This week RSA released a new report produced in concert with its Security for Business Innovation Council (SBIC), a high-powered group of IT security decision-makers from organizations such as FedEx, eBay, T-Mobile and JPMorgan Chase. The consensus among the SBIC is that as many organizations are finally getting a handle on many of their compliance responsibilities, the regulatory environment is changing such that even the most mature organizations and their partners will need to make adjustments to keep up. This means balancing compliance and risk and creates a truly tricky situation for channel partners who use compliance as a selling point but still want to leave their customers more secure as a result of their purchases, rather than less.
"Compliance is the best and worst thing that ever happened to security," said Denise Wood, chief information security officer and corporate vice president for FedEx Corporation, in the report. "It’s a combination. It gives you awareness. It gives you real life justification for good security practices. But at the same time, especially when regulations get prescriptive, it can make it more difficult to have a truly risk-based program where your highest risk items always get your financial investment.”
Channel Insider takes a look at four key changes highlighted by the report and some of the things that SBIC members are saying about these issues.
In the early days of SOX and HIPAA, many organizations felt they could skate by with no controls or the bare minimum due to the ‘lack of teeth’ within the main body of the day’s regulations. But regulators are cracking down with real monetary fines and penalties that can truly affect the bottom line for organizations today.
"The regulators are moving away from light-touch to more interventionist regulation. That’s clear in all senses of society and economy so it’s not surprising regulation is tightening up in the data protection field," says Stewart Room, partner at the Privacy and Information Law Group of Field Fisher Waterhouse LLP. "As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.”
Data breach notification laws have come a long way since California’s landmark passing of SB 1386 in 2002. As lawmakers around the globe have faced increasing pressure from incensed citizens, global enterprises must navigate a maze of breach and privacy laws wherever they operate.
“It gets more and more complex. If you’re a public company, you’ve got SOX. If you take credit cards you’ve got PCI. Then there are the privacy laws," says Dave Cullinane, chief information security officer and vice president for eBay. "A company like ours has operations in 37 countries around the world. Global organizations have to comply with all the variations of privacy laws in the US, the EU and Asia — and there are new laws and new requirements all the time.”