Ask CSOs to predict which issue will cause them the most pain in 2006, and year after year it's the same two words -- regulatory compliance.
One would think that after years of struggling with Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and Health Insurance Portability and Accountability Act, the art of compliance would be second nature by now. But it's actually getting harder to manage, said Wayne Proctor, CISO of Certegy Inc., a St. Petersburg, Fla.-based merchant services company with over $1 billion in annual revenue that handles data for 100 million consumers worldwide.
Besides the laws listed above, there are also industry regulations to heed, like the Payment Card Industry (PCI) Data Security Standard. But the challenges Proctor described are also the result of a 2005 legislative tsunami that began after companies like ChoicePoint Inc., Lexis-Nexis Group and CardSystems Inc. were forced to admit their data networks had been compromised.
Steve Bell, a partner in the telecom group at New York-based law firm Willkie Farr & Gallagher LLP, said as of late November, 21 states had enacted laws mirroring California's Security Breach Information Act (SB-1386). Thirty-nine other states have either drafted or considered similar legislation, he said.
State laws have same purpose but often conflict
Though the laws are all designed for the same purpose -- to ensure companies come clean when hackers penetrate their networks and steal information that could be used to commit fraud -- the specific requirements are not always the same from one state to the next. Hence the confusion, Proctor said.
"With some of the legislation in the different states, there are conflicting points" and the challenge is to separate the common criteria from the differences, he said. "If it's at the federal level, it's more watered down and you know the minimum requirements," he said. "But if you're a national company and you're dealing with laws in different states that may have differing elements -- that's challenging."
Certegy's solution is to operate based on the toughest regulations out there, including those from overseas. "We have basic decision-making criteria where we lean toward the stricter so we're in compliance by default," Proctor said. In the coming year, he'll be watching to see if the federal government enacts a law that supersedes those enacted at the state level.
Feds should 'take their time'
Legal experts like Bell believe that for consistency's sake, it may be time for a federal law. In an earlier interview with Information Security magazine, a sister publication to SearchSecurity.com, Bell worried that additional state laws could start to complicate business functions, and said one overriding federal law might be the answer.
"I think the states have done a remarkable job and it's clear the California legislation was the precipitating factor in ChoicePoint coming forward," Bell said. "But look out at the horizon and you'll see that as more and more legislation is adopted, it'll really complicate the function of a lot of businesses as they're forced to spend more and more time and money trying to figure out the similarities and differences between the various state laws they're bound by."
Proctor expects that a superseding federal law will emerge in 2006. But despite the headaches he has suffered in the name of regulatory compliance, he isn't in a hurry to see it happen. In the end, he said, the tougher regulations are probably for the best.
"Federal lawmakers should take their time to make sure it's a good law because it'll affect us all," he said. "If they go with the firmer level of compliance that some states require, that would send a clear message that everyone has to get in line."
Anxieties shared behind closed doors
It remains to be seen if things will play out as Proctor expects. But Jim Wade, executive director and chief operating officer of the International Information Integrity Institute (I-4), said many CSOs share Proctor's view, namely that regulatory compliance will remain a dominant challenge through the next year.
I-4, part of Tewksbury, Mass.-based Getronics, is a consortium of multinational organizations in which CSOs meet behind closed doors several times a year to trade notes on their biggest challenges. By meeting in secret, Wade said, the CSOs are comfortable speaking candidly about their pain points.
"We have 75 companies involved," Wade said. "That's our ceiling so they can really interact and communicate with each other. We hold three large meetings a year for the membership. Those meetings are moved around to various locations in the U.S. and Europe, and the forums are three and a half days long, starting early morning and going into the early evening." There are also breakout sessions where smaller groups mull over specific issues. And there are regional one-day meetings throughout the year where only one or two subjects are tackled at a time.
Governance the big concern for 2006
If the most recent gatherings are any indication, he said, governance is a big concern for 2006. "It's not just the U.S," he said. "The U.K. has been dealing with many of the same issues. Security is one of those areas that is really catching attention on the regulatory and auditing side. We're hearing people really trying to get their arms around best practices. They see the need to make an integrated effort and come up with an integrated set of requirements. They're trying to figure out how to comply with multiple regulations without reinventing the wheel."
Wade noted that most corporations fall under the rules of HIPAA because they provide employees with health insurance. Global companies must abide by European and Japanese data integrity laws and a SOX-like equivalent in Australia. "How do you get your arms around all this without burning out the staff?" Wade asked. "That's an issue CSOs hope to address in the next year."
CSOs are also looking at how to integrate "the next thing that comes along," he said. "They want to figure out how you take a new set of regulations and integrate it with the processes you already have in place for other regulations."