Problem solve Get help with specific problems with your technologies, process and projects.

Worst practices: Recognizing the biggest compliance mistakes

With all of the compliance requirements and regulations organizations need to abide by these days, corporate compliance blunders are inevitable. In this tip, security management expert Mike Rothman highlights the biggest compliance mistakes seen in the information security industry, and offers advice on how your company can learn from them.

As the season of entertainment awards comes to a close, I want to weigh in and do my first annual "Steaming Brown Bag Awards" or STiBBAs for short, which recognize the biggest compliance blunders of the past year (or so), and the award is – of course – a steaming brown bag.

And without further ado: The Rip Van Winkle STiBBA goes to TJX. Considering TJX was unaware its systems had been compromised for years, maybe the retailer should be a perpetual STiBBA award winner.

Using WEP to protect stored wireless networks, not monitoring database and log information and having a porous point-of-sale application certainly qualify as compliance worst practices. So TJX takes the cake, and it's hard to see how it will ever be topped in the data breach sweepstakes. But that's the optimist in me talking.

The next STiBBA is for "aiding and abetting a train wreck," and this goes to Visa, which gave TJX a two-year exemption for PCI compliance while the attackers were pilfering TJX's database daily. I'm not sure what the escalation process was to approve that extension, but hopefully it's been eliminated. At this point, there should be no exceptions.

We all should vote with our wallets. We should not do business with companies that can't keep our personal data private.

Mike Rothman

Next on our hit parade is the "paper tiger" STiBBA, which goes to the Department of Health and Human Services. Yes, that's right – HIPAA is officially an empty suit. The sad truth is that from a risk management standpoint, it's more cost effective for healthcare institutions to basically do nothing and wait until they are caught before trying to fix their security issues.

The odds any health organization will get caught in a HIPAA assessment and then fined are virtually nil. Of course, that's exactly the wrong thing to do for their patients, but it's happening out there. Thankfully, many doctors and hospitals take credit cards and, thus, are also forced to comply with PCI. So they are likely making progress, but it's not because of HIPAA.

Now let's get into the user-oriented STiBBAs, starting with the award for "sitting on their hands." And the winner is TD Ameritrade. These folks suffered one of the more high-profile breaches in late 2007, with at least 6.3 million TD Ameritrade customers having their identities stolen. Even worse, the company may have known about it for more than a year. It claims it didn't, but the lawyers suing them for an earlier spam-related suit disagree. We probably won't hear more about this until the class action lawsuits start hitting legal dockets in another 18 months or so.

Not disclosing a potential data breach is another compliance worst practice. It's acceptable to a point if the organization is still actively trying to figure out what happened and get the situation is under control before it's disclosed, but waiting for weeks is an exceptionally bad idea. Waiting a year will result in a swift execution in the court of public opinion. If an enterprise doesn't know what's going on within a couple of days, the news isn't going to get better with time.

The "fool me twice, shame on me" STiBBA goes to Pfizer, which had not just one, but two data breaches within two months on separate issues. The first breach resulted from an alleged insider attack that compromised personal information on 17,000 Pfizer employees. And just when you thought lightening wouldn't strike twice, a set of laptops owned by a Pfizer contractor that contained personal financial information was lost. Now that's a double whammy.

So how can organizations avoid this worst practice? If an enterprise experiences a data breach, it should put everyone on high alert. As long as the organization is candid about the issue the first time, it's forgivable. If it happens twice within a short amount of time, all bets are off. Organizations should ensure that employees are scrutinizing everything; verify that contractors understand they need to protect data; and add a few more processes to ensure it doesn't happen again. The enterprise may take a little productivity hit, but what's the brand damage hit if another breach happens?

Finally, the last STiBBA goes to the consumer. On behalf of all of the customers, including myself, who still shop at places like TJX and frequent other organizations that violate our trust and lose our data.

We all should vote with our wallets. We should not do business with companies that can't keep our personal data private. These corporations should learn the hard way that protecting customer data is important. All consumers should resolve to not do business at places that have had a data breach within the past 12 months. Maybe it will be a pyrrhic victory – but it'll be a victory nonetheless.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO at, read his blog at, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

This was last published in April 2008

Dig Deeper on PCI Data Security Standard

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.