Network Computing Network Computing Powered by InformationWeek Business Technology Network
The Business of IT
Feature
Feds Reach Out and Touch IT

  July 10, 2003
  By Sean Doherty
In this article:
  Introduction
  All in the Implementation
  Gramm-Leach-Bliley
  Whip Out the Crystal Ball
  HIPAA
  An Open Door Policy
  Sarbanes-Oxley
  Executive Summary
  Law vs. Regulation
  FYI
  With 1386, California Leads the Way
  Hospitals Get HIPAA
  Web Links
  Epoll Results

Most IT shops set policies and practices to limit vulnerabilities and reduce security incidents. The operative words here are limit and reduce. Short of unplugging your computers, it's impossible to eliminate all the threats to your information systems and data. But in the health and financial sectors, this best-effort scenario is no longer enough--the federal government wants more done to combat fraud and abuse. And don't think that because you're in retail or manufacturing you don't need to take notice: As the feds hone their regulatory skills on technology, the long arm of the law soon may extend to other areas of network computing.

The Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) hold affected enterprises accountable to protect private information, meaning IT must assess the risks and implement appropriate safeguards. The Sarbanes-Oxley Act of 2002 (Sarbox) requires companies that issue public securities to establish and maintain internal controls over their financial reporting systems and assess these controls' effectiveness in reports to the Securities and Exchange Commission (SEC). About 72 percent of readers polled for this article say they are affected by HIPAA, Sarbox, GLBA or the Patriot Act.

The bottom line for each of these laws is accountability--accountability that goes beyond IT's responsibility to keep information systems and data secure. Management teams must formulate policies and procedures that comply with GLBA, HIPAA and Sarbox and ensure these policies are implemented. Otherwise, civil and criminal penalties may apply. Civil fines for ignoring a specific HIPAA requirement run $100 per violation, up to $25,000 per year for repeated violations of the same requirement, and a corporate officer who knowingly certifies a false financial report can be fined up to $1 million and/or face as many as 10 years in prison under Sarbox.


Under GLBA, banks and financial institutions have a mandate to secure private customer data. They must implement a comprehensive, written information security program with administrative, technical and physical safeguards for customer information. In addition, the institution's board of directors or an appropriate committee of the board must approve the security program and oversee its development. Recovery in an individual action to enforce the regulations may reach $1,000, and damages for a class of individuals are available up to $500,000. Beyond that, GLBA regulations link information security safeguards to the overall safety and soundness of an institution and give overseeing agencies, such as the FDIC and the Treasury Department, wide latitude to address unsafe and unsound conditions in institutions under their jurisdiction.

Under HIPAA, enterprises in the health sector must guard PHI (protected health information) and implement policies and procedures to safeguard it in any format, paper or electronic. And as with GLBA, covered entities under HIPAA must identify an official responsible for developing and implementing these privacy and security policies and procedures.

Sarbox holds corporate officers accountable for their financial reporting systems. It requires the management teams of public companies to establish and maintain adequate internal controls and assess the effectiveness of those controls. It even creates a nonprofit body, the Public Company Accounting Oversight Board, to oversee the firms that audit public companies.

In light of recent corporate scandals, you're likely thinking, "Better late than never." But Sarbox is not the SEC's first foray into this regulatory arena: As early as 1979 the agency proposed rules requiring public companies to disclose certain information about their internal accounting controls. For example, the rules would have required management to state its opinion on whether access to corporate assets was permitted, and transactions were executed and recorded, only in accordance with management's authorization. But the SEC abandoned its rulemaking, deciding to let voluntary, private-sector initiatives continue to develop. Then came Enron.

Fast forward to today: Industry self-regulation is being replaced with law and government regulation. But though GLBA, HIPAA and Sarbox require corporate accountability in handling transactions, security and data on networks, they do not provide a detailed road map of the hardware and software you'll need to comply. Rather, each sets broad objectives and suggests implementation strategies for compliance (see "Law vs. Regulation"). This leaves a lot for IT to interpret.


Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights