Navigating the maze of regulatory compliance
Once upon a time, being an IT professional was relatively simple – and not just in terms of the technology itself. Today it’s a maze of complexity on several levels. This new monthly blog post will delve into the compliance issues that are facing IT today and attempt to help you sort through the legalese, the jurisdictional issues, and the ever-changing legislative addendums so you can avoid the practical, reputational, and financial consequences of failing to follow all the guidelines.
The evolution of the compliance era
Those of us who have been around for a long time remember when the IT world was a bit like the old west: freewheeling, exciting, a little dangerous. Companies set their own policies and there were few standardized practices, much less hard-and-fast rules. But just as the practice of medicine and law once was open to anyone with few restrictions but later came to be strictly regulated, those who are responsible for the vast amounts of electronic data collected and processed today are increasingly falling under the province of governmental and industry rules and regulations.
When most networks were isolated LANs, the consequences of misconfiguration or lax security measures were confined mostly to the individual organization. With almost all networks now connected to all others through the global Internet, and organizations keeping more and more personal data about customers, employees, and business associates on those networks, one org’s poor IT practices can impact many other companies and individuals.
Thus both private industry associations and international, federal, state and sometimes local governments have gotten into the picture, enacting both voluntary guidelines and mandatory rules and laws with the goal of ensuring safe and ethical behavior and protecting the rights of individuals in regard to the data that flows around the world.
A brief history of data security regulation
If information is power, securing that information is vital to maintaining power and control – whether over state secrets or one’s own personal identity data. The U.S. government began by regulating itself; the Privacy Act of 1974 was designed to be a “code of fair information practices that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies.”
This was followed by more legislation, including the Computer Security Act of 1987, which designated an external agency, the National Institute of Standards and Technology (NIST), as responsible for defining the security standards for protecting non-classified federal data. Over the years, many more laws have come along that address the security of government data, such as the Patriot Act, the Homeland Security Act, and the e-Government Act (specifically Title III, the Federal Information Security Management Act, a.k.a. FISMA).
Meanwhile, over in Europe, the EU was concerned with protection of private data as it moved between member countries, and enacted the Data Protection Directive in 1995. This was the predecessor of today’s much-feared and oft-misunderstood General Data Protection Regulation (GDPR), which was enacted in 2016 and became enforceable in 2018.
Back at home, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect the privacy and security of patient healthcare information, and mirrored many of the provisions of the DPD. The next year, FDA CFR Part 11 imposed similar regulations on the pharmaceutical industry.
In 1998, Congress passed the Children’s Online Privacy Protection Act (COPPA) in response to growing concerns about collection and use of personally identifiable information about children under the age of thirteen.
As the 90s drew to a close, the legislative focus turned to financial services, and the Gramm-Leach-Bliley Act (GLBA) created new regulations for protecting the privacy of customers of banks, securities brokerages, and other financial services companies.
In 2002, after the Enron scandal, the Sarbanes-Oxley Act (SOX or SARBOX) was enacted to regulate corporate governance and financial reporting and establish auditing requirements. The controls framework requires appropriate levels of security.
Other countries have established their own regulations. These include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Personal Information Protection Act (PIPA), Australia’s Federal Privacy Act, Germany’s Bundesdatenschutzgesetz (BDSG) a.k.a. Federal Data Protection Act, Japan’s APPI Amendment, Russia’s Federal Law on Personal Data 2006, Sweden’s Personal Data Act, and many more.
Privacy is a priority
Although regulatory compliance, in general, addresses many different aspects of how organizations must operate, many, if not most, of the laws pertaining to IT have as their goal the protection of electronic data whose disclosure would violate the personal privacy of individuals. This is evident in the names of those laws and guidelines.
With the advent of the Internet and web-based purchasing, online banking, social networking, and a myriad of other ways we leave bits and pieces of our personal information strewn across cyberspace, privacy has become both a major concern and a difficult challenge.
Exposure of such information as social security numbers, credit card and bank account numbers, and even innocuous-seeming data such as favorite colors or pets’ names or vehicle models (often used in passwords or as identity-verification questions) can result in identity theft. Disclosure of home addresses and phone numbers can aid stalkers, harassers, or impersonators.
Consequences to businesses and non-profits when their databases are breached accidentally or intentionally include loss of customer/client trust that can impact revenues, censure by industry associations or governing agencies, loss of licenses, suspension of privileges, hefty fines, or in some cases even criminal charges. The Ponemon Institute estimated the average cost of a data breach to a business in 2018 to be $3.86 million.
Despite all this, we continue to hear about new data breaches on an almost daily basis. According to the Privacy Rights web site, 222 breaches have been reported thus far in 2019 (as of this writing), with the total number of records affected totaling an astounding 9,727,276. Is it any wonder governments have felt it necessary to step in and create laws to protect the privacy of our data?
While the necessity of rules and regulations is obvious, compliance can be expensive and frustrating for those who must implement the measures needed to comply with them. Sometimes it’s difficult to determine even what you need to do, much less how to accomplish it. In each installment of Compliance Matters, we’ll try to answer some of the most common questions and share some of the solutions that can make compliance a little easier.