The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these issues take into account the burden of small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Don’t these small and emerging companies have potential infractions? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps catering regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.
Regulatory compliance was predicted to be the top business issue affecting enterprise information technology in the next 12 months, according to ISACA’s Top Business/Technology Issues Survey Results 2011 report.
“The increase in regulations, data breaches and new technologies such as cloud computing and the rise of personal technology in the workplace are accelerating complexity and risk,” according to an ISACA statement. The problem is exacerbated as enterprises try to manage growth while dealing with the growing number of compliance regulations and standards.
The key business issues affecting IT, according to the survey’s findings, are:
ISACA also noted that new or changed regulations expected to impact enterprise IT in the next 12 to 18 months include the Basel standard for internationally active banks; the Dodd-Frank Wall Street Reform and Consumer Protection Act; regulations related to personally identifiable information; Do Not Track mechanisms for consumers; Solvency II regulatory requirements for insurance firms; and meaningful use standards established by the Health Information Technology for Economic and Clinical Health Act. The report also pointed to “an overall tightening of tax and privacy regulations worldwide.”
The key technology areas that respondents felt would be most important to regulatory compliance include the implementation of technology to support segregation of duties, privileged access monitoring and management of the compliance process.
As enterprises face the need to comply with multiple regulations and standards, they implement automated solutions to track and report upon the varying compliance controls in an attempt to make the compliance process more efficient, according to ISACA. This can cause headaches: The costs associated with managing and implementing systems to protect companies from the loss of personally identifiable information were among the top concerns mentioned by survey respondents.
And the concerns don’t end there: Technology trends such as cloud computing, mobile devices and social media will also impact the issues discussed above. As ISACA noted, these technologies will increasingly become part of an enterprise’s architecture and surely impact areas such as business continuity, IT risk, regulatory compliance and information security.
The number of data breaches still in the news shows that, despite the increase in regulations, not enough is being done. The slew of new regulations is ultimately aimed at trying to help protect companies and their customers — and having a sound compliance management strategy in place would benefit both of these groups.
Trying to meet regulatory compliance requirements for many user organizations, at least from an IT governance point of view, is a complicated and costly process. Novell is looking to put some salve on those wounds with the next version of its Novell Access Governance Suite, a set of software products that simplify how customers govern users’ access to corporate resources and manage regulatory compliance.
Version 4.1 now includes Novell Access Request and Change Manager, a new solution intended to simplify granting user access to information, as well as closing the compliance gaps caused by multiple methods of requesting access.
Governance would appear to be Novell’s path back into the enterprise by managing the weakest part of the compliance chain: controlling user access to data. The concept is a relatively simple one: If you can control user access, then you can control the flow of data. However, in reality it is not that simple. Not only do you have to worry about user access, but you also need to worry about what users can potentially do with that access. Legitimate access can still lead to compliance violations, whether it is accidental or malicious.
Is governance the answer to that problem? Or does data leakage protection become the solution to that problem? At this stage, it’s hard to tell. Novell is seeking to cover all bases by injecting its technology into the flow and access of data.
This question begs a couple more: How are corporations dealing with data leakage issues today? Are current solutions delivering the protection needed, or is Novell really on to something here? I guess it’s going to take audits and e-discovery requests to truly find out how compliant a particular enterprise is. Until then, one may want to consider what Novell is proposing and see if an answer exists that can address thorny compliance issues.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.
In this podcast, SearchCompliance.com associate editor Alexander B. Howard interviews Christofer Hoff, director of cloud and virtualization solutions at Cisco Systems, and one of Cloud Audit’s organizers. Prior to his work at Cisco, he was Unisys Corp.’s systems and technology division’s chief security architect. Hoff continues to participate in the Cloud Security Alliance. You can find Hoff’s blog at Rationalsurvivability.com/blog and follow him on Twitter as @Beaker.
Hoff says that forming A6 came out of the need for enterprise security professionals to have better tools for confirming security and cloud computing compliance at providers of these services.
When you listen to this podcast, you’ll learn:
• What Cloud Audit is.
• What problems A6 could solve for CISOs and CIOs faced with ensuring cloud computing compliance challenges.
• How Cloud Audit would map to compliance, regulatory, service-level, configuration, security and assurance frameworks, or third-party trust brokers.
For more information, visit CloudAudit.org, the relevant Google Group or the Cloud Audit code base at Google Code. Hoff has also collected recent press coverage and other information about A6 at his blog.
As senior writer Linda Tucci recently reported, IT is increasingly turning to enterprise risk management as uncertainty in the macroeconomic climate continues. Even as some enterprises have held off on further investments in GRC software, she observed, “the more budgets tightened, the more imperative it became that both IT and the business target their biggest exposures and eliminate redundant controls and audits.” For instance, in some areas, like carbon compliance, specialized GRC software has the potential to help turn carbon footprint management into cost savings.
Given continued interest in the potential of GRC software, we published a new governance, risk and compliance FAQ yesterday. If you know of neutral, useful governance, risk and compliance resources online that should be added to the FAQ, please let us know in the comments or by sending an email to firstname.lastname@example.org. As we add more resources to SearchCompliance.com, you’ll be able to find them at our IT governance, risk and compliance topic page. Also, make sure to check in throughout the week here on the IT Knowledge Exchange, which features two GRC blogs: “Regulatory Compliance, Governance and Security,” by Charles Denyer, and “IT Governance, Risk, and Compliance,” by Robert E. Davis.
They included former SEC Chairman Harvey Pitt; FINRA president and CEO Richard Ketchum; current SEC Commissioner Luis A. Aguilar; Deputy Attorney General Dave Ogden; and former Deputy Attorney General Paul McNulty.
What they had to say was anything but upbeat. There was no backslapping or self-congratulation, as perhaps one would expect of a gathering of lawmakers, regulators and auditors, such as there was at the Compliance Week 2009 conference last week. What they had to say was simple: Regulatory and Sarbanes-Oxley (SOX) compliance is broken, and we need to fix it.
Pitt, the former SEC chairman who oversaw much of the implementation of SOX, said the bill was too reactionary and not well enough thought out. “SOX was hastily and badly drafted,” he said. “If SOX was really effective, would we have seen the subprime crisis in corporate America?”
Many companies embraced SOX not only as a means to compliance, but also to create efficiencies in reporting that could actually generate some return on investment. However, Pitt said, “I believe it’s generally ineffective. Lawyers and companies approach SOX with a ‘check the box’ mentality. Success requires that you get behind the requirements, understand why they’re there and implement the concept, not the literal words.”
FINRA’s Ketchum and the SEC’s Aguilar are both calling for regulatory reform, especially of financial services. “The real problem is that we didn’t have anyone willing to exercise existing authority to look deeply into questionable industry practices — and to just say no when needed,” Aguilar said. “Instead, we seemed to have had decision makers that weakened regulators and otherwise fostered ‘unregulated’ markets.”
Obviously this means that more regulations — and stricter regulations — are coming. Deputy Attorney General Ogden said that prosecuting financial crimes aggressively will receive “renewed emphasis in months ahead.”
Though it could be viewed as “too much” regulation, there is an opportunity to get it right this time, and craft regulations that are tough but fair, and that do not leave U.S. businesses spending all their time in compliance mode.
What would you do? Write me at email@example.com.
We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:
• Podcast: New Massachusetts data protection law mandates IT compliance
• Panels describe risks of noncompliance with Mass. data protection law
Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?”
Sarah Cortes reminded the readers of SearchCompliance.com last week of the risk of penalties for violating data privacy laws.
Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, has also weighed in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”
Our sister site, SearchSecurity.com, posted some additional advice: Encrypt now to meet new Mass. data protection law.
So with all that out there, here’s what I’m wondering:
What do you think of the law?
What are your thoughts on the proposed revisions?
How are you approaching compliance with the regulation?
Do you have clients or partners that you are advising on the topic? What do they think?
I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.
Please write to editor@SearchCompliance.com or directly to me at firstname.lastname@example.org.
As you know, you can also find us @ITCompliance on Twitter.
But not everyone is laughing. In April 2008, Andrea Smith, age 25, of Trumann, Ark., was convicted of privacy violations under HIPAA, as was Fernando Ferrer Jr., of Naples, Fla., in January 2007. As of today, a total of eight cases have resulted in criminal convictions with jail time for data privacy violations under HIPAA.
The U.S. Department of Health and Human Services (HHS) has served notice (as of Feb. 18) that organizations can also expect substantial fines like the one extracted from CVS. That $2.5 million fine, coupled with others won by OCR or the FTC against Providence Health & Services, demonstrate that the risk of penalties is significantly more realistic going forward.
The probability of criminal convictions and risk of substantial penalties doesn’t, however, correlate to the likelihood of other serious compliance issues. “Stricter internal controls mandated by Sarbanes-Oxley have made it more difficult for improper payments to be concealed,” notes CorpWatch.
Consider the case of Richard Scrushy, founder of HealthSouth. Although theoretically acquitted of Sarbanes-Oxley (SOX) charges, he nevertheless sits in a Birmingham, Ala., prison. Although Scrushy was technically jailed for probation violations related to a vacation on a Miami yacht when he was supposed to be under house arrest in Birmingham, SOX materially contributed to Scrushy’s imprisonment. Some commentators have pointed to the few convictions under SOX when dismissing likelihood of consequences. But, as anyone involved with the legal system can attest, likelihood of conviction and fines barely begin to measure likelihood of serious problems. Let’s look at some other data:
HIPAA Enforcement Results by Year
Source: U.S. Department of Health and Human Services
Simply receiving notice of an investigation requires firms and individuals to incur the costs of retaining counsel and allocating time, energy and resources to preparation. That’s a nerve-racking process with an unsure outcome. The investigation alone can be a big headache. And while only 10 cases have resulted in major fines or jail time, significantly more cases were prosecuted.
Preparing and presenting a criminal or civil defense in a legal case is, again, a costly undertaking with an unsure outcome, where even acquittal can leave an organization or an individual at a huge financial loss for attorney’s fees and energy, resources and the uncertainty that legal action causes.
How about nonconviction convictions? Plea deals can result in CWOF results, or Continued Without a Finding, and result in probation. Home-free, right? That’s what Richard Scrushy thought. The reality is that each step along the legal path increases the likelihood that subsequent or related, seemingly minor developments will result in jail time or fines. Organizations and individuals amass track records, which work against them over time.
SOX and HIPAA are only two of dozens of statutes under which privacy violations can be prosecuted. Try these for a few:
Health privacy laws
1974—The National Research Act
1996—Health Insurance Portability and Accountability Act (HIPAA)
Financial privacy laws
1970—Bank Secrecy Act
1998—Federal Trade Commission
1999—Gramm-Leach-Bliley Act (GLB)
2002—Sarbanes-Oxley Act (SOX)
2003—Fair and Accurate Credit Transactions Act
Online privacy laws
1986—Electronic Communications Privacy Act (ECPA), pen registers
1986—Stored Communications Act (SCA)
Communication privacy laws
1978—Foreign Intelligence Surveillance Act (FISA)
1984—Cable Communications Policy Act
1986—Electronic Communications Privacy Act (ECPA)
1994—Digital Telephony Act – Communications Assistance for Law Enforcement Act (CALEA), 18 USC 2510-2522
Education privacy laws
1974—Family Educational Rights and Privacy Act (FERPA)
Information privacy laws
2001—USA Patriot Act, expanded pen registers
2005—Privacy Act, sale of online PII data for marketing
Still skeptical? California alone has over 88 data privacy laws — and it actively investigates and prosecutes violations.
Twenty-three thousand HIPAA investigations over five years × 100 laws = over 2 million investigations. Your chances are looking worse and worse. And the cost of voluntary compliance is looking cheaper and cheaper by comparison.
c) “Best practices”
d) Secret things
e) How well they like you
f) None of the above
How did you do? The correct answer, as those of you who have the scars to prove it already know, is f, “none of the above.” That’s right, not even COBIT. And “F” is what you may be about to get until you know how compliance auditors operate.
They’re actually auditing you against your own company’s standards and policies. Yup, that’s it. No, they’re not auditing you “against” a COBIT checklist. They’re looking at your own policies and standards and comparing your actual operation to what is stated in those policies.
So, Step 1: Get hold of those policies and standards.
Step 2: Reality check. Do they represent TODAY’s state of your IT operation? Or are they aspirational? Do they say, for example, “Terminate access rights for all users within 24 hours of employment termination?” Is that really happening, 365 days a year? How about over weekends? Do your security staffers ever have delays getting lists of terminated employees from HR? Do they ever have a gap in coverage due to an unexpected absence? How often do you run a reconciliation report of terminated employees from the last 12 months vs. active usernames? Does HR have the ability to run regular reports of transferred employees, whose access needs to be handled as if they were terminated?
All operations, no matter how large or professional, can have gaps of greater than 24 hours between terminations and access cutoff. And if your operation is NOT among the largest, with a significant access control staff, chances are good you’ve got terminated employees with access going 48 hours to one week or longer before it’s taken care of. Here’s a secret: Everyone does. The auditors know it, if you don’t.
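The reconciliation report described in Step 2 is straightforward to script, and running it yourself is how you find the weekend gaps before the auditor does. The following is an added example, not code from the original post: it joins a constructed list of HR termination and transfer events (transfers are treated as terminations for access purposes, as the post suggests) against a constructed directory export, restricts the check to the trailing 12 months, and classifies each record against a 24-hour deprovisioning policy. Field names, the 24-hour threshold and all sample records are assumptions chosen for the illustration.

```python
"""Reconcile HR leaver/transfer events against directory account status.

Added example for the "Step 2: reality check" above; not part of the original
post. All names, timestamps and the 24-hour SLA are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DEPROVISION_SLA = timedelta(hours=24)   # policy: "terminate access within 24 hours"
LOOKBACK = timedelta(days=365)          # the post's "last 12 months" window


@dataclass(frozen=True)
class HrEvent:
    username: str
    event: str            # "terminated" or "transferred" (both require access removal)
    effective: datetime   # when HR says the event took effect


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    disabled_at: Optional[datetime]   # None when the account was never disabled


@dataclass(frozen=True)
class Finding:
    username: str
    event: str
    status: str                 # "ok", "late", "still_active", "no_matching_account"
    gap_hours: Optional[float]  # hours between HR effective time and access cutoff


def reconcile(events: List[HrEvent], accounts: List[Account], now: datetime) -> List[Finding]:
    """Compare each in-window HR event with the directory and classify the gap."""
    by_name = {a.username: a for a in accounts}
    findings: List[Finding] = []
    for ev in events:
        if ev.effective < now - LOOKBACK:
            continue  # outside the 12-month reconciliation window
        acct = by_name.get(ev.username)
        if acct is None:
            # No directory object under that name: could be a never-provisioned
            # user or a username mismatch between HR and IT; needs manual review.
            findings.append(Finding(ev.username, ev.event, "no_matching_account", None))
            continue
        if acct.enabled or acct.disabled_at is None:
            # Access never removed: the gap is still growing as of "now".
            gap = (now - ev.effective).total_seconds() / 3600
            findings.append(Finding(ev.username, ev.event, "still_active", gap))
            continue
        gap = (acct.disabled_at - ev.effective).total_seconds() / 3600
        # A negative gap means access was cut before the HR effective time, which is fine.
        status = "ok" if acct.disabled_at - ev.effective <= DEPROVISION_SLA else "late"
        findings.append(Finding(ev.username, ev.event, status, gap))
    return findings


def sample_findings() -> List[Finding]:
    """Run the reconciliation over constructed sample data."""
    now = datetime(2024, 3, 12, 9, 0)
    events = [
        HrEvent("alice", "terminated", datetime(2024, 3, 1, 9, 0)),    # same-day cutoff
        HrEvent("bob", "terminated", datetime(2024, 3, 1, 17, 0)),     # Friday leaver
        HrEvent("carol", "transferred", datetime(2024, 3, 5, 9, 0)),   # transfer, never handled
        HrEvent("dave", "terminated", datetime(2023, 1, 15, 9, 0)),    # older than 12 months
        HrEvent("erin", "terminated", datetime(2024, 3, 10, 9, 0)),    # no directory object
    ]
    accounts = [
        Account("alice", False, datetime(2024, 3, 1, 17, 0)),
        Account("bob", False, datetime(2024, 3, 4, 10, 0)),            # handled Monday morning
        Account("carol", True, None),
        Account("dave", False, datetime(2023, 1, 15, 12, 0)),
    ]
    return reconcile(events, accounts, now)


if __name__ == "__main__":
    for f in sample_findings():
        gap = "n/a" if f.gap_hours is None else f"{f.gap_hours:.1f}h"
        print(f"{f.username:6} {f.event:11} {f.status:20} gap={gap}")
```

Exceptions show up exactly where the post predicts: the Friday-evening leaver handled on Monday morning is 65 hours late, and the transfer that nobody treated as a leaver is still enabled a week on. Running this monthly, with the HR export as the authoritative side of the join, turns the aspirational 24-hour policy into measured evidence you can hand to the auditor.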
I’ll cover Step 3 in a future post. In the meantime, let me know in the comments if you have any questions so far.
Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”
Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.
These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.
Such tasks are formidable but not impossible; multiply the Massachusetts law by 50, though, and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.
Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.