Cartika Blog

Regulatory Compliance and What it Means for IT Departments

Regulatory Compliance CartikaFor years, we have heard horror stories and read disturbing headlines about the exploitation and mismanagement of corporate and private data. Regulatory compliance has evolved as a result of these unfortunate events and now we must all deal with it. In this article, we will highlight some of the major legislation involving information and privacy across North America. Most companies are obligated to adhere to these laws to some degree.  A few specific industries have an added layer of governance as well. They must all comply, or risk having to pay the price.

What is a Regulatory Compliance?

Simply put, regulatory compliance is a government imposed set of rules, policies and procedures. It relates to data in terms of how it is captured, stored, secured, managed, retained and retired. The legal implications for non-compliance can include mandated corrective action, fines and other penalties, and even criminal prosecution in extreme cases. At times, data-related offences come from external sources such as hackers or cyber-criminals. But, more often than not, offences are caused internally - either by design or inadvertently.  Aside from legalities, data breaches, and illegal data manipulation can tarnish the brand reputation of a company. This can result in a significant revenue loss, or worse. Although there is definitely a heavy burden for companies in adhering to these standards, there is also a healthy dose of common sense built into most compliances. The fact is that many of the requirements in these Acts are best-practices that companies and IT departments should be using anyhow.

Regulatory Compliance and IT Implications

Rather than explain these in detail, the following chart outlines the major Acts and how they affect information and data management. Click the "Short Forms" to see the Wikipedia explanations and the "Formal Names" to visit the official websites.
Short Form Formal Name Who is Impacted? Primary Purpose Key IT and Data Implications
SOX The Sarbanes-Oxley Act (US 2002) Public companies, boards, and accounting firms Deter corporate fraud (for a look at some high-profile cases, see here) 5-year retention period for electronic documents plus an audit trail of log files
Bill 198 Keeping the Promise for a Strong Economy Act (Canada 2003) Public companies, boards, and accounting firms Deter corporate fraud (Bill 198 is very similar to SOX and also known as C-SOX) Support of financial systems to accommodate control, evaluation, and disclosure requirements
HIPAA Health Insurance Portability and Accountability Act (US 1996) Healthcare providers / Health plans / Healthcare clearinghouses Help people keep health insurance / Privacy / Reduce industry administration costs Numerous activities around security, control, access, software protection, awareness and BC/DR
FISMA Federal Information Security Management Act (US 2002) US Federal Government and companies that deal with them Protect US economic and national security interests Adherence to the NIST 9-Step compliance framework
PCI-DSS* Payment Card Industry Data Security Standard (Global 2004) Organizations who work with, or are associated with payment cards Protect credit cardholder data 8 major areas focused on network security, infrastructure security, and log retention
* PCI-DSS is not a law. It's an international  governing body. Retailers or card processors can be fined from $5,000 to $500,000  for non-compliance This is by no means an all-inclusive list, but it highlights some prominent Acts in North America today. Some other notable examples include: HITECH Health Information Technology for Economic and Clinical Health Act - US. This Act is designed to encourage a higher adoption in the use of electronic medical and health records. PIPEDA:  Personal Information Protection and Electronic Documents Act - Canada.  As the name implies, this one is about ensuring the personal right to privacy. The US seems to be less focused in this area. SSAE 16:  Statement on Standards for Attestation Engagements - A US audit process for IT and other service providers managing data. The CSAE 3416 in Canada is very similar. In addition, there may be other state and provincial regulations to attend to depending on your industry. The most important things to keep in mind are:
  • Industries, companies, and IT teams must be aware of, and understand, what regulatory compliance applies to them.
  • Organizations must know the specific actions they need to take and be aware that they are legally responsible for satisfying those requirements.
  • Once the obligations have been properly defined, a plan needs to be executed to ensure compliance within the stated timeframes. Usually there are reasonable periods of time allocated to make the necessary changes.
  • The rules change, so there needs to be a "sensing" mechanism in place for keeping on top of periodic revisions to the various Acts.
  • Companies doing business across borders, need to understand that certain Acts in one country may still apply in another. For example, a HIPAA-bound US medical firm looking to outsource a hosted web application in Canada can only use a HIPAA compliant hosting provider if  data will reside on north of the border.
  • Many of the regulations include provisions for on-going executive and employee training, which usually managed by IT.
Like it or not, regulatory compliance has become the new reality of business that simply can't be ignored.  Few people get excited about the work, time and cost it takes. But, there can be significant benefits. Let's face it, managing and protecting data better is always wise. There is also high marketing value generated by showing your company has met the requirements for applicable compliance.  In some situations, clients will not deal with you unless you can prove attainment.  In less extreme cases, it still sends a strong message that security and privacy are important at your organization - and that inspires confidence!