When Congress passes laws like The Sarbanes-Oxley Act, companies have little choice but to comply, even if the regulations impose significant incremental business costs. Legislators legislate—those affected must go along or face sanctions.

The only saving grace is the fact that the legislative process provides an opportunity for companies to lobby on behalf of their interests, block adverse regulations, or at least influence the final content.

But government officials aren't the only ones throwing their weight around these days. In fact, a whole host of parties, from industry consortia to powerful corporations, are demanding their own unique forms of "compliance," which are backed by fines or worse: restricted access to huge markets.

The major credit card companies, for example, recently drew up a common Payment Card Industry Data Security Standard that governs how they expect merchants to protect cardholder information. Merchants had to comply by Sept. 30, 2004, and must verify compliance by June 30 of this year. Failure to do so exposes a merchant to fines of up to $500,000—or even contract termination.

Some merchants are up in arms over the June 30 date because they heard about it only after recent data security breaches hit the headlines. David Glaser, director of professional services at Cybersource, blames the credit card companies' cumbersome communication structure. "Visa and MasterCard communicate directly to the merchant acquiring banks," he explains. "It's up to the acquiring banks to notify their particular merchants or service providers." Although some banks have worked hard to get the word out, he says others have not.

The standard (see box above, right) consists of 12 requirements covering network security, cardholder data protection, vulnerability management, access control, and network monitoring and testing; merchants must also maintain a written information security policy.

And compliance costs can be substantial. Cybersource has found that many larger merchants use different information handling procedures at point-of-sale systems in stores, in call centers and on their Web sites, so each channel has to be brought up to the same standard. Glaser estimated that as of late April the average merchant was complying with only 30 percent of the applicable requirements.

Smaller merchants will face only modest costs if they already adhere to stringent data security procedures. Glaser believes the tone at the top is critical; if senior executives are just worried about fines or the deadline, they may miss the point. "The card companies imposed these rules to protect cardholders," he says, "to protect individuals who are trusting Internet sites and other merchants."

Corporate Enforcement

In many ways, market-driven compliance standards are a necessity of the inter-networked economy, and of pure self-preservation.


Laura Robinson, a compliance analyst at RSA Security, acknowledges companies must embrace data security in their own best interests. "People will be looking for organizations like credit card companies and banks to reassure them that there isn't a risk of losing their identity by using their services," she says.


Although Chris Christiansen, an analyst at market research firm IDC, acknowledges that corporate enforcement of data security standards is accelerating, he does not see it as anything new. "It has just become more important as companies have transitioned from private networks to public networks," he says. Regulatory compliance has ratcheted up companies' exposure, but the cost is a necessary business expense. "Not being able to attest to proper governance across the entire chain with respect to such age-old practices as channel-stuffing conceivably makes everybody liable within that network," says Christiansen.

Data privacy laws hold companies with whom consumers do business responsible even if a security breach occurs at a subcontractor, so companies have to hold business partners accountable to the same standards they must meet.

The healthcare industry discovered this the hard way. The U.S. Department of Health and Human Services introduced in April 2003 new privacy regulations under the Health Insurance Portability and Accountability Act of 1996. According to reports first carried by The San Francisco Chronicle, a woman in Pakistan hired through several layers of subcontractors to transcribe medical records for the University of California San Francisco Medical Center in October 2003 threatened to publish them on the Internet unless she received overdue payments from the U.S.-based subcontractor next up in the chain. Three weeks later, another medical record transcription firm, Toledo-based Heartland Information Services, suffered an extortion attempt by workers in Bangalore who threatened to publish medical records unless they were paid off.

Although no medical records entered the public domain in either case, the incidents shook the industry, according to Robinson at RSA Security. "Companies realized they'd better make sure whomever they contract to and whomever that entity subcontracts to handles the information in a way that would be compliant," she says.

As outsourcing grows, companies find themselves pushed into the role of enforcer as privacy regulations proliferate. In addition to federal statutes like HIPAA and GLB (the Gramm-Leach-Bliley Act), California and other states have adopted laws that require companies to notify state residents when a security breach occurs that may compromise their personal information. Robinson believes that companies will take the regulations seriously more for fear of lawsuits than to forestall government action. "It's not like the HIPAA police will come to your door," she says. "The enforcement is complaint driven. Nobody wants to be the HIPAA poster child."

Wal-Mart's Compliance Mandate

More regulations, more outsourcing and more data transfers between business partners give privacy regulations pervasive reach. RSA Security now offers a compilation of IT security standards drawn from various sources, including the International Organization for Standardization (ISO), the Federal Financial Institutions Examination Council (FFIEC), Control Objectives for Information and related Technology (COBIT), and the National Institute of Standards and Technology (NIST), to help customers develop best practices for their businesses.

Corporate enforcement doesn't stop at government or industry standards either. Large companies often expect their suppliers to meet technical performance standards, including security requirements, before suppliers can access inventory control data.

Wal-Mart took this a stage further in its campaign to force suppliers to use Radio Frequency Identification (RFID) tags on deliveries. The pilot program required its top 100 suppliers to put RFID tags on pallets and cases delivered after January 1, 2005, to distribution centers in the Dallas/Fort Worth area. Another 37 suppliers joined the program voluntarily, and by early February more than 100 suppliers had complied, according to Christi Gallagher, a Wal-Mart spokesperson. She declined to discuss compliance details or to name suppliers that had not met the requirement, but said Wal-Mart continues to support its suppliers, "especially the ones encountering challenges."

Wal-Mart's experience underscores that companies lack the government's power to enforce. True, big suppliers can hardly say no to Wal-Mart, but the relationship is symbiotic: Wal-Mart needs the merchandise, too. Cutting off a non-compliant supplier may not be a viable option.

The credit card companies face a similar dilemma in their PCI program: terminating a merchant or service provider may be tantamount to a kiss of death. Glaser at Cybersource expects merchants to be making progress by June 30, but does not expect the credit card companies to lower the bar or to impose fines, provided merchants can show they are implementing a plan to comply. "The date is a guiding force to get merchants moving," he says. "But the merchants really should be embracing this standard to protect their brand and their customers more than anything else."

The PCI initiative may be a harbinger of things to come in other industries. For the first time, the credit card companies joined together to create a common data security standard rather than asking merchants who accept multiple cards to implement separate but overlapping procedures for each one. RSA Security's Laura Robinson believes that if more industries take a proactive approach to setting standards they may stem the tide of legislation. "The rationale behind more and more regulations is that industry is not doing enough," she says.