Influence On IT Regs, It’s CIOs Versus Consultants

Ensuring that a company is able to comply with governmental regulations is now part of the CIO job. It is also one of the most frustrating parts. For example, new security regulations for the Health Insurance Portability and Accountability Act (HIPAA) are full of page after page of “shoulds,” “needs” and “musts” that impact corporate information systems, but they almost never say how to meet the letter of the law. “The government just says you have to do it,” says Rick Skinner, vice president of information services and CIO of Providence Health System, who oversees his company’s HIPAA compliance. “There is no template.”

CIOs are often left with this choice: Guess that the steps they are taking toward compliance are the right ones, or (more likely) hire expensive consultants. But CIOs can help create better regulations if they are willing to take a more active role in policy-making.

Many regulatory agencies such as the Department of Health and Human Services, the FCC, the FDA and the SEC have a veneer of independence, but it’s no secret that they’re susceptible to political pressure. In the case of regulations that affect corporate IT, the high-tech consulting industry holds sway. According to the Center for Responsive Politics, a campaign finance watchdog organization, high-tech companies and the accounting industry (which incorporates many top IT consultancies) donated more than $36 million to 2002 political candidates and causes. These donations buy access to lawmakers who dictate agencies’ budgets and often their policies.
Lewis Branscomb, a professor at Harvard University’s Kennedy School of Government who ran what is now the National Institute of Standards and Technology from 1969 to 1972, says it’s an unspoken rule in Washington that regulatory agencies keep consultants who operate with many different industries in mind. Officials from the FDA, DHHS and SEC contacted for this story wouldn’t comment on the record, but they say privately that they don’t want to force companies to use technology that might quickly become obsolete.

Feedback to regulators from CIOs (with the corporate counsel’s blessing) is one way to make a difference. Last October, Allan Woods, CIO of Mellon Financial, told the SEC that a proposed data-recovery objective of two to four hours following a major disaster might not be technically attainable, but that eight hours was a fair goal. The SEC subsequently amended its guidelines to recommend such problems be fixed within one business day.

-Ben Worthen