The Art of Data Management Compliance, Part 1: Keeping Pace
There's an alphabet soup of acronyms -- including SOX, HIPAA, GLBA and FISMA -- that enterprises must become familiar with in their effort to comply with data management regulations. Compliance with these regulations keeps them in the clear legally, and also helps them stem the tide of cyber-crime.
04/26/08 4:00 AM PT
When it comes to properly managing and protecting critical enterprise data and information resources, Corporate America is stuck between two strongly opposing forces.
The Rock: Cyber-Crime
The U.S. is world "cyber-crime" headquarters (followed closely by the UK), according to the Internet Crime Complaint Center (IC3) 2007 Internet Crime Report. The term cyber-crime refers to criminal activity in which computers and networks like the public Internet play an essential part in the lawbreaking. Americans reported losses of US$240 million from global cyber-crime in 2007, a $40 million increase from 2006, the April 2008 IC3 report states.
The IC3 received 206,884 complaints of online fraud in 2007. Cyber-criminal activities include accounting fraud, identity theft, malicious software, data breaches, espionage, sabotage and newly minted esoteric misdeeds such as thumbsucking, podslurping, bluesnarfing and much, much more.
The Hard Place: Compliance
In an effort to stem the tide of cyber-crime -- or at least compel the business world to be more diligent in implementing prevention efforts -- thousands of U.S. state and federal regulations (in addition to numerous voluntary standards) officially require that organizations be in full legal compliance with mandates concerning records management.
Each of the following represents just a part of the extensive web of rules and regulations imposing strict obligations on businesses regarding proper stewardship of the information at the core of their operations:
- The Sarbanes-Oxley Act of 2002 (SOX)
- Auditing Standard No. 5 (AS5)
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Fair and Accurate Credit Transactions Act (FACT)
- Statement on Auditing Standards 103 (SAS)
- Payment Card Industry Data Security Standard (PCI DSS)
- Federal Information Security Management Act (FISMA)
- Code of Federal Regulations 21-11 (CFR)
- Federal Rules of Civil Procedure (FRCP)
- California Security Breach Information Act (SB-1386)
- Electronic Communications Privacy Act (ECPA)
"Regulations related to data management have shifted dramatically during the last few years, and are requiring that public and private companies comply with more stringent requirements around the retention, privacy and security of electronic records," said Tom Klaff, CEO of Surety, an IT security software and services company.
The biggest challenge is that there is no uniform federal law, said Sai Huda, chairman and CEO of Compliance Coach.
"Companies have to comply not only with a variety of federal laws and regulations, but also a patchwork of state laws and regulations, so there are multiple rules to follow," Huda told the E-Commerce Times.
"I have seen data reflecting between 10,000 and 12,000 pieces of legislation out there," Chrisan Herrod, executive editor of The Compliance Authority Blog, told the E-Commerce Times.
Compliance and MDM
Compliance covers data storage, archiving, encryption, retrieval and security. In the corporate world, the prime target of technology-based crime, and therefore regulation, is "master data" -- any information that plays a key role in the core operation of a business. Master, or reference, data relates to the main subjects of an information system such as clients and customers, employees, products and vendors, inventory, suppliers, analytics and more.
The processes of managing master data have been formalized in a system called "master data management" (MDM), an IT subdiscipline that focuses on the management and interlinking of reference data shared and used by an organization's different systems and groups.
"Compliance is the art of making sure that your organization's data-management practices pass muster with authorities and stakeholders and the financial community in general, and MDM is the key to corporate compliance," said James Kobielus, a senior analyst for the Burton Group.
"MDM refers to the infrastructure, tools and best practices for governance of official corporate records that may be scattered across diverse databases and other repositories. MDM helps you assure that data has been generated, vetted, processed, protected and transmitted according to a consistent set of policies and controls," he added.
"Where compliance is concerned, data quality, integrity and security are everything," Kobielus told the E-Commerce Times. "Without MDM, companies can't prove that scattered corporate records constitute a single source of truth. Without an unimpeachable official system of records, your lawyers will have to work twice as hard to prove your organization is complying with the letter of the law."
The Sarbanes-Oxley Act
The letters most notable in regard to data management law are SOX. The Sarbanes-Oxley Act of 2002 was enacted after the Enron and WorldCom scandals of the early 2000s and is administered by the Securities and Exchange Commission. SOX, which regulates the management of corporate financial records and provides penalties for abuse, created sweeping disclosure obligations for public companies.
"SOX has substantially changed how organizations view compliance by putting the burden of reporting accurate financial results personally on key corporate executives," Mario Spanicciati, operations vice president for BlackLine Systems, told the E-Commerce Times. "In order to comply with these regulations, organizations must create one version of the truth, and effective financial controls are essential to achieving this."
SOX requires that all assets and liabilities be accounted for, observed Kris Barker, CEO of Express Metrix.
"IT assets consist of both physical items such as PCs, servers, printers, etc., as well as far less tangible ones such as software and contracts," Barker told the E-Commerce Times. "Intentional, planned management of IT assets is key to having the information required to comply with such regulations."
SOX was further bolstered by the Auditing Standard No. 5 from the Public Company Accounting Oversight Board (PCAOB), created by the SOX law to oversee and discipline accounting firms in their roles as auditors of public companies.
"AS5 encouraged and allowed for better automation, so we're now seeing organizations realize dramatic SOX cost reductions via automation," said Barker.
The financial services industry, in particular, is feeling the heat as scrutiny becomes ever more intense, according to Timothy Kennedy, vice president of sales and marketing at MyComplianceOffice.
"The pace of changes within the regulatory environment has put tremendous pressure on wealth management firms to remain compliant," he told the E-Commerce Times. "Today, regulators are looking for higher levels of data management, comprehensive disaster recovery plans, and effective data protection to ensure the security of client information. As a result, regulators are conducting much more detailed exams, spending a significantly larger amount of time conducting on-site audits."
GLBA and HIPAA
The avalanche of rules and regulations began with the Gramm-Leach-Bliley Act of 1999, which opened up competition among banks, securities companies and insurance companies. GLBA's Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. Compliance is mandatory.
The Health Insurance Portability and Accountability Act of 1996 requires the establishment of national standards for electronic health care transactions and the security and privacy of health data.
Though the laws have been in place for a while, the pressure is increasing.
"Broadly, the regulating organizations are getting more and more serious and previously unregulated geographies are becoming regulated," Mark Kraynak, senior director of strategic marketing for Imperva, an application data security and compliance specialist, told the E-Commerce Times. "As an example of stronger enforcement, even in just the last few months, our customers are seeing real HIPAA enforcement where previously HIPAA had a reputation for lax or nonexistent enforcement."
The payment card industry -- encompassing debit, credit, prepaid, e-purse, ATM and POS (point-of-sale) card companies and associated businesses -- has long been an area of serious concern to regulators. The PCI Security Standards Council (formed in 2007 by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) aims to manage the ongoing evolution of the PCI Data Security Standard, which includes requirements for security management, policies and procedures.
"With the significant increase in sensitive data breaches and identity theft, we have seen regulations such as DSS become much more granular, with very specific technical and auditing measures described for protection of data," Dave Shackleford, a director at Configuresoft, told the E-Commerce Times. "Additionally, many regulations are mandating the use of data encryption techniques, which is a change from several years ago. The reporting and auditing processes have become more stringent, too, with separation of duties and more detailed statements of controls needed to be compliant."
State(s) Your Business
The U.S. states have also been aggressive in addressing data privacy and loss notification procedures that directly affect how companies address data management.
"Today most states have in place laws that now require companies to make public notification of any data loss with personal or confidential information," Rob Guba, CCO of TraceSecurity, told the E-Commerce Times.
"In fact, some states are even requiring controls be put in place to preempt the loss from happening. They have also added the bonus of potential legal action. Minnesota, for instance, has opened up an avenue for an institution to place the expense of ID theft-related expenditures on the organization that lost the data," he noted.
The 2003 California Security Breach Information Act requires organizations maintaining personal information about individuals to inform those individuals if the security of their information is compromised. In the event of a database security breach, the responsible organization must notify each individual for whom it maintained information. The Act was created to help stem the increasing incidence of identity theft.
SB-1386 changed the face of data privacy forever, according to Wasim Ahmad, vice president at Voltage Security.
"Five years ago, federal data privacy-related compliance regulations focused on GLBA and HIPAA," Ahmad told the E-Commerce Times. "Then came SB-1386 -- instead of compliance being internally focused, suddenly companies were publicly on the hook to safeguard customer data -- not just in California but all over the U.S. And SB-1386 linked common-sense practices with brand reputation, forcing companies to disclose data breaches publicly and subsequently face the consequences with customers whose identities were exposed."
All of this has produced strong incentives to maximize enterprise data security.