Your Guide To Good-Enough Compliance

Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.

1 2 Page 2
Page 2 of 2

Taylor asked her what she did. She said she wrote back to the programmer telling him not to do anything.

Taylor told the CISO that the university should have reported the breach. The CISO disagreed, saying, essentially, that because very few people review system log files and because only one or two people at the university understood the systems and the data in them, it was probable that the breach would go unremarked and undiscovered. “I was thinking, Wow,” Taylor recalls. “That’s a risky chance to take.”

According to Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker, state security breach notification laws are among the most frequently ignored types of security regulation. About 35 states have passed security breach notification laws, which lay out, to varying degrees, when an enterprise needs to notify customers and clients if their private information may have been exposed to an unauthorized user. According to CIO and PricewaterhouseCoopers’ “The Global State of Information Security 2006” survey, 32 percent of U.S. organizations admit to not being compliant with state privacy regulations.

There are two possible explanations for why the noncompliance rate is so high. First, the risk of being caught is low because it has been extremely difficult to tie a specific instance of fraud to a specific breach at a specific company, says Jim Lewis, a security expert at the Center for Strategic and International Studies in Washington, D.C. (Recent lawsuits filed against TJX­—owner of discount retailers TJ Maxx, Marshalls and other stores—which claim credit card numbers stolen during a security breach in 2005 and 2006 led to specific instances of fraud, may indicate that this fact of security life is changing. For more on the TJX breach, see Financial Penalties for Security Breaches Will Promote Change.)

Second, these laws tend not to be terribly specific regarding situations and requirements. For example, California’s security breach notification law, the first in the nation, does not require notification of a security breach if the private data was encrypted. However, it also does not require encryption.

For that reason, how companies protect private data has become a risk-based business decision, says Sony’s Spaltro. Sony processes about 5 million credit card transactions a month, mostly associated with its PlayStation consoles and the massively multiplayer online games it sells. Although Spaltro declines to talk about Sony’s security practices, he says that while Sony Online Entertainment is fully compliant, every company weighs the cost of protecting personal data with the cost of what it would take to notify customers if a breach occurred. Spaltro offers a hypothetical example of a company that relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests.

That reasoning is “shortsighted,” argues Ari Schwartz, a privacy expert at the Center for Democracy and Technology. The cost of notification is only a small part of the potential cost to a company. Damage to the corporate brand can be significant. And if the FTC rules that the company was in any way negligent, it could face multimillion-dollar fines. In 2006, the FTC fined information aggregator ChoicePoint $15 million after the company admitted to inadvertently selling more than 163,000 personal financial records to thieves. The FTC ruled ChoicePoint had not taken proper precautions to check the background of customers asking for the information.

Crime and Punishment

How can a CIO know that the security measures he’s taken will be adjudged customary and reasonable by federal or state regulators? Looking at the 15 security breach cases the FTC has ruled on since 2002, a picture emerges as to what regulators deem reasonable (the FTC plans this spring to release a document that will set out more specific guidelines), and by looking at the 14 cases the FTC has settled against companies that have experienced security breaches, one can get a sense of what’s deemed customary. (For a look at some of the more recent cases, see When Companies Violate the Rules.)

In 2005 the FTC handed down a judgment against BJ’s Wholesale Club. BJ’s was found to have “engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information.” The FTC ruled that BJ’s had failed to encrypt personal data transmitted over the Internet; had stored personal data after it no longer needed the information; used commonly known default passwords for access to files containing personal information; and did not use commercially available technology to secure wireless connections, detect intrusions or conduct security audits.

“We know security can’t be perfect, so we don’t expect perfection,” says Jessica Rich, assistant director of the Division for Privacy and Identity Protection at the FTC. “But companies need to try, and if you do that, you will be much better off.”

But for some, “trying” requires a lot more than receiving an “A” for effort. You better know what you are doing, says Joe Fantuzzi, CEO of the information security company Workshare. He says the FTC’s ruling against BJ’s was intended to send the message that if you claim to protect your customers’ personal data in your privacy statement (as BJ’s did), your security had better be up to the task.

“The point is that companies make risk management versus compliance management trade-offs all the time,” Fantuzzi says. “Just make sure you do your homework so you know you made the right trade-off.”

Allan Holmes is a Washington, D.C.-based freelancer and security expert.

1 2 Page 2
Page 2 of 2
NEW! Download the Fall 2018 digital issue of CIO