If you are a CIO, CTO or compliance officer tasked with evaluating a cloud vendor, give Linda Tucci’s excellent new SearchCIO.com article a read: “Addressing compliance requirements in cloud computing contracts.”
In the piece, Tucci reports on interviews with Debra Logan, an enterprise content management analyst at Stamford, Conn.-based Gartner Inc, and Tom McHale, vice president of product management for CA’s GRC Manager suite, to gain answers to the following questions:
- Who has access to sensitive data in the cloud?
- Data backup: How often, how long, how well?
- How will you manage e-discovery requests and satisfy different retention laws?
“Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company’s responsibility for the legal, regulatory and audit obligations attached to that information,” Tucci writes. “CIOs should be ready with a list of compliance questions for cloud vendors. But don’t expect their answers to suffice.”
Gartner recommends, in fact, getting a security assessment from a neutral third party before committing to a specific vendor of cloud computing, In a report released in June, entitled “Assessing the Security Risks of Cloud Computing,” Gartner analysts and write that cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.”
As noted in Tucci’s article, however, Logan is skeptical about adoption, especially for companies in heavily regulated industries. In Logan’s view, “If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast. Early adoption of cloud services will be significantly inhibited by cloud providers’ failure to adequately address security, privacy and risk concerns, especially among highly regulated industries.”
It seems that there is much discontent among our leaders in Washington over the state of regulatory compliance, in particular Sarbanes-Oxley compliance, and of risk management in general. SearchCompliance.com Associate Editor Alexander Howard spent a few days in Washington last week and heard from many of those leaders.
They included former SEC Chairman Harvey Pitt; FINRA president and CEO Richard Ketchum; current SEC Commissioner Luis A. Aguilar; Deputy Attorney General Dave Ogden, and former Deputy Attorney General Paul McNulty.
What they had to say was anything but upbeat. There was no backslapping or self-congratulation, as perhaps one would expect of a gathering of lawmakers, regulators and auditors, such as there was at the Compliance Week 2009 conference last week. What they had to say was simple: Regulatory and Sarbanes-Oxley (SOX) compliance is broken, and we need to fix it.
Pitt, the former SEC chairman who oversaw much of the implementation of SOX, said the bill was too reactionary and not well enough thought out. “SOX was hastily and badly drafted,” he said. “If SOX was really effective, would we have seen the subprime crisis in corporate America?”
Many companies embraced SOX not only as a means to compliance, but also to create efficiencies in reporting that could actually generate some return on investment. However, Pitt said, “I believe it’s generally ineffective. Lawyers and companies approach SOX with a ‘check the box’ mentality. Success requires that you get behind the requirements, understand why they’re there and implement the concept, not the literal words.”
FINRA’s Ketchum and the SEC’s Aguilar are both calling for regulatory reform, especially of financial services. “The real problem is that we didn’t have anyone willing to exercise existing authority to look deeply into questionable industry practices — and to just say no when needed,” Aguilar said. “Instead, we seemed to have had decision makers that weakened regulators and otherwise fostered ‘unregulated’ markets.”
Obviously this means that more regulations — and stricter regulations — are coming. Deputy Attorney General Ogden said that prosecuting financial crimes aggressively will receive “renewed emphasis in months ahead.”
Though it could be viewed as “too much” regulation, there is an opportunity to get it right this time, and craft regulations that are tough but fair, and that do not leave U.S. businesses spending all their time in compliance mode.
What would you do? Write me at email@example.com.
Earlier today, the White House released a long-awaited cybersecurity report, including a video (below) featuring commentary and perspective from officials and experts:
“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectively also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.
The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”
We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.
The recent dismissal of lawsuits against retailer Hannaford raises questions about what recourse consumers have if they are victims of a credit card data breach.
In this Compliance Advisor podcast, PCI expert and ecommerce writer Evan Schuman, of Storefrontbacktalk.com discusses the “zero-liability domino effect” that protects the retailers in the case of a data breach.
Meanwhile, Heartland Payment Systems is continuing to fight back against its data breach, and recently announced an aggressive transaction encryption plan, though it still may not prevent thefts of internal data.
Get used to it. Regardless of what you may think about Al Gore or climate change, if you are running a business you are going to have to start paying attention to your carbon footprint.
Governments and businesses around the world already think quite a bit about it. Tough, enforceable regulations are coming to govern greenhouse gas and carbon emissions, and there’s nothing you can do about it.
The challenge for IT is simple, yet daunting: Collect all relevant emissions data and report it to such entities as The Climate Registry. Given the amount of work to be done, John Niemoller, president and COO of Perillon, equates the data collection work to be done as “IT’s next Y2K event,” he said at this week’s MIT Sloan CIO Symposium.
And if you think it’s just governments that will be issuing all of the sustainable business mandates , think again. At the same “Green IT Matters: Green is In” panel, Kevin Coyne, president and CEO of e3 Solutions, relates a story from one of his customers, FedEx, which started monitoring its carbon footprint because its customers were demanding it. Likewise Wal-Mart.
When companies that large and powerful are behind the effort, being green means more than just good public relations: Compliance with greenhouse gas laws really becomes an issue of sustainability. And, as Gartner analyst John Van Decker put it at a recent Gartner conference, sustainability is going to become your “license to operate.”
Don’t get left behind. Watch for continuing coverage of sustainable business issues on SearchCompliance.com and on the IT Compliance Advisor blog. And tell me what you think at firstname.lastname@example.org.
A bill being discussed in the Massachusetts Senate proposes major changes to MA GL 93H, the Data Breach Notification Act. These changes could in turn result in revisions to 201 CMR 17.00, the data protection regulation promulgated by the Office of Consumer Affairs and Business Regulation (OCABR), including removal of specific encryption requirements and deference to federal statutes.
We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:
Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?“
Sarah Cortes reminded the readers of SearchCompliance.com last week of the risk of penalties for violating data privacy laws.
Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, also has rung in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”
Our sister site, SearchSecurity.com, posted some additional advice: Encrypt now to meet new Mass. data protection law.
So with all that out there, here’s what I’m wondering:
What do you think of the law?
What are your thoughts on the proposed revisions?
How are you approaching compliance with the regulation?
Do you have clients or partners that you are advising on the topic? What do they think?
I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.
As you know, you can also find us @ITCompliance on Twitter
Today’s episode features an interview with Georg Hess about Web application security and compliance in the cloud. Hess is the founder of application security provider Art of Defence and current German chapter head of the Open Web Application Security Project (OWASP).
The OWASP membership includes corporations, educational organizations and individuals from around the world. OWASP’s community works to create freely available articles, methodologies, documentation, tools and technologies.
When you listen to the podcast, recorded by associate editor Alexander B. Howard, you’ll learn the answers to the following questions:
- How are the security challenges that OWASP advises others on changing?
- OWASP recently published an Application Security Verification Standard. What does the standard mean?
- What does establishing such a standard mean for chief information security (CISO) and compliance officers who are considering cloud computing?
- What other security standards are being established for the cloud or need to be created?
- What compliance issues do companies face when implementing cloud computing?
- How can cloud providers offer secure cloud offerings?
- How can security and compliance officers confirm that they are doing so?
- What do banking and health care CISOs who are considering adopting cloud models need to know?
- How are threats to Web application security evolving?
- What do compliance and security officers need to know — and do — to respond?
- What other regulations do compliance officers need to be aware of in 2009?
The “Massachusetts Data Privacy Law? We call it ‘the toothless wonder,'” laughed one smug senior technology executive from a prominent high-tech firm at a MIT industry gathering April 30 in Cambridge, Mass.
But not everyone is laughing. In April 2008, Andrea Smith, age 25, of Trumann, Ark., was convicted of privacy violations under HIPAA, as was Fernando Ferrer Jr., of Naples, Fla., in January 2007. As of today, a total of eight cases have resulted in criminal convictions with jail time for data privacy violations under HIPAA.
The U.S. Department of Health and Human Services (HHS) has served notice (as of Feb. 18) that organizations can also expect substantial fines like the one extracted from CVS. That $2.5 million fine, coupled with others won by OCR or the FTC against Providence Health & Services, demonstrate that the risk of penalties is significantly more realistic going forward.
The probability of criminal convictions and risk of substantial penalties doesn’t, however, correlate to the likelihood of other serious compliance issues. “Stricter internal controls mandated by Sarbanes-Oxley have made it more difficult for improper payments to be concealed,” notes CorpWatch.
Consider the case of Richard Scrushy, founder of HealthSouth. Although theoretically acquitted of Sarbanes-Oxley (SOX) charges, he nevertheless sits in a Birmingham, Ala., prison. Although Scrushy was technically jailed for probation violations related to a vacation on a Miami yacht when he was supposed to be under house arrest in Birmingham, SOX materially contributed to Scrushy’s imprisonment. Some commentators have pointed to the few convictions under SOX when dismissing likelihood of consequences. But, as anyone involved with the legal system can attest, likelihood of conviction and fines barely begin to measure likelihood of serious problems. Let’s look at some other data:
- 2008 HIPAA investigations – 3,373
- 2008 HIPAA cases resulting in a requirement for corrective actions – 2,210
- Total HIPAA investigations 2003-2008 – over 11,000
- Total HIPAA cases resulting in a requirement for corrective actions – over 7,000
Source: U.S. Department of Health and Human Services
Simply receiving notice of an investigation requires firms and individuals to incur the costs of retaining counsel and allocating time, energy and resources to preparation. That’s a nerve-racking process with an unsure outcome. The investigation alone can be a big headache. And while only 10 cases have resulted in major fines or jail time, significantly more cases were prosecuted.
Preparing and presenting a criminal or civil defense in a legal case is, again, a costly undertaking with an unsure outcome, where even acquittal can leave an organization or an individual at a huge financial loss for attorney’s fees and energy, resources and the uncertainty that legal action causes.
How about nonconviction convictions? Plea deals can result in CWOF results, or Continued Without a Finding, and result in probation. Home-free, right? That’s what Richard Scrushy thought. The reality is that each step along the legal path increases the likelihood that subsequent or related, seemingly minor developments will result in jail time or fines. Organizations and individuals amass track records, which work against them over time.
SOX and HIPAA are only two of dozens of statutes under which privacy violations can be prosecuted. Try these for a few:
Health privacy laws
1974—The National Research Act
1996—Health Insurance Portability and Accountability Act (HIPAA)
Financial privacy laws
1970—Bank Secrecy Act
1998—Federal Trade Commission
1999—Gramm-Leach-Bliley Act (GLB)
2002—Sarbanes-Oxley Act (SOX)
2003—Fair and Accurate Credit Transactions Act
Online privacy laws
1986—Electronic Communications Privacy Act (ECPA), pen registers
1986—Stored Communications Act (SCA)
Communication privacy laws
1978—Foreign Intelligence Surveillance Act (FISA)
1984—Cable Communications Policy Act
1986—Electronic Communications Privacy Act (ECPA)
1994—Digital Telephony Act – Communications Assistance for Law Enforcement Act (CALEA), 18 USC 2510-2522
Education privacy laws
1974—Family Educational Rights and Privacy Act (FERPA)
Information privacy laws
2001—USA Patriot Act, expanded pen registers
2005—Privacy Act, sale of online PII data for marketing
Still skeptical? California alone has over 88 data privacy laws — and it actively investigates and prosecutes violations.
Twenty-three thousand HIPAA investigations over five years x 100 laws = over 2 million investigations. Your chances are looking worse and worse. And the cost of voluntary compliance is looking cheaper and cheaper by comparison.
May 1 passed without the raising of the Red Flags: The Federal Trade Commission announced a delay in the enforcement of the Red Flags Rule, which requires companies to come up with programs to detect and respond to financial data breaches or identity theft.
Last week, the FTC said it will delay enforcement until Aug. 1, “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”
This is the second enforcement delay of a major data protection law. Massachusetts extended enforcement of its 201 CMR 17.00 law until Jan. 1, from the original enforcement date of May 2009, also to give constituents more time to get into compliance.
Security expert and SearchCompliance.com contributor Paul Roberts of The 451 Group sees a pattern developing, which he relayed in an email:
I think the decision to delay Red Flag Rule enforcement is yet more evidence that the public sector has a lot to learn about formulating and then implementing data privacy regulations. What’s so interesting is how closely the FTC’s Red Flag Rule headache parallels Massachusetts regulators’ headaches trying to implement their “toughest in the nation” data privacy laws.
“The lesson in both cases is that regulators need to put down the sledgehammer when writing these new rules and spend more time refining their scope and soliciting input from the private sector so that they understand the practical impact of new requirements on businesses, nonprofits and individuals. Practically: Some kind of phased-in approach to enforcement would seem to make sense. And, as with the PCI regulations, it might be smarter to have an iterative process to writing these kinds of regulations, rather than trying to fix a complex problem (data theft, data privacy) in one fell swoop. So you might start with small-bore regulations that have teeth, but are focused on clear problems and easy to implement, then expand and refine them over time, as conditions change.
Seems like smart advice. Perhaps security, compliance and risk managers from corporate America should start calling for a change of strategy from federal and state lawmakers. But on the other hand, he’s also right about the fact that the “public sector has a lot to learn about formulating and then implementing data privacy regulations.” As we have also pointed out, many compliance, security and risk managers are finding themselves out of the loop, creating a major disconnect between the new laws and the efforts many companies are putting forth to get into compliance.
We noticed a new blogger joined ITKE this May Day: Matthew Barach, Esq. CIPP/G.
As his bio notes, Barach, is the founder of Boston Privacy Group, a privacy consulting firm, and the former Internet and Information Privacy Counsel for the New York State Consumer Protection Board (CPB).
Barach will be writing the Think Privacy blog, which will address “timely privacy topics including behavioral advertising, Red Flag Rules, the new Massachusetts regulations, HIPAA, GLBA, data transfer, cloud computing and other emerging privacy issues, laws, regulations and challenges that organizations will continue to face.”
|Since those are all issues and areas we cover, you can expect his posts to show up in our RSS reader. His first post, “The Red Flags Rules are coming, the Red Flags are coming – NOT,” addresses the recent announcement by the FTC that they “will grant a three-month delay of enforcement of ‘Red Flags’ Rule requiring creditors and financial institutions to adopt identity theft prevention programs.” Baruch helpfully linked to the FTC announcement.|
As readers of SearchCompliance.com know, enforcement of the Red Flags Rule has been approaching for some time. Compliance and security professionals alike will now have three more months to get their regulatory ducks in a row.