Compliance with the ever-increasing array of legislative mandates presents a burden to management and IT staff alike. If you’re in financial services, you are bound by Gramm-Leach-Bliley; in health care, by HIPAA; or if you’re a publicly-held corporation, Sarbanes-Oxley. If you process credit card payments, there are PCI-DSS rules to consider.
In addition, there are state regulations that transcend the state—such as California’s SB1386 (California Information Practice Act). Although this is a California state law, it has become a de facto nationwide practice because of its scope. Any company that maintains any information about a resident of California, whether the company is in California or not, must comply—and as a result, almost every midsize to large company falls under its purview.
SB 1386 requires policies and procedures to be put in place to ensure that personal data is safe from outside attack, and in addition, requires a procedure for creating a public notification if such an attack does occur. Although it applies only to California residents, as a practical matter, a company complying with SB1386 would offer the same safeguards to all data for all customers, California resident or not. The goal of a company complying with this regulation is to focus more on the first requirement (prevention), so that the second requirement (public notification) is not required.
Although specific technology is not stated in the legislation, two key principals relating to backup and recovery systems would be ensuring the integrity of the stored data, and imposing authentication and authorization controls over the stored data.
In the healthcare business, HIPAA is one of the most far-reaching pieces of legislation that has had a major impact throughout the entire industry. Meant as legislation to improve the efficiency of the healthcare system, it also minimizes the incidence of fraud and protects the privacy of patient data. Several pieces of technology throughout the enterprise will be touched by HIPAA, most notably storage and backup—since HIPAA mandates access controls over sensitive data.
Gramm-Leach-Bliley imposes similar controls over personal data as it relates to financial institutions, setting out technological requirements to protect the personal information of the financial institutions’ clients.
Sarbanes-Oxley, on the other hand, deals with financial data instead of client data, but it also imposes the same mandates that call for strict security controls over stored information. Section 404 of Sarbanes-Oxley is the part that deals specifically with “internal controls,” which sets out a broad requirement for internal security, including the concepts of authentication, authorization, and encryption, as well as auditing capabilities, over stored financial data.
Chances are, if you’re any larger than a mom ‘n pop operation, you are under the purview of one of these regulations, even if you don’t realize it. In many instances, it may not even be readily apparent—if you are a contractor or supplier to a company that falls under one of these compliance mandates, chances are, you too, will have to comply, for the sake of your client.