What you will learn from this tip: Who is enforcing regulations and penalties for noncompliance.
Security professionals and business executives often wonder who's enforcing regulatory compliance and if enforcement agencies actively seek out violators. With the threat of a decade or two in prison or fines up to $500,000, depending on the violation and intent, these are valid questions.
Generally speaking, the "regulatory police" (which could range from state agencies to the U.S. Department of Justice) are not likely to be out walking the streets shaking people down, looking for outdated security policies, weak passwords, or unsecured personal information or financial reports to come flying out of their pockets. Law enforcement resources are too limited. Most regulatory compliance violations are the result of someone doing something stupid and getting caught. However, things are changing.
Organizations that violate a law or regulation often get caught as a result of an audit or oversight board inspection that turns up evidence of wrongdoing, or they are accused based on hearsay or other suspicion. In addition, in the U.S., for example, almost anyone from a disgruntled employee to an unhappy health care patient can lodge a complaint or lawsuit if they believe information is being mishandled.
- Learn more about HIPAA-related regulation enforcement.
- Find out how to get your regulatory priorities in order.
- Learn how to comply with SOX in five steps.
The Securities and Exchange Commission (SEC) is responsible for enforcing the Sarbanes-Oxley Act (SOX). The Public Company Accounting Oversight Board (PCAOB -- pronounced peek-a-boo) was formed by the SEC to oversee and inspect the audit of public companies by registered public accounting firms. This proactive assessment ensures audit processes remain on the up and up according to the SOX requirements. However, whistleblowers and others can just as easily launch a complaint if they suspect a violation.
Complaints related to Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) violations can be submitted via the Web. The Centers for Medicare and Medicaid Services' (CMS) offers an enforcement and complaint Web page for HIPAA, which provides information about filing a complaint against a HIPAA-covered entity both online and in writing. Consumers in the financial industry (banking, mortgage, etc.) can file an electronic complaint about an organization with the Federal Trade Commission (FTC) -- the enforcer of GLBA -- via its consumer complaint form page.
Once a suspected violation occurs or a complaint is received, depending on the issue, some form of investigation is likely to be launched. This doesn't mean law enforcement investigates individual complaints, but this information can point agencies in the direction of a larger issue.
In the past, proactive monitoring and enforcement was somewhat limited. That is changing, especially in industries known for strong regulations, such as banking and pharmaceuticals. There is a growing public awareness of information privacy and security due to the increase in new laws at both the state and federal levels combined with the increase in the number of privacy breaches and security incidents. Consumers and businesses alike will undoubtedly hold others to a higher standard, thus raising the demand for better enforcement.
Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC where he specializes in security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including the The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at firstname.lastname@example.org.