SOX archives - IT Compliance Advisor


Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?



Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology
[Image: The Lorenz machine was used to encrypt high-le... (via Wikipedia)]

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

  1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
  2. Should encryption be included at all in these laws?
  3. If so, what, exactly, should be specified?
  4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business interests and inadequately protective of consumers’ and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

  • “Encryption” as used in current laws is a vague term, and thus somewhat meaningless: it names a goal without saying what qualifies.
  • Specifying current encryption standards more concretely all but ensures the laws will become outdated as technology advances.
  • Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
  • Deviating so far from the legislation of other states and from federal approaches, in areas such as encryption and certification of third-party vendors, may lead those vendors to decide it is not worth implementing these capabilities just to do business in Massachusetts, leaving Massachusetts organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ data privacy law, currently appears to address encryption by defining the term:

“Encrypted,” the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not by itself set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued as 201 CMR 17.00, Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators went further and specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.
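The “vague term” objection above is easy to make concrete. The statutory definition counts bits in the “algorithmic process,” not bits of secret that an attacker has to guess. The following is an added example written for this page (not code from the original post, and not anything the statute or regulation prescribes): a 128-bit-key, authenticated stream cipher built only from the Python standard library (HMAC-SHA256 run in counter mode as the keystream, encrypt-then-MAC for the tag; a demonstration construction, not a production cipher). Two keys are used. Both are 128 bits long and both satisfy the wording of M.G.L. 93H; one is derived from a four-digit PIN, which the `brute_force_pin` function recovers in at most 10,000 tries using only the authentication tag as its oracle. The sample record and the PIN are constructed for the example.

```python
"""Why "128-bit or higher algorithmic process" says little about security:
the construction below meets that wording on paper (128-bit key, 256-bit
PRF, 128-bit tag), yet one of the two keys falls to a 10,000-guess search
because it was derived from a 4-digit PIN.

Standard library only. The stream cipher is a PRF-in-counter-mode
construction written for this demonstration, not a production cipher."""

import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 16   # 128-bit authentication tag
KEY_LEN = 16   # 128-bit key, as the statutory wording would count it


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter), concatenated: a PRF used in
    counter mode, i.e. a stream-cipher keystream of the requested length."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (tag truncated to 128 bits)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def key_from_pin(pin: str) -> bytes:
    """A '128-bit' key carrying only about 13 bits of entropy: one hash of a
    4-digit PIN. A reviewer who checks key length alone is satisfied."""
    return hashlib.sha256(pin.encode()).digest()[:KEY_LEN]


def random_key() -> bytes:
    """A 128-bit key with 128 bits of entropy."""
    return os.urandom(KEY_LEN)


def brute_force_pin(blob: bytes):
    """Recover the PIN and the record by trying every 4-digit PIN. The
    authentication tag tells the attacker which guess is right, so no
    knowledge of the plaintext is needed. Returns (None, None) on failure."""
    for i in range(10_000):
        pin = f"{i:04d}"
        pt = decrypt(key_from_pin(pin), blob)
        if pt is not None:
            return pin, pt
    return None, None


# Constructed sample record for the example; not real data.
RECORD = b"resident=Jane Q. Public;acct=0000-0000-0000;dob=1970-01-01"

if __name__ == "__main__":
    weak_blob = encrypt(key_from_pin("4821"), RECORD)   # PIN is an assumed value
    print("PIN-derived key, cracked PIN:", brute_force_pin(weak_blob)[0])
    strong_blob = encrypt(random_key(), RECORD)
    print("random key, PIN search result:", brute_force_pin(strong_blob)[0])
```

The point for a compliance reviewer is that both blobs are “encrypted” under the definition quoted above; only the second one actually protects the record. Whether a law should try to close that gap (by naming key-management or key-derivation requirements) or should stay technology-neutral, as SB 173 proposes, is exactly the question in dispute.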

What do you think? Should data security and privacy laws specify data encryption?


Jun 17 2009   7:16PM GMT

Don’t forget business model risk in your risk management strategy



Posted by: Scot Petersen
CIO, risk management, business model risk, MIT, podcast, SOX, business process automation, ERP, IT

The MIT Sloan CIO Symposium on May 20 in Cambridge, Mass., featured several panels on the top issues affecting CIOs. But the most interesting discussion of the day, for me at least, came after a panel on governance, risk and compliance, when I caught up with two Patni Americas Inc. directors, Amit Sen and John Vaughan, who were also in attendance.

The two management consultants are proponents of expanding the definition and practice of risk management to include business model risk, that is, risk introduced into your company by new or changed capital ventures or business processes. In their view, business process automation has run amok, leaving the business (as well as the IT organization) exposed to risks that it might not be aware of.

“What we need to understand is where we are introducing risks, and [to make sure] the risk is understood and planned and not a byproduct of a lack of knowledge or visibility into what actually goes on in the organization,” said Sen in the following podcast, recorded this week. In the podcast, Sen and Vaughan explain what business model risk is, how to measure and understand it, and how to make business model risk a key part of any risk management and IT governance strategy.

Podcast: Don’t forget business model risk in your risk management strategy [29:00]


Jun 10 2009   7:59PM GMT

Regulatory, Sarbanes-Oxley compliance reform is coming



Posted by: Scot Petersen
SOX, regulations, regulatory compliance, SEC

It seems that there is much discontent among our leaders in Washington over the state of regulatory compliance, in particular Sarbanes-Oxley compliance, and of risk management in general. SearchCompliance.com Associate Editor Alexander Howard spent a few days in Washington last week and heard from many of those leaders.

They included former SEC Chairman Harvey Pitt; FINRA president and CEO Richard Ketchum; current SEC Commissioner Luis A. Aguilar; Deputy Attorney General Dave Ogden, and former Deputy Attorney General Paul McNulty.

What they had to say was anything but upbeat. There was no backslapping or self-congratulation, such as one might expect of a gathering of lawmakers, regulators and auditors, and such as there was at the Compliance Week 2009 conference last week. Their message was simple: Regulatory and Sarbanes-Oxley (SOX) compliance is broken, and we need to fix it.

Pitt, the former SEC chairman who oversaw much of the implementation of SOX, said the bill was too reactionary and not well enough thought out. “SOX was hastily and badly drafted,” he said. “If SOX was really effective, would we have seen the subprime crisis in corporate America?”

Many companies embraced SOX not only as a means to compliance, but also to create efficiencies in reporting that could actually generate some return on investment. However, Pitt said, “I believe it’s generally ineffective. Lawyers and companies approach SOX with a ‘check the box’ mentality. Success requires that you get behind the requirements, understand why they’re there and implement the concept, not the literal words.”

FINRA’s Ketchum and the SEC’s Aguilar are both calling for regulatory reform, especially of financial services. “The real problem is that we didn’t have anyone willing to exercise existing authority to look deeply into questionable industry practices — and to just say no when needed,” Aguilar said. “Instead, we seemed to have had decision makers that weakened regulators and otherwise fostered ‘unregulated’ markets.”

Obviously this means that more regulations — and stricter regulations — are coming. Deputy Attorney General Ogden said that prosecuting financial crimes aggressively will receive “renewed emphasis in months ahead.”

Though it could be viewed as “too much” regulation, there is an opportunity to get it right this time, and craft regulations that are tough but fair, and that do not leave U.S. businesses spending all their time in compliance mode.

What would you do? Write me at spetersen at techtarget.com.


Feb 3 2009   3:12PM GMT

Corporate reporting: The next information governance frontier?



Posted by: Alexander Howard
corporate reporting, SEC, transparency, governance, SOX, e-discovery

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“[S]unlight remains the best disinfectant for problems in our capital markets.”

- Christopher Cox, former chairman of the Securities and Exchange Commission (SEC), June 2008

Back before the failure of Lehman Brothers, the ouster of John Thain from a combined Bank of America/Merrill Lynch, and before a new president said we were “facing the greatest economic challenge of our lifetime,” the SEC began working on an initiative to improve public company “transparency by making disclosure information more accessible and easier to use.”

This 21st Century Disclosure Initiative published a report in January that proposes, among other things, requiring “tagging” of financial information so it is more interactive and useful, and moving away from a document-centric paradigm. The intent is to modernize the way that investors receive information about the companies in which they invest.

This initiative, which may or may not have legs under a new SEC commissioner, raises some interesting issues for information management and corporate governance.

It will be difficult for the SEC — or anyone else — to “shine some sunlight” onto the financial and governance practices of corporations until the corporations themselves take control of their information.

Most organizations today struggle to understand where all their information resides, what it is, how to get to it, or how long to keep it. Witness the astounding numbers and ugly battles (like the e-discovery dispute over the SEC’s delivery of 1.7 million documents) that routinely arise when organizations are asked to dig up digital information, especially email and office documents, in the context of electronic discovery.

The reality for most institutions is that the most valuable information resides in the least managed locations. How many companies still rely largely on spreadsheets and email to comply with the Sarbanes-Oxley Act?

If my practice is any gauge, most of them.

Regardless of what happens with the SEC’s initiative, most politicos seem to agree that we are heading into an era of increased regulation under the Obama administration. I would recommend that organizations try to get ahead of what’s coming by looking at their current information governance practices with an eye to improving internal transparency — before someone steps in to make them do it.

To this end, perhaps it is time to revisit document retention and management practices. Here are some questions to think about:

  • Are your valuable financial records being maintained in appropriate systems, or are there unmanaged copies in poorly controlled network drives and “drop boxes”?
  • What do your email practices look like? Is email retention controlled? Do your employees export email out of the email system into unmanaged locations?
  • How much important financial information (including the records that underpin financial information) resides in unmanaged, unsecured locations?
  • Are you using your backup tapes for archiving purposes? If so, do you understand the potential cost and risk should those tapes need to be searched for SEC investigations or litigation?

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at bblair@fcsig.com or (403) 638-9302.