Information-Intensive Regulations

The introduction of several industry and government information-intensive regulations [such as the European Union Data Protection Directive, the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the US Patriot Act, the Gramm-Leach Bliley Act (GLBA), California SB 1386, Basel II, and others in recent years] has made the issue of safeguarding private and sensitive information a major concern for organizations. As non-compliance with the expanding set of those regulations may carry criminal and/or civil penalties that can lead to the prosecution of individual executives or substantial fines, organizations are increasingly looking to implement solutions and practices that will help them comply.

Technology plays a significant role here, providing organizations with different means to meet regulatory demands such as maintaining information integrity, preventing unauthorized access, storing and securing communication records for future investigations, and so on. In fact, those requirements have become a major driver for greater spending on security, storage, backup, disaster recovery, information life cycle management, and other related IT product groups.

Information security is one of the major sectors that is benefiting from the regulatory movement, especially in markets such as encryption, intrusion detection, access and identity management, and others. In addition, preventing leaks of private and sensitive information is strongly related to regulatory compliance. As organizations are now required to make sure that employees do not inadvertently or deliberately break the law, both desktop-based and network-based ILD&P solutions could play an essential role in organizations' overall compliance strategies.

The following sections describe the main industry and government information-intensive regulations that are driving the adoption of ILD&P solutions.

European Union Data Protection Directive

The Data Protection Directive, which outlines principles for protecting the privacy of individuals' Personally Identifiable Information (PII) on information systems, was adopted by the EU in 1995. The Directive requires each EU member state to pass local legislation that meets the privacy protection principles derived from the OECD guidelines of 1980.

Among those, Security Safeguards Principle 11 requires that "personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data". The Directive also classifies certain types of personal data, such as financial and health data, as requiring additional safeguards given their sensitive nature.

Overall, the Directive represents a stricter line on privacy protection adopted by the EU compared to US regulations (see below). For example, unlike US regulations, the EU Directive covers both customer and employee PII. In addition, it prohibits the transfer of PII to countries whose privacy laws are not considered adequate by the EU.

Although the Directive does not mandate the use of specific solutions to protect PII, the legislative freedom given to EU member states in adopting the Directive has led some of them to require specific solutions by law. For example, Italian law requires companies to secure data with firewall and antivirus solutions, while in Spain certain types of PII must be encrypted. Violations of the Directive may lead to substantial civil and criminal penalties, including fines and even prison time in some EU states.

Basel II Accord

The New Basel Capital Accord, due to become effective in most OECD countries by the end of 2006, requires financial institutions to calculate credit, market and operational risks, in order to ensure they have enough capital reserves to cover risk exposures.

Although the Accord does not discuss information security measures directly, operational risk is defined as "direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events"; security breaches therefore qualify as operational risk and should be handled accordingly.

In that respect, protecting sensitive and customer private information against unauthorized distribution is aligned with the operational risk management the Accord requires. Thus, financial institutions should be deploying related solutions, or otherwise face regulatory sanctions if such violations occur.

Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 (SOX) was legislated in the US in light of high-profile corporate scandals such as those of Enron and WorldCom. Defining new requirements regarding the financial management of publicly traded companies, the act is aimed at ensuring the integrity and the accuracy of reporting and preventing accounting errors and wrongdoings that may affect a company's shareholders and the general public. SOX lays responsibility on CEOs and CFOs, who must certify that their companies' financial reports are complete and do not contain any inaccurate or misleading statements. Non-compliance may lead to fines of up to $5 million for individuals and up to $25 million for entities, and prison sentences of up to 20 years. Section 404, which describes management's responsibility for establishing "internal control over financial reporting", is one of the key sections of SOX in terms of ILD&P. Under this liability, companies are required to "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements".

The broad category of "assets" includes digital assets such as source code, trade secrets, M&A information, patient records, and any other sensitive information the unauthorized disclosure of which may have a negative impact on the company's stock price and its financial performance. Thus organizations are required to closely monitor the usage of those assets and be able to detect such events in real-time or near real-time.

The above should foster greater demand for ILD&P solutions. In that respect, audit, reporting and risk assessments capabilities are essential for SOX compliance.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has two major objectives: making healthcare transactions simpler through the use of standards, common code sets, and unique health identifiers; and protecting the confidentiality of patients' health information. The act applies not only to healthcare service providers but also to all healthcare entities, including insurance companies and government agencies.

The HIPAA Privacy Rule defines administrative, physical, and technical safeguards for Covered Entities (CEs), which include standards for keeping Electronic Protected Health Information (EPHI) private. These standards cover several requirements that are most relevant for ILD&P solutions, including the implementation of policies and processes for assigning and controlling access to EPHI; reporting incidents; keeping track of EPHI moving into, out of, and within a CE; and securing the transmission of EPHI over networks. Non-compliance with the Security Rule requirements may carry criminal penalties of up to $250,000 in fines and jail time of up to 10 years.

The HIPAA Privacy Rule became effective in April 2003, and the compliance date for most CEs is April this year (smaller CEs should be in compliance by April 2006). Although the rule does not require CEs to implement specific security technologies and solutions, desktop-based and network-based ILD&P should benefit from heightened demand in the healthcare industry, as they can meet some of the core requirements of the Privacy Rule.

Gramm-Leach Bliley Act (GLBA)

The Gramm-Leach Bliley Act was passed in order to protect customer information maintained by (or on behalf of) financial institutions from loss, unauthorized access, or misuse.

The GLBA Safeguard Rule requires all financial institutions to "develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards" to protect customer "non-public information" (NPI; e.g., account numbers and details, social security numbers, credit card numbers, and so on). It mandates several requirements for safeguarding NPI, including the establishment of access controls on IT systems where NPI is stored; encryption of electronic records; and monitoring of systems in order to detect intrusion attempts and attacks. Non-compliance with the Safeguard Rule may carry severe penalties, including fines and prison terms of up to five years for individuals.

In light of the above, and although GLBA, as in the case of the HIPAA Privacy Rule, does not require the use of specific security solutions, Intrusion Detection Systems and encryption are being implemented by most financial institutions, and ILD&P solutions should also take their share of the market for GLBA compliance.

California SB 1386

Effective July 1, 2003, the California SB 1386 act requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information ... to disclose in specified ways, any breach of the security of the data ... to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person".

The act defines "personal information" as a social security number, driver's license number or California Identification Card number, account number, or credit or debit card number ("in combination with any required security code, access code, or password that would permit access to an individual's financial account"). The act allows California residents who have been injured by a violation of the act to bring civil action to recover damages. In addition, it allows courts to enjoin violating businesses.

Practically speaking, organizations that are required to comply with this act should not only protect the IT systems in which they store and manage private information, but also take appropriate measures to detect any unauthorized delivery of that information outside their boundaries. Thus, ILD&P solutions could be relevant for that purpose and should benefit, especially if other states follow California's lead.

The above-mentioned regulations are the main compliance-related drivers for the adoption of ILD&P solutions. Nonetheless, other US information-intensive regulations such as SEC 17a-4, the US Patriot Act, Check 21 legislation, and the Government Paperwork Elimination Act are also having an impact, albeit a lesser one.
