COMPLIANCE COUNSELOR

Will the 'regulatory police' be knocking on your door?


Kevin Beaver, CISSP
05.31.2005



What you will learn from this tip: Who is enforcing regulations and penalties for noncompliance.
Security professionals and business executives often wonder who's enforcing regulatory compliance and if enforcement agencies actively seek out violators. With the threat of a decade or two in prison or fines up to $500,000, depending on the violation and intent, these are valid questions.

Generally speaking, the "regulatory police" (which could range from state agencies to the U.S. Department of Justice) are not likely to be out walking the streets shaking people down, looking for outdated security policies, weak passwords, or unsecured personal information or financial reports to come flying out of their pockets. Law enforcement resources are too limited. Most regulatory compliance violations are the result of someone doing something stupid and getting caught. However, things are changing.

Organizations that violate a law or regulation often get caught as a result of an audit or oversight board inspection that turns up evidence of wrongdoing, or they are accused based on hearsay or other suspicion. In addition, in the U.S., for example, almost anyone from a disgruntled employee to an unhappy health care patient can lodge a complaint or lawsuit if they believe information is being mishandled.

The Securities and Exchange Commission (SEC) is responsible for enforcing the Sarbanes-Oxley Act (SOX). The Public Company Accounting Oversight Board (PCAOB -- pronounced peek-a-boo) was formed by the SEC to oversee and inspect the audit of public companies by registered public accounting firms. This proactive assessment ensures audit processes remain on the up and up according to the SOX requirements. However, whistleblowers and others can just as easily launch a complaint if they suspect a violation.

Complaints related to Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) violations can be submitted via the Web. The Centers for Medicare and Medicaid Services (CMS) offers an enforcement and complaint Web page for HIPAA, which provides information about filing a complaint against a HIPAA-covered entity both online and in writing. Consumers in the financial industry (banking, mortgage, etc.) can file an electronic complaint about an organization with the Federal Trade Commission (FTC) -- the enforcer of GLBA -- via its consumer complaint form page.

Once a suspected violation occurs or a complaint is received, depending on the issue, some form of investigation is likely to be launched. This doesn't mean law enforcement investigates individual complaints, but this information can point agencies in the direction of a larger issue.

In the past, proactive monitoring and enforcement were somewhat limited. That is changing, especially in industries known for strong regulations, such as banking and pharmaceuticals. Public awareness of information privacy and security is growing, driven by the increase in new laws at both the state and federal levels combined with the rising number of privacy breaches and security incidents. Consumers and businesses alike will undoubtedly hold others to a higher standard, thus raising the demand for better enforcement.

Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC, where he specializes in security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books, including The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at kbeaver@principlelogic.com.
