Posted by: David Schneier
assessment, Audit, CISO, compliance, compliance officer, HIPAA, ISO, PII, regulatory, Regulatory Compliance
I recently decided to establish an automatic link between my personal checking account and a mutual fund account that was established for my son years ago when he was a baby. The account was originally funded with a gift from a family member and while it’s grown reasonably well percentage-wise, its overall numbers remain low because we’ve never added to it. So I thought now would be a good time to do something about it.
It’s a custodial account because of his age and my wife is designated as the custodian of record. As a result, I’m not supposed to be able to conduct any manner of business with the account because my name doesn’t appear anywhere. However, of the five phone calls I’ve needed to make to the fund company’s offices over the past few weeks, I’ve only been asked to have my wife authorize the conversation twice. That means that in 60% of my calls, I was able to present myself as someone with legitimate privileges to conduct business with the account and was successful. And while you can slice and dice the numbers and draw the conclusion that the fund company’s compliance efforts are partially effective, the truth is that they’re completely useless.
Being a little bit compliant is akin to being a little bit pregnant; you either are or you aren’t. There’s no gray area in between to take credit for.
Now take into account that I didn’t go looking for this; it just fell into my lap. I wasn’t researching anything, trying to test a theory or uncover a topic for a new blog post — I was just trying to conduct a simple transaction. And so my first thought upon reflection was that this was too easy. What if I was really trying to do something I wasn’t supposed to be doing? What if I’d found a neighbor’s statement in my mailbox and decided to try and access their account? What if I did some good old-fashioned dumpster diving around town and found a few discarded statements (trust me on this, that’s easier to do than you’d ever believe) and tried to get money out of someone’s account? Statistically you’d have to figure I could get pretty far without getting caught.
What I find truly amazing is that we’re in the age of compliance. I receive pamphlets and inserts in my mailings all the time from banks, credit card companies and anyone else I share PII with about how they have an obligation to protect my information. Every time you visit a doctor for the first time, half the paperwork is specific to HIPAA. And yet in the middle of this sandstorm of compliance activity, I was able to bypass the rules three times in five attempts and I wasn’t even trying to break any rule.
They say a chain is only as strong as its weakest link. The same is true of compliance; if it fails in any measurable way it fails — pure and simple. And if the compliance folks at these companies can’t keep up, how are they going to adjust as we keep moving more and more onto the lightning fast pathways of the Internet?