The compliance crunch
An extra layer of urgency is added when considering adherence to regulations. When it comes to compliance, again the first challenge is figuring out with which mandates one needs to comply, though in general, being aware of what data one has and demonstrating proper controls over it helps meet most compliance requirements.
“Typically, an intelligent and comprehensive security strategy will, by default, address compliance needs,” says Rachwald. On the other hand, he says, too many organizations attempt to mollify compliance auditors at the expense of truly effective security by adopting a simple “checklist” approach, rather than truly understanding and addressing the problem.
And sometimes the requirements are unclear. “Clarity and cost are the two most common concerns when it comes to compliance,” says Sanjay Raja, director of product marketing for TippingPoint at Hewlett-Packard. For example, he says, the Payment Card Industry Data Security Standard (PCI DSS) sets guidelines for process, technology and policy for any company, organization or government body involved in the transaction of payment information. It is enforced through fines, penalties or suspension from processing payments.
And bills currently making their way through the legislative process may not clarify issues. According to Jerry Irvine, a member of the National Cyber Security Task Force, and CIO of Chicago-based Prescient Solutions, an IT outsourcer, there is currently no new legislation targeted toward the protection of PII. Neither the House-sponsored Cyber Intelligence Sharing and Protection Act (CISPA) nor the Senate-sponsored Protecting Cyberspace as a National Asset Act of 2010 defines PII requirements. However, he says, “there are proposed amendments to CISPA to limit the inclusion of PII from shared information.”
“Typically, an intelligent and comprehensive security strategy will, by default, address compliance needs.”
– Rob Rachwald, director of security strategy at Imperva
Still, there is plenty to worry about under existing regulations. For instance, says Irvine, the Health Insurance Portability and Accountability Act (HIPAA) provides for a fine of up to $50,000, or up to one year in prison, or both, for release of personal information. If the offense is committed under false pretenses, a fine of up to $100,000, or up to five years in prison, or both, is mandated. And if the offense is committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, a fine of up to $250,000, or up to 10 years in prison, or both, is possible.
“In general, if loss of PII by a company is intentional or determined to be caused by negligence or failure of ‘due diligence,’ other laws, regulations and/or penalties could apply, including jail time,” Irvine says.