IT pros who are slow to plan ahead may be forced to change strategy by new laws covering privacy, financial culpability, and terrorism, according to Tari Schreider, a security consultant with Extreme Logic, an e-business solutions provider.
“It always seems we are our own worst enemy in technology planning,” Schreider said. “Now we’ve got the government involved.”
More than 225 bills dealing with information privacy alone are pending in Congress. “Even if only 10 percent of them pass, that’s more than 20 new laws that each organization is going to have to review and see what they’ll have to do to comply,” Schreider said.
In addition to pending legislation, existing laws passed and enacted over the last several years are requiring companies to be very careful about what they do with customers’ private information (Social Security numbers, private numbers, children’s names, etc.). Some of these laws also require companies to keep closer tabs on their customers and identify criminal activity. Still others are designed to protect individuals from potential identity theft, court order violations, and insurance coverage denials. While some legal observers seek a balance between government mandate, individual rights, and the nation’s security, businesses are wrestling with how to comply with the new laws and how to budget for compliance costs.
“A lot of companies are seeing this as an epiphany,” Schreider said. Executives who may have faced only fines before could face criminal penalties, including prison in some cases. Schreider said because many of the new laws are poorly worded and wide open to interpretation, staying out of trouble can be very tricky.
E-mail as a legal record
An example of this slippery slope is e-mail. Many IT professionals have looked at e-mail as simply another business communications tool. But legal issues have made e-mail much more than that, Schreider said. E-mail is now considered a record, much as paper receipts and company memos are. And companies could be held legally liable for e-mail content. They also could find themselves in hot water if they can’t produce, on demand, certain e-mail. “And so people are waking up and saying, ‘Oh my God, e-mail is a record,’” Schreider said.
However, Schreider also pointed out that e-mail has always been a record—it just hasn’t been popularly viewed as such. The first clue for many IT professionals that things had changed came when companies found themselves in litigation over e-mail that had been deleted and was not available in archives. “You get a few incidents like that and, suddenly, everyone gets religion,” he said.
Greater responsibilities for business
And it doesn’t stop with e-mail. Some of the laws IT professionals are starting to work with include:
Gramm-Leach-Bliley—Limits financial institutions’ ability to disclose “non-public personal information” about customers to third parties. The same financial institutions also are required to tell customers about their privacy policies.
Health Insurance Portability and Accountability Act (HIPAA)—Requires physicians and other healthcare professionals to take measures to protect the security and integrity of patients’ private information kept in electronic form. This law has been phased in over the last eight years, and the final privacy provisions take effect in October.
USA Patriot Act—Extends law enforcement’s surveillance and investigative powers. It also, for the first time, makes businesses responsible for seeking, detecting, and reporting computer trespasses. Banks in particular are expected to identify, discover, gather, amass, investigate, and report on financial activity to a far greater degree and depth than ever before was expected of them.
Sarbanes-Oxley—Enacted in large part as a response to U.S. corporate and accounting scandals, this legislation requires that companies become more fiscally accountable. Whistleblowing and other provisions have made this law particularly controversial and difficult to enforce.
While the laws are controversial—some observers consider some of them unconstitutional—financial institutions, physicians, librarians, and any businesses that hold private information in their databases not only must comply with these laws, but must also shoulder the costs of compliance. “And doing that will require technology,” Schreider said.
That is the key and something IT professionals will have to watch, respond to, and deal with from now on. Little of this new legislation directly affects IT, but IT pros in the enterprise can expect to be the driving force behind compliance.
However, staying in compliance isn’t as easy as simply toeing the legal line. Sometimes you have to know which guidelines to follow. For instance, many techs are finding that they have to make their way through a maze of security guidelines, including those developed by the North American Electric Reliability Council (NERC), the Federal Energy Regulatory Commission (FERC), and Supervisory Control and Data Acquisition (SCADA). These organizations, not widely known in the IT industry, have become more important and are producing guidelines that are beginning to approach those of better-known IT organizations, such as the International Organization for Standardization (ISO). “So there’s a changing landscape of regulations and guidelines out there,” Schreider said.
“And depending on what you want to do, you’re going to have to invest to a greater or lesser degree.”
The greatest—and most difficult—guidelines, requirements, and laws, current and future, involve ensuring privacy. For many companies, this means hardware investment and more money spent on staff trained to maintain the security of enterprise networks. Many companies have spent the last few years ratcheting back on IT spending, but these new requirements have put some of those companies on alert. “This is why companies need to start looking at IT as an investment,” Schreider said.
For instance, one of the proposed laws requires companies that employ people under 18 and hire someone with a felony conviction to inform parents of those minor employees that they’ve hired a felon. Keeping track of employees by age so a company can comply with this law will definitely require technology, Schreider said.
Some other items now on IT’s to-do list include:
- Connecting private and government databases.
- Developing up-to-the-minute threat assessment systems for business, interstate highways, airports, and other installations.
- Possible implementation of a national ID card system that could include biometric information.
- Developing tools to track phone calls, e-mail, and other forms of private and business communication.
- Producing applications for surveillance and profiling.
All this is certainly good news to out-of-work IT professionals, but Schreider cautioned that some companies are investing too much in an overzealous attempt to comply with these new laws. “Some people jump the gun, and they shouldn’t,” he said.
On the other end of the spectrum are those who are doing nothing to ensure compliance. “You’d be surprised how many people are holding off,” Schreider said. Some of this may stem from a long-noted tendency among IT professionals to be very conservative about changes in habits, technology, and policies. However, some of it can be attributed to confusion about just how these new laws will be enforced, and just what is going to be required from IT.
It’s a new world out there for IT, Schreider said. “It’s going to be very interesting to see what kind of legislation is coming and how CIOs and IT professionals will have to respond to it,” he said.