Tip

Will the 'regulatory police' be knocking on your door?


What you will learn from this tip: Who is enforcing regulations and penalties for noncompliance.
Security professionals and business executives often wonder who's enforcing regulatory compliance and if enforcement agencies actively seek out violators. With the threat of a decade or two in prison or fines up to $500,000, depending on the violation and intent, these are valid questions.

Generally speaking, the "regulatory police" (which could range from state agencies to the U.S. Department of Justice) are not likely to be out walking the streets shaking people down, looking for outdated

Requires Free Membership to View

security policies, weak passwords, or unsecured personal information or financial reports to come flying out of their pockets. Law enforcement resources are too limited. Most regulatory compliance violations are the result of someone doing something stupid and getting caught. However, things are changing.

Organizations that violate a law or regulation often get caught as a result of an audit or oversight board inspection that turns up evidence of wrongdoing, or they are accused based on hearsay or other suspicion. In addition, in the U.S., for example, almost anyone from a disgruntled employee to an unhappy health care patient can lodge a complaint or lawsuit if they believe information is being mishandled.


MORE INFORMATION
The Securities and Exchange Commission (SEC) is responsible for enforcing the Sarbanes-Oxley Act (SOX). The Public Company Accounting Oversight Board (PCAOB -- pronounced peek-a-boo) was formed by the SEC to oversee and inspect the audit of public companies by registered public accounting firms. This proactive assessment ensures audit processes remain on the up and up according to the SOX requirements. However, whistleblowers and others can just as easily launch a complaint if they suspect a violation.

Complaints related to Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) violations can be submitted via the Web. The Centers for Medicare and Medicaid Services' (CMS) offers an enforcement and complaint Web page for HIPAA, which provides information about filing a complaint against a HIPAA-covered entity both online and in writing. Consumers in the financial industry (banking, mortgage, etc.) can file an electronic complaint about an organization with the Federal Trade Commission (FTC) -- the enforcer of GLBA -- via its consumer complaint form page.

Once a suspected violation occurs or a complaint is received, depending on the issue, some form of investigation is likely to be launched. This doesn't mean law enforcement investigates individual complaints, but this information can point agencies in the direction of a larger issue.

In the past, proactive monitoring and enforcement was somewhat limited. That is changing, especially in industries known for strong regulations, such as banking and pharmaceuticals. There is a growing public awareness of information privacy and security due to the increase in new laws at both the state and federal levels combined with the increase in the number of privacy breaches and security incidents. Consumers and businesses alike will undoubtedly hold others to a higher standard, thus raising the demand for better enforcement.

Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC where he specializes in security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including the The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in May 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.