
Filtering Through Regulatory Compliance

By Gregg Mastoras
September 01, 2005

The advantages of doing business in a digital economy — paperless transactions, instant communication, effortless administration and reaching out across borders to far-away locations to collaborate with partners in a virtual community — are precisely the risks of doing business in a digital economy.

Because of the increased value of information, and because of the tangle of regulations that exist to prevent information abuse and manipulation, companies are finding that much of what was once simple in e-commerce is now complex. Transferring data across the globe may run a company afoul of European data-protection laws, and, closer to home — and with direct bearing on other members of the global virtual business community — sorting information must be done in accordance with the rules laid out in regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the Fair and Accurate Credit Transactions Act (FACTA).

The Gramm-Leach-Bliley Act (GLBA) outlines how a company must handle a consumer's financial data, and for any company doing business with California residents, it seems there's a new law added to the books each week. Sarbanes-Oxley (SOX) dictates how companies are to communicate corporate information and, when an organization adopts a corporate privacy policy, the Federal Trade Commission (FTC) will be paying close attention to make certain the organization follows that policy.

(For more information on these topics, see the other articles in this Special Edition of e-Commerce Law & Strategy.)

Risk And Reward

Most companies are aware of the financial penalties of regulatory non-compliance. Every regulation includes provision for the governmental entity with enforcement authority to assess penalties for non-compliance, but for many organizations compliance has been a matter of weighing the risks against the rewards: What will it cost and what is the minimum that is needed to comply (or even, what will I save by not complying and what are the chances of getting caught if I don't?). For these gamblers, the odds are skewing heavily toward the house, as it were, as the media, more customers, and even more investors begin to pay closer attention to non-compliant firms — or to look for non-compliance in all firms because of the publicity that follows when non-compliant firms are detected and penalized.

California's notification law, S.B. 1386, has upped the ante for many companies. Requiring that any enterprise doing business with California residents inform those residents whenever their personally identifiable information (PII) is accessed by unauthorized parties, S.B. 1386 has made sloppy data security a very public event. ChoicePoint, DSW Inc., Bank of America, LexisNexis, and many other companies can attest to the detrimental effect of negative headlines, and new research by the Cyber Security Industry Alliance suggests that fear over data security has kept 48% of Americans from making at least some purchases online, which could have a significant blunting effect on the growth of e-commerce.

In the world of electronic commerce, where geographic market limitations are a figment of a bygone era, even a niche mom-and-pop retailer selling blueberry-themed merchandise from a shop in rural Maine could have any number of customers in California, subjecting it to S.B. 1386. Suddenly, under such circumstances, the business picture for the mom-and-pop operation gets complicated: Security is no longer a luxury, but a necessity.

If the owners retain credit information on their customers, they must then think about security. Are phishers probing employees in search of a back door through the use of virus-laden e-mails? Are Nigerian scam artists spamming the company in hopes of accessing sensitive data through social-engineering techniques? Such approaches to defeating network security threaten companies of all shapes and sizes. Large, well-heeled organizations are not immune to the wiles of would-be data thieves. In fact, because of the vast amounts of valuable data they often keep stored on their networks, and because having more employees means increasing the chances of data crooks finding a weakness in security, larger companies make more attractive targets. It is probable that data broker ChoicePoint had invested millions in security products prior to March 2005, but that didn't prevent identity thieves from tricking ChoicePoint employees into selling them more than 160,000 detailed consumer credit profiles.

Three Points of Compliance

The good news is that focusing on three points of compliance will go a long way toward helping most organizations meet their data-security obligations:

  • Information security;
  • e-Mail security; and
  • Proof of control.

Let's examine these three points of compliance separately.

Information security covers an abundance of issues, including data protection, maintaining original data integrity and security-event response. Most legislation demands that companies take “reasonable” measures to protect data in their care, but the definition of “reasonable” is the subject of intense debate that will likely be resolved in the courts.

Using provisions of HIPAA and GLBA, a baseline standard for protecting data must include a mechanism for administering security measures, and protections against spyware, viruses and other forms of malware. Blended threats — attacks that combine elements of worms, Trojans, viruses and spam — have complicated matters for security managers. Protection at the network gateway is no longer sufficient. Instead, a real-time, multi-layered approach to network security is now also needed at the gateway, desktop and server level to detect and stanch, or flat-out stop, attacks that may attempt to come in by way of mobile telephone, CD, e-mail or Internet downloads, for example. Immediate threat notification will also help to minimize the effects of any attacks, mobilizing security personnel to quickly respond and take preventive or corrective measures.

e-Mail security is of critical importance not only for inbound threats, but also to minimize the risk of outbound data loss. Much of the data that finds its way into the wrong hands does so through poor or non-existent e-mail policy enforcement. Insiders, whether intentionally, accidentally or through acts of ignorance, are responsible for the majority of breaches affecting personal or corporate data. The ease with which individuals are able to attach documents to an e-mail message and send that information outside the network has exacerbated this problem, creating a serious liability issue under many data-privacy regulations, such as HIPAA, GLBA, SOX and California's law — S.B. 1386. Corporate financials, personal credit data and healthcare records have all been e-mailed contrary to the law and corporate policy.

Preventing erroneous or intentional data loss through e-mail is a matter of awareness and of policy, with enforcement executed at the network level. Establishing, documenting and administering rigid rules can prevent certain types of data from exiting the network; for example, implementation and maintenance of such a policy might include such requirements as certain files being encrypted prior to transmission or blocking specific types of files from being sent to unauthorized addresses or domains.

Templates outlining proper handling of information by the recipient can also be added to e-mails automatically, providing a measure of cover against possible misuse of information by an authorized recipient bound by agreement, or even by individuals who come across sensitive information through misdirected messages. Storage, too, is one of the most vexing issues for many organizations. The rule of thumb is that information should not be kept any longer than is necessary, but such a guideline is of little use to organizations where the sheer volume of information crossing the network via e-mail makes the “save-it-all” strategy unwieldy. Once again, the establishment of policies enforced at the gateway can help alleviate the complications and burdens of this issue. (For additional perspective on this matter, see “Subpoena for e-Mail,” in this issue.)

Proof of control is an issue tied directly to compliance. To prove that an organization is doing the things required under a particular law or regulation, it must capture the information, creating an audit trail that will serve to demonstrate to regulators that the company is meeting its obligations. Such proof can also serve as a tool for internal-compliance officers to assess the effectiveness of the organization's efforts, identifying potential risk areas, and offering the information necessary to analyze situations and to correct problems. Granularity is an essential element to proof of control:

  • Who didn't follow which policy and when?
  • How many times did filters capture inappropriate content or prevent data from being sent to unauthorized recipients?
  • When were certain files corrupted and what was the source of the virus?
  • How did a certain disclosure take place?

Capturing metadata can enable the creation of detailed event logs without overwhelming information systems. Don't think such provisions are important? In April 2004, the Securities and Exchange Commission (SEC) settled with 10 top Wall Street firms for $1.4 billion, in part due to the firms' “failure to supervise” employee communications. Because the firms named in the SEC's action were unable to demonstrate that proper controls were in place, it was as if no such supervision had ever taken place. Proof of control includes the identification of actions that were taken at any point, and must be rendered in clear, concise language, demonstrating a common and consistent format.

Finally, proof of control at the e-mail level should be triggered by the content of legitimate and illegitimate messages and should allow automatic handling of suspicious messages — including discarding, routing and multi-step reviews, with basic violation reporting as well as detailed views into specific instances of violation. Viral-attack analysis must also be reported, with enough information to isolate infected machines and analyze attacks for possible identification of trends.
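The gateway policy rules described above (encrypt certain files before transmission, block certain file types from leaving to unauthorized domains, route suspicious messages to review) and the "proof of control" questions (who broke which policy, when, and how often the filter fired) can be illustrated in one small outbound filter with an audit trail. The following is an added example, not code from the article or from Sophos; the trusted domains, rule names, content patterns, addresses and messages are all constructed for the illustration, and the content detectors are deliberately simple.

```python
"""Outbound e-mail policy filter with an audit trail.

Added illustration, not code from the article or from Sophos. It sketches
the two ideas the article describes: gateway rules that stop certain files
or content leaving the network (encrypt-before-send, block bulk-data file
types to untrusted domains, quarantine likely PII for review) and a
"proof of control" log granular enough to answer who broke which policy,
when, and how often the filter fired. Every domain, rule name, address,
pattern and message below is a constructed assumption.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions for this example).
TRUSTED_DOMAINS = {"example-corp.test", "partner.example.test"}
BULK_DATA_EXTENSIONS = {".xls", ".xlsx", ".csv", ".mdb"}
# Deliberately simple content patterns; a production filter would use
# validated detectors (card-number checksum, context words, and so on).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: list[str] = field(default_factory=list)  # file names only
    encrypted: bool = False  # attachments were encrypted before transmission


@dataclass(frozen=True)
class Verdict:
    timestamp: str   # when
    sender: str      # who
    policy: str      # which policy fired ("" when none did)
    action: str      # allow / block / quarantine


AUDIT_LOG: list[Verdict] = []


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message, now: datetime | None = None) -> Verdict:
    """Apply the outbound policy to one message and record the verdict."""
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    external = [r for r in msg.recipients if _domain(r) not in TRUSTED_DOMAINS]
    verdict = Verdict(stamp, msg.sender, "", "allow")
    if external:
        bulk = [a for a in msg.attachments
                if any(a.lower().endswith(ext) for ext in BULK_DATA_EXTENSIONS)]
        if bulk and not msg.encrypted:
            # Rule 1: bulk data files may leave the network only if encrypted.
            verdict = Verdict(stamp, msg.sender, "external-bulk-data-unencrypted", "block")
        elif SSN_RE.search(msg.body) or CARD_RE.search(msg.body):
            # Rule 2: likely PII in the body of an external message goes to review.
            verdict = Verdict(stamp, msg.sender, "pii-in-body-external", "quarantine")
    AUDIT_LOG.append(verdict)  # every decision is logged, allowed ones included
    return verdict


def violation_report(log: list[Verdict] | None = None) -> dict:
    """Summarise the audit trail the way a compliance officer would ask for it."""
    log = AUDIT_LOG if log is None else log
    violations = [v for v in log if v.action != "allow"]
    return {
        "total": len(log),
        "violations": len(violations),
        "by_policy": dict(Counter(v.policy for v in violations)),
        "by_sender": dict(Counter(v.sender for v in violations)),
        "events": [(v.timestamp, v.sender, v.policy, v.action) for v in violations],
    }


def run_demo() -> dict:
    """Evaluate a constructed batch of messages and return the report."""
    AUDIT_LOG.clear()
    t0 = datetime(2005, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    batch = [
        Message("alice@example-corp.test", ["buyer@outside.example.test"],
                "Customer list attached.", ["customers.xlsx"]),
        Message("bob@example-corp.test", ["audit@partner.example.test"],
                "Claimant SSN 123-45-6789 for the file.", ["claim.pdf"]),
        Message("carol@example-corp.test", ["friend@outside.example.test"],
                "Use card 4111 1111 1111 1111 for the order."),
        Message("alice@example-corp.test", ["buyer@outside.example.test"],
                "Encrypted export attached.", ["customers.xlsx"], encrypted=True),
        Message("dave@example-corp.test", ["press@outside.example.test"],
                "Thanks for the call yesterday."),
    ]
    for i, msg in enumerate(batch):
        evaluate(msg, now=t0 + timedelta(minutes=i))
    return violation_report()


if __name__ == "__main__":
    for event in run_demo()["events"]:
        print(*event)
```

Two design points matter for the "proof of control" argument: allowed messages are logged as well as blocked ones, so the trail shows the filter was operating rather than merely that it occasionally fired, and the same customer file is blocked when sent in the clear but passes once encrypted, which is the encrypt-before-transmission rule the article describes rather than a blanket ban on the file type.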

Technology and Compliance

The myriad threats that exist today will be eclipsed tomorrow as miscreants, whether motivated by malice or the simple thrill of the challenge, busily craft binary code into some new (or repackaged) virus, develop a novel twist on an old scam, or otherwise seek to put their signature on disrupted network operations. This unfortunate reality means that information-technology security managers must be eternally vigilant. A one-time investment in firewall software or other security product is a waste of time and money. Instead, the choice of technologies is, in reality, a choice of security partners who will stand with your organization, committed to doing all they can to support your network's integrity. Technology, service and support are inseparable in this paradigm in which trust is the lingua franca, success is uncelebrated and failure an ever-present Damoclean sword.

Approaching compliance from the perspective of “doing what we have to” is laying the groundwork for failure. On the other hand, viewing compliance as an opportunity to step up system security and to re-evaluate data policies with an eye toward meeting larger business goals will help an organization put the issue into proper perspective. The latter strategy can be enhanced with a three-pronged framework that is outlined below.

Use your compliance project as an opportunity to bolster existing security infrastructure. Compliance and security go hand-in-hand, and the right security system(s) can help ease the transition to compliance through threat-detection, risk-management and reporting.

Plan for change, the inevitable and constant reality of security and compliance. Threats are ever-evolving, and state and federal legislative responses to threats are also in a constant state of change. Investing in partners and platforms that have demonstrated the ability to adapt with the changing landscape will prolong the value of your security and compliance investment.

Simplify the solution and enhance security. Many companies equate security with complexity, yet security solutions that are difficult to use or manage nearly always result in lower security as personnel find workarounds that can put data security at greater risk. Unifying security management under a single provider can help to ease the burden. Security providers with capabilities such as threat-detection labs can take security and compliance further by working more defensively, and actively, to anticipate threats before they arrive.

Conclusion

In today's electronic economy, a complete understanding of data and network integrity must be considered a security issue and a compliance issue. Sloppy data management internally and diverse external threats all conspire to endanger organizations and businesses. Understanding the legislative and regulatory landscape (SOX, GLBA, HIPAA, S.B. 1386), along with the sinister elements (viruses, spam, spyware, phishing, social-engineering scams) that conspire to undermine your network is the first step toward taking action to reduce the risks associated with non-compliance and data loss.

Focusing on information security, e-mail security and proof of control issues will put your organization on the right course toward a program that effectively manages security and compliance. Adopting solutions that approach security and compliance as a strategic business initiative, that are as flexible as the threat environment, and that offer simplified management can ensure long-term success.



Gregg Mastoras www.sophos.com [email protected]
