Data security is seeing increased attention these days. Widespread media coverage, coupled with mounting losses due to fraud and identity theft, has increased the pressure being brought to bear on this problem. At last count there are over 100 different regulations pertaining to data protection and security breaches. All these overlapping regulations, and the blur surrounding jurisdictional authority, have increased the complexity of compliance.
Compliance
The government is getting tough on organizations that are not in compliance. Two areas of compliance that touch a very broad group of organizations are HIPAA and SOX. Both of these areas are currently seeing stepped-up auditing and compliance enforcement.
HIPAA--The Centers for Medicare & Medicaid Services (CMS) has authority to investigate complaints of non-compliance related to all of the HIPAA regulations other than the Privacy Rule. In the first half of 2008, CMS received nearly 1,000 complaints. That is not surprising, given that one insider who did not want to be identified said, “It was strongly suggested to me that I not bring up the areas of non-compliance because it would delay software development and cost the company money.” This only opens up the company’s liability, because it is not a question of if a data breach will occur, but when!
SOX--Multiple high-profile financial scandals, accounting errors and fraudulent practices drove the enactment of the Public Company Accounting Reform and Investor Protection Act of 2002, commonly referred to as SOX. Information security is tightly coupled with SOX because virtually all corporate information is electronic. Compromising a company’s computer system can have a direct impact on its financial performance. In one case, a security auditor and consultancy discovered that their client had experienced a security breach that compromised its product costing and pricing information. A company’s competitive position is compromised if its competitors know its costs and pricing. Given the sensitivity of that specific information, the security auditors informed the company’s CIO that they needed to disclose this to the SOX compliance team. The CIO refused to do so. The consultants insisted on internal disclosure and, interestingly enough, had their consulting contract cancelled. When they contacted me and asked me what to do, I suggested they leave noisily! In a similar incident, I had the CIO of one company who wanted to try and force a non-disclosure agreement that stated I could not disclose the results of the security audit/investigation to anyone other than him.
A report recently released by the Identity Theft Resource Center (ITRC) stated that data breach incidents have reached an all-time high. “Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69 percent greater than the same time period in 2007.” If that is not bad enough, insiders and security experts all say that many organizations fail to comply with regulations governing disclosure and data protection.
Reality Check
Data security and compliance are essential! In one study, 79 percent of survey respondents said regulatory mandates are a major influence on data security. Over 40 percent of the professionals surveyed said that the board of directors is now getting involved and driving increased security measures and compliance with data breach regulations. This, coupled with external auditors’ concern over separation of duties when the CISO reports to the CIO, is pushing a change in the reporting relationship of CISOs. The current thinking is that the CISO should report directly to the board of directors, or at least to the audit committee. This transition is also a factor that is changing what organizations are looking for when they hire a CISO.
Conclusion
While SOX and HIPAA provide compelling arguments for improving security controls around data, they are only a small part of a larger quandary: comply, or risk the consequences. Given all that is at stake, you would think organizations would be forthcoming with breach information and embrace compliance, but that is not always the case. For that reason, auditing information security and compliance has become big business.
Kevin G. Coleman, a consultant and advisor with Technolytics Institute, writes the Data Security column for TMCnet. To read more of Kevin’s articles, please visit his columnist page.