpott. Thank you, Dan and Rebecca!


Feb 3 2009   3:12PM GMT

Corporate reporting: The next information governance frontier?



Posted by: Alexander Howard
corporate reporting, SEC, transparency, governance, SOX, e-discovery

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“[S]unlight remains the best disinfectant for problems in our capital markets.”

- Christopher Cox, former chairman of the Securities and Exchange Commission (SEC), June 2008

Back before the failure of Lehman Brothers, the ouster of John Thain from a combined Bank of America/Merrill Lynch, and before a new president said we were “facing the greatest economic challenge of our lifetime,” the SEC began working on an initiative to improve public company “transparency by making disclosure information more accessible and easier to use.”

This 21st Century Disclosure Initiative published a report in January that proposes, among other things, requiring “tagging” of financial information so it is more interactive and useful, and moving away from a document-centric paradigm. The intent is to modernize the way that investors receive information about the companies in which they invest.

This initiative, which may or may not have legs under a new SEC commissioner, raises some interesting issues for information management and corporate governance.

It will be difficult for the SEC — or anyone else — to “shine some sunlight” onto the financial and governance practices of corporations until the corporations themselves take control of their information.

Most organizations today struggle to understand where all their information resides, what it is, how to get to it, or how long to keep it. Witness the astounding numbers and ugly battles (like the e-discovery dispute centered on the SEC’s delivery of 1.7 million documents) that routinely arise when organizations are asked to dig up digital information — especially email and office documents — in the context of electronic discovery.

The reality for most institutions is that the most valuable information resides in the least managed locations. How many companies still rely largely on spreadsheets and email to comply with the Sarbanes-Oxley Act?

If my practice is any gauge, most of them.

Regardless of what happens with the SEC’s initiative, most politicos seem to agree that we are heading into an era of increased regulation under the Obama administration. I would recommend that organizations try to get ahead of what’s coming by looking at their current information governance practices with an eye to improving internal transparency — before someone steps in to make them do it.

To this end, perhaps it is time to revisit document retention and management practices. Here are some questions to think about:

  • Are your valuable financial records being maintained in appropriate systems, or are there unmanaged copies in poorly controlled network drives and “drop boxes”?
  • What do your email practices look like? Is email retention controlled? Do your employees export email out of the email system into unmanaged locations?
  • How much important financial information (including the records that underpin financial information) resides in unmanaged, unsecured locations?
  • Are you using your backup tapes for archiving purposes? If so, do you understand the potential cost and risk should those tapes need to be searched for SEC investigations or litigation?

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at bblair@fcsig.com or (403) 638-9302.


Feb 2 2009   4:20PM GMT

Blogroll: IT Governance, Risk, and Compliance



Posted by: Alexander Howard
Blogroll, governance, risk

Earlier today, we added Charles Denyer’s Regulatory Compliance, Governance and Security to the blogroll.

Next up: Robert E. Davis, at IT Governance, Risk, and Compliance.

As a CISA, Davis has provided data security consulting and information systems auditing services to the Securities and Exchange Commission, the United States Enrichment Corporation, Raytheon Co., the Interstate Commerce Commission, Dow Jones & Co. and Fidelity/First Fidelity (Wachovia) corporations.

Davis joined ITKE recently and has focused initially on a series of blog posts that offer guidance on protecting critical data, noting how an information security governance framework can provide “essential information asset coverage.”

You can subscribe to IT Governance, Risk and Compliance here.


Feb 2 2009   4:18PM GMT

Blogroll: Regulatory Compliance, Governance and Security



Posted by: Alexander Howard
compliance, regulatory compliance, governance, Security, PCI DSS

Just as the IT Compliance Advisor will introduce more bloggers as the weeks pass, we’ll also add more relevant blogs to our blogroll.

Today, we’ve added Regulatory Compliance, Governance and Security, an ITKE blog maintained by Charles Denyer.

Denyer is an Atlanta-based IT director. As his biography notes, he possesses “a keen understanding and sound interpretation of compliance regulations and associated standards or frameworks.”

You’ll find Denyer has posted many times on IT compliance-related topics, focusing in particular on SAS 70 audits and PCI DSS. Recent posts include:

You can subscribe to Regulatory Compliance, Governance, and Security here.