Compliance in the Cloud: Part 2 - The Industry Focus
By Jim Hietala and Mark Willoughby,
Compliance Research Group

The red letter year for IT regulatory compliance is 1999. Both the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Modernization Act (the Gramm-Leach-Bliley Act or GLBA) were passed that year, unleashing the compliance genie for sensitive healthcare and consumer financial information, and setting in motion a privacy tsunami of future requirements.

Redundant Regulatory Landscape
Compliance has matured over the past 10 years, weighted with redundant and overlapping privacy and data integrity regulations, and guidance from a litany of public and private promulgators, including:
  • the Federal Financial Institutions Examination Council (FFIEC, a Federal amalgam of five financial regulators including the Comptroller of the Currency, the Federal Deposit Insurance Corp. and others)
  • the Federal Trade Commission (FTC), Dept. of Health and Human Services (HHS), Securities and Exchange Commission (SEC), Nuclear Regulatory Commission (NERC), and other Federal agencies too numerous to mention
  • the Payment Card Industry (PCI) Security Standards Council, the Public Company Accounting Oversight Board (PCAOB), Banking Industry Technology Secretariat (BITS), the IT Governance Institute and other private bodies
  • more than 40 state governments
  • numerous foreign government agencies
The list of public and private bodies publishing IT privacy and integrity regulations and guidance is too lengthy to reproduce here. The common denominator is enforcing some of the 10 Generally Accepted Privacy Principles (GAPP)(1). In the U.S. that generally means notice, choice, access, amendment and redress. International privacy protections generally are more stringent. To gauge the impact of IT compliance, look at the most heavily regulated segment - financial services, the target of multiple levies. Regulated financial companies - "covered entities" in privacy language - include banks, securities and investment firms, insurance companies, mortgage brokers, originators and underwriters, and all parties involved in credit card transactions and processing, with apologies to any companies we may have missed.

Financial Services
Financial services historically have been among the biggest IT spenders. Financial service companies typically spend almost 10% of revenues on large and varied front-office and back-office products and services, making it the largest market for many major IT vendors. Financial services led the movement to outsourcing and off-shoring for many core functions, from check and credit card processing to customer service. Approximately 40% of India's $17 billion annual outsourcing business was with financial services in 2006.(2)

Outsourcing increases the compliance issues faced by financial services firms, which own all the protected account information being transmitted, processed and stored regardless of location. The owners of the covered information must perform due diligence on the data custodians providing services, to ensure they are exercising due care to meet compliance requirements.

The risks posed to financial services companies are real. They are the top target of cyber criminals worldwide, and have discovered that compliance does not always mean security. They experience the largest number of breaches, many from internal sources. A recent survey of 43 U.S. companies found that 44% of all data breaches occurred in services provided by third-party data custodians, an increase from 40% in 2007 and 29% in 2006.(3) They see the most fraud, and financial services breach victims are more likely to move their accounts.(4)

As perennial early adopters of technology to cut costs, financial services companies now are ramping up new technologies that complicate compliance - virtualization and cloud computing. Assessing compliance for virtual processing environments can be a costly brute force exercise to secure the entire virtual infrastructure. Similarly, assessing external risk in cloud-based service providers starts with service agreements guaranteeing the access and cooperation needed to properly assess a third-party's policies, procedures and countermeasures. Remediation can pose a particularly thorny issue with service providers.

Using private cloud computing may ease the compliance burden on financial services companies, since they own and manage that service and can theoretically better control the compliance infrastructure, and how it is assessed. One new technology that poses thorny problems for financial services is mobile wireless devices. Despite their efficiency promises, the users of the devices, the mobile platform itself, and the wireless sessions must be secured before accessing covered information. This is a costly solution.

Healthcare
Healthcare is the second most regulated industry, also covered by a variety of regulations. Covered entities are doctors, hospitals, dentists, medical labs, insurance companies, pharmaceuticals - anybody who touches information defined by HIPAA or other regulations as protected. Healthcare has one big compliance benefit over finance - HIPAA language authorizes privacy assessments only after a violation is reported.

Healthcare IT infrastructure is split between business and clinical-laboratory applications. Most healthcare concerns spend more on clinical technology used in patient care, making them early adopters of medical technology but less so of business IT. This historic IT spending relationship may change with government attempts to wring out medical efficiencies. Healthcare also is a large user of outsourced services, much of it for clinical applications.

Healthcare generally has less security awareness than finance, but health information is not targeted at the same level by information criminals. However, patient information has been stolen and sold by internal employees to perpetrate fraud. Like all owners of sensitive information, healthcare must manage internal and external risk to maintain privacy of healthcare records, including regular assessments of the adequacy of a service provider's compliance infrastructure.

Public Companies
Public companies are a big category, overlapping with financial services and healthcare and extending to any enterprise with exchange-traded securities. For them, covered information adds integrity to privacy for all information impacting financial reporting. This is all general ledger information and transactions consolidated into income statements and balance sheets.

The validity of all transactions for supply chains, revenues from distribution chains and direct sales, employee and contractor salaries and wages, physical plant expenses - the list of transactions that are consolidated into core financials is extensive. The Sarbanes-Oxley Act of 2002, the applicable compliance regulation, was very costly to implement because of the confidentiality requirement and the added quarterly integrity attestations required of key executives.

IT infrastructures used by public companies vary widely by industry and company size, from large and distributed to small and centralized. The use of third-party and cloud-based services also varies widely among public companies, but generally is increasing, in line with the 27% growth seen in the software-as-a-service market from 2007-2008.(5)

Privacy and integrity of transactions and records pose both an external and an internal security risk for all public companies, because fraud has been perpetrated by employees altering records and submitting false transactions. Many public companies, such as those in retail, travel and leisure, also are covered by other regulations, such as PCI. They too must manage redundant compliance mandates and audit schedules.

Conclusion
There is no place for covered entities with protected information to hide in today's heavily regulated marketplace. Data owners are responsible for ensuring the privacy of sensitive information used in their businesses, regardless of where it is processed, transmitted or stored. This has been true for outsourced business processes across a variety of industries, and it will be true for cloud computing as well. The cost of non-compliance is increasing as well, with million-dollar penalties now commonplace. Businesses in many industries will be wise to fully consider how they will assess and manage risks, and ensure that adequate security protections are provided for their data, in cloud computing arrangements.

(1) http://infotech.aicpa.org/
(2) Indian National Association of Software and Service Companies
(3) Ponemon Institute, 2008
(4) Ponemon Institute, 2008
(5) Gartner, Growth in SaaS, 2007-2012

www.complianceresearchgroup.com

Copyright ©2009 The Compliance Authority, Inc.