About Compliance and Security

Thursday, December 02, 2010

Danny Lieberman


Beyond a basic level of network security (running a firewall) and endpoint security (installing anti-virus), the key driver for companies investing in software and data security is compliance.

For vendors such as medical device manufacturers the driver is HIPAA; for enterprise business applications it is governance and privacy regulation such as Sarbanes-Oxley and EU data protection law.

However, here we run into two anomalies:

  • You can comply without being secure: consider the credit card breaches at PCI DSS-compliant retailers.
  • But most companies won’t invest in software and data security without a compliance driver behind them.

In this essay, I will attempt to investigate the relationship between data security and compliance and suggest how to get the right security for your compliance dollar.

Data security and compliance

Regulation drives business into taking action. But is regulation more than just a trigger for management action? Data security requires both management and technology controls, and the trigger for implementing them often lies in government regulation. This section examines the relevance of regulation in the US and in Europe.

…Truth be told, everything we’ve done in the area of data loss prevention is because of industry regulations. The police were useless in our last data breach event and we’re developing self-audit and control capability in order to protect our customer records and actuarial data.
General Counsel of an insurance company with $8BN in assets

…We don’t invest in DLP technology because it’s a criminal offense when one of our employees breaches critical filings. We feel the legal deterrent is sufficient.
IT Manager, Securities and Exchange Commission in a Middle East country

Regulation cannot protect us from a data breach. Uncompromising ethics and good management are prerequisites for protecting a company’s digital assets and individuals’ private information.

Let’s examine the relationships between individuals, public entities and regulation:

Individuals
  • Privacy: HIPAA/HHS rulings
  • Children: Children’s Online Privacy Protection Act (COPPA)
  • Credit card holders: FCRA

Public entities (public firms and government agencies)
  • Corporate governance: Sarbanes-Oxley
  • Insurance: State law
  • Health care: HIPAA/HHS rulings
  • Credit cards: FCRA
  • Securities: the cat guards the cream (see below)
  • Telecom: New York State Public Service Commission rulings

Privacy regulation trends in the US and Europe

Government-regulated privacy protection of information is a natural response rooted in the field of telecommunications, since countries either own the telecom business outright or tightly regulate the industry.

This has largely led to a view of electronic privacy as an issue of citizen rights versus state legislation and monopoly.

In the information age, privacy has two dimensions, intrusion and data breach:

  • Protection against intrusion by unwanted information or by criminals; similar to the constitutional protection to be secure in one’s home.
  • Protection against data breach by controlling the flow of information about an individual’s or a business’s activities; for example, preventing identity theft or protecting a company’s trade secrets.

Regulation has moved in two major directions: centralized general protection and decentralized ad hoc protection. The EEC (European Economic Community, now the EU) has pursued the former and passed comprehensive data protection laws that coordinate information collection and data flows.

The United States, in contrast, has dealt with issues on a case-by-case basis (health care, credit cards, corporate governance, etc.), resulting in a variety of ad hoc federal and state legislation.

A synthesis of the European and the American approaches is to formulate a set of broad rules for a vertical industry. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy.

However, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases. Two Representatives on the House Select Committee on Homeland Security called for a Privacy Czar.

The Privacy Czar would be responsible for privacy policies throughout the federal government as well as for ensuring that private technology does not erode public privacy.

“Right now, there’s no one at home at the White House when it comes to privacy. There’s no political official in the White House who has privacy in their title or as part of their job description.

Congress should take the lead here because this administration has not,” said Peter Swire, an Ohio State University law professor and former chief privacy officer in the Clinton administration, in an interview with Wired back in 2006 (http://www.wired.com/news/privacy/0,1848,63542,00.html). Has anything changed under the Obama administration?

Horizontal applications

Sarbanes-Oxley: enforcing corporate governance

The Sarbanes-Oxley Act (SOX) has had a major impact on US corporate governance. SOX was a response to the accounting scandals and senior management excesses at some public companies in the years before it was passed.

It requires a comprehensive reform of accounting procedures for public corporations, to promote and improve the quality and transparency of financial reporting by both internal and external independent auditors. Compliance is overseen by the SEC and by the Public Company Accounting Oversight Board (PCAOB), which SOX created to oversee the auditors of public companies.

SOX Section 404, “Management Assessment of Internal Controls”, is indirectly relevant to data breach. It requires an “internal control” report in the annual report that states management’s responsibility for internal controls and assesses their effectiveness. Companies are also required (Section 406) to disclose whether they have adopted a code of ethics for senior financial officers, and the contents of that code.

SOX Section 409, “Real Time Issuer Disclosures”, implies that a significant data breach event must be disclosed “on a rapid and current basis”. SOX also increases the maximum penalty for mail and wire fraud from 5 to 20 years, and makes it a crime to tamper with a record or otherwise impede an official proceeding.

HHS/HIPAA: enforcing patient privacy

Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave Congress three years to pass health privacy legislation, failing which the Department of Health and Human Services (HHS) was to issue privacy regulations itself.

Congress did not act, and in April 2003 the HHS Privacy Rule, issued pursuant to HIPAA, took effect as the federal protection for the privacy of individual health information. Because of the limitations of HIPAA itself, the rule is far from seamless and will require a lot more work in the US Congress by both parties to ensure the privacy of personal health information.

My conclusion on all of this is:

  • SOX is a great opportunity for IT vendors of products and services, although external auditors aren’t supposed to charge extra for SOX compliance work.
  • SOX has general management relevance to data breach prevention: it requires internal controls, a code of ethics and disclosing bad news on time.
  • Data breach of patient information continues to be an issue.

Vertical industries

Securities: Did we leave the cat guarding the cream?

Annette L. Nazareth, market regulation director at the U.S. Securities and Exchange Commission, outlined proposals at a securities industry conference in New York on May 21, 2004 calling for stock exchanges, as the Associated Press put it, “to abide by most of the requirements they set for companies they list.” (http://www.sec.gov./news/speech/spch052104aln.htm)


Insurance industry: Federal versus free market

In October 2003, witnesses before the Senate Commerce Committee testified regarding insurance industry regulation. The committee analyzed the current US system, which relies on state law, and examined proposals for improving industry regulation.

One of the central issues was whether or not the federal government should play a larger role in regulating the insurance industry. Also discussed was the need to protect consumers without forcing unnecessary regulation on insurance companies. Some senators expressed concern about high insurance rates.


If you’re an IT vendor of products and services, there may be gold in them thar hills. But when you’re running your business, don’t leave your ethics at home and don’t wait for governments to tell you what you learned from your parents at age five: put your toys away and don’t steal from the other kids.

Cross-posted from Israeli Software 
