CSOs seek regulatory sanity in 2006

By Bill Brenner, Senior News Writer
26 Dec 2005 | SearchSecurity.com

Security Wire Daily News

Ask CSOs to predict which issue will cause them the most pain in 2006, and year after year it's the same two words -- regulatory compliance.

One would think that after years of struggling with Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act, the art of compliance would be second nature by now. But it's actually getting harder to manage, said Wayne Proctor, CISO of Certegy Inc., a St. Petersburg, Fla.-based merchant services company with over $1 billion in annual revenue that handles data for 100 million consumers worldwide.

"In finance, it's becoming more difficult to keep up with the pace of regulations coming from multiple sources at the same time," Proctor said.

Besides the laws listed above, there are also industry regulations to heed, like the Payment Card Industry (PCI) Data Security Standard. But the challenges Proctor described are also the result of a 2005 legislative tsunami that began after companies like ChoicePoint Inc., Lexis-Nexis Group and CardSystems Inc. were forced to admit their data networks had been compromised.

Steve Bell, a partner in the telecom group at New York-based law firm Willkie Farr & Gallagher LLP, said as of late November, 21 states had enacted laws mirroring California's Security Breach Information Act (SB-1386). Thirty-nine other states have either drafted or considered similar legislation, he said.

State laws have same purpose but often conflict
Though the laws are all designed for the same purpose -- to ensure companies come clean when hackers penetrate their networks and steal information that could be used to commit fraud -- the specific requirements are not always the same from one state to the next. Hence the confusion, Proctor said.

"With some of the legislation in the different states, there are conflicting points" and the challenge is to separate the common criteria from the differences, he said. "If it's at the federal level, it's more watered down and you know the minimum requirements," he said. "But if you're a national company and you're dealing with laws in different states that may have differing elements -- that's challenging."

Certegy's solution is to operate based on the toughest regulations out there, including those from overseas. "We have basic decision-making criteria where we lean toward the stricter so we're in compliance by default," Proctor said. In the coming year, he'll be watching to see if the federal government enacts a law that supersedes those enacted at the state level.

Feds should 'take their time'
Legal experts like Bell believe that for consistency's sake, it may be time for a federal law. In an earlier interview with Information Security magazine, a sister publication to SearchSecurity.com, Bell worried that additional state laws could start to complicate business functions, and said one overriding federal law might be the answer.

"I think the states have done a remarkable job and it's clear the California legislation was the precipitating factor in ChoicePoint coming forward," Bell said. "But look out at the horizon and you'll see that as more and more legislation is adopted, it'll really complicate the function of a lot of businesses as they're forced to spend more and more time and money trying to figure out the similarities and differences between the various state laws they're bound by."

Proctor expects that a superseding federal law will emerge in 2006. But despite the headaches he has suffered in the name of regulatory compliance, he isn't in a hurry to see it happen. In the end, he said, the tougher regulations are probably for the best.

"Federal lawmakers should take their time to make sure it's a good law because it'll affect us all," he said. "If they go with the firmer level of compliance that some states require, that would send a clear message that everyone has to get in line."

Anxieties shared behind closed doors
It remains to be seen if things will play out as Proctor expects. But Jim Wade, executive director and chief operating officer of the International Information Integrity Institute (I-4), said many CSOs share Proctor's view, namely that regulatory compliance will remain a dominant challenge through the next year.

I-4, part of Tewksbury, Mass.-based Getronics, is a consortium of multinational organizations in which CSOs meet behind closed doors several times a year to trade notes on their biggest challenges. By meeting in secret, Wade said, the CSOs are comfortable speaking candidly about their pain points.

"We have 75 companies involved," Wade said. "That's our ceiling so they can really interact and communicate with each other. We hold three large meetings a year for the membership. Those meetings are moved around to various locations in the U.S. and Europe, and the forums are three and a half days long, starting early morning and going into the early evening." There are also breakout sessions where smaller groups mull over specific issues. And there are regional one-day meetings throughout the year where only one or two subjects are tackled at a time.

Governance the big concern for 2006
If the most recent gatherings are any indication, he said, governance is a big concern for 2006. "It's not just the U.S.," he said. "The U.K. has been dealing with many of the same issues. Security is one of those areas that is really catching attention on the regulatory and auditing side. We're hearing people really trying to get their arms around best practices. They see the need to make an integrated effort and come up with an integrated set of requirements. They're trying to figure out how to comply with multiple regulations without reinventing the wheel."

Wade noted that most corporations fall under the rules of HIPAA because they provide employees with health insurance. Global companies must abide by European and Japanese data integrity laws and a SOX-like equivalent in Australia. "How do you get your arms around all this without burning out the staff?" Wade asked. "That's an issue CSOs hope to address in the next year."

CSOs are also looking at how to integrate "the next thing that comes along," he said. "They want to figure out how you take a new set of regulations and integrate it with the processes you already have in place for other regulations."
