An outpatient medical clinic is fined for failing to maintain the security of the confidential electronic medical records of its patients, in violation of the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). A bank and its officers face action from the Federal Deposit Insurance Corp. (FDIC) for not protecting a customer-records database from hackers. Meanwhile, officers of a public company incur the wrath of the Securities and Exchange Commission (SEC) because a series of emails relevant to an investigation are (conveniently) reported as "lost."
There's a veritable alphabet soup of governmental (and nongovernmental) groups out there generating regulations--most, but not all, of them dealing with data security/privacy issues--that are keeping IT departments in businesses of all sizes busy as they scramble to comply. At the same time, prominent data disasters, such as last year's theft of 45 million credit and debit card numbers from retailer TJX Companies' IT systems, have resulted in a rush to comply with the data security standards promulgated by the Payment Card Industry (PCI) Security Standards Council, an open industry standards organization, according to David Vella, director of product management for GFI Software, a Cary, N.C.-based developer of network, content, and messaging security software.
The TJX incident "turned the security spotlight on financial institutions and any company/entity/retail outlet that handles, manages, and/or stores credit card details," says Vella. "The pressure was suddenly on these companies to get their houses in order and to fall in line with the requirements of the Payment Card Industry standard."
The pressure is also mounting on SMBs to get in sync with these standards, as well as with the security requirements of the Gramm-Leach-Bliley Act (GLBA), regarding the protection of consumer personal data, according to Robert Guba, chief compliance officer and co-founder of TraceSecurity Inc., a Baton Rouge, La.-based provider of security compliance and risk management solutions.
"Compliance requirements are no longer for just the big companies," says Guba. "Small to medium-size businesses are now forced to address these issues, not only at a technical level, but also at the business process level."
With the enactment of state-level "Data Loss Notification" legislation, consumers are now becoming more educated about data security breaches, and are developing into a major source of pressure on businesses to comply with the applicable regulations. "The level of protection consumers expect when they give information to a business is increasing," Guba says. Studies have shown that, following a data loss by a company, a significant number of its customers will take their business elsewhere, with the cost of investing in compliance efforts to create a secure environment "a fraction of what the potential loss of business could be," notes Guba.
GETTING A HANDLE ON DATA
The first step channel partners and their SMB clients need to take in complying with today's fast-growing body of regulations is to find out what kind of regulated data the clients are storing--and where, according to Mark Kraynak, senior director of strategic marketing for Redwood Shores, Calif.-based Imperva Inc., a provider of application data security and compliance solutions.
"An inordinate number of breaches of credit card data--as much as 70 percent by some estimates--have been found to stem from stores of regulated data that the organization didn't even know existed," Kraynak explains. These "stores" need to be located and evaluated in terms of mitigating risks, he notes. This is a process that can sometimes mean deleting data, although more often it involves determining who is using the data and how they are using it, "and following up with controls to prevent misuse and abuse of that data," says Kraynak.