IT, Security and the Legalese of Compliance

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

ITSec shops all over the country have been engaged in the tedious job of interpreting regulatory compliance requirements. In addition, many are faced with huge unforeseen capital investments in technologies in order to begin engineering an enterprise solution to address compliance. Even with these factors in play, more people are facing pushback from all levels when presenting the major shifts in culture and business processes that must change.

News at 11

We can’t turn on the evening news without hearing of yet another high profile case involving the unauthorized disclosure of credit card numbers. So what is really fueling the push for compliance? Is it lawyers?

Not yet.

Let’s face it. The way the law is written today, no one is afraid of being sued for PCI compliance. Why? For one, the litigation end of PCI is still in its infancy and is working its way down the tree, or, it has not reached a point where lawyers know precisely how to litigate.

The term used here is, “rising to the bar.” In lawyer speak this means that once lawyers figure out the concept and put together the documentation, procedures and such, they’ll know exactly how and when to sue for PCI violations. Right now, this “bar” has not been hit and it’s still too expensive and very difficult to prove PCI violation damages for individuals and small companies.

If this is the case, what’s pushing the compliance race?

It shouldn’t be surprising that at the forefront sit motivators that can’t easily be quantified monetarily. After all, these are the ones that can be spun as the worst possible risks (and rightly so as they are truly unknown). Public perception is one of the leading reasons why compliance is moving forward. No one wants to be perceived as the company that dropped the ball due to a PCI compliance violation that led to losses and/or disclosures.

Thanks to our sensationalist pals in the media, people are especially charged over compliance issues so the climate is perfect for a company to take a huge financial hit over perceived poor practices and/or PCI violations. After all, the consumer will typically respond to something of this nature by moving dollars away from you and shifting them to your competitors.

At the end of the day, business is what it’s all about. Security is now a major factor in the business world and will continue to drive behavior on both consumer and business fronts. Regulatory compliance will certainly be the fuel for this continued pattern.

$500,000 per PCI incident? Yikes!

Fines, at the moment, prove to be the strongest motivator for compliance. Since the PCI group has formed an enforcement body, the fear of fines is now palpable. With recent high-dollar fines being levied against the big fish, businesses realize that there will be consequences to sitting back and playing the odds of not being audited or worse, the center of a massive disclosure.

HIPAA is a little different in that fines aren’t going to be a major driver. However, just like PCI, HIPAA compliance is driven heavily by public pressure. People tend to not like it when personal health information leaks out to marketers. Next thing you know, you’re getting junk mail targeting those who have moles on their backsides, and that’s one of the tamer examples.

On the flip side, jail time is the punishment arm of HIPAA, yet there aren’t many people cooling their heels because they failed to comply with HIPAA standards.

Now, given that we know that the lawyers aren’t our problem right now and that public perception and fines are our primary motivators, the name of the game is to get yourself compliant so that when the lawyers finally get their hooks into successfully litigating in this area (and you can be sure they will), you’re not the one they’re coming to ring up.

The idea is to have the ability to provide tangible proof that you are performing your due diligence and are in no way operating in a negligent fashion. This way you won’t take a financial hit, and more importantly, you’ll avoid participating in the prison system.

This article was first published on EnterpriseITPlanet.com.