Infrastructure
Commentary
4/27/2005
11:19 AM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Three Ways To Prepare For The IT Impact Of New Privacy Laws

In the wake of numerous high-profile customer-data breaches, companies that haven't previously been subject to information security and privacy regulation should expect new regulations to mirror elements from existing laws. For businesses that want to start planning now, there's no need to wait for implementation instructions on how to secure consumer data.

Decide What The Law Requires
For businesses that want to start planning now, there's no need to wait for implementation instructions on how to secure consumer data. Companies that already have implemented privacy-compliance measures know something that newer arrivals will need to understand: laws typically do not prescribe specific implementation measures. Instead, laws mandate that businesses take "reasonable" security measures and implement "appropriate" safeguards. In other words, a business probably already knows what it needs to know about compliance standards.

This deliberately vague standard is necessary. Otherwise, government would have to get in the business of prescribing technology-implementation details. Instead, laws leave the details to the parties most likely to understand security requirements as they evolve -- businesses themselves. But this lack of specificity means IT security professionals, not their corporate counsel, get the job of deciding what "reasonable" security looks like in technology terms.

Many in IT feel uncomfortable with an analog standard such as "reasonable measures." They can find a reassurance, however, in the language of the laws listed earlier as well a number of federal and state Unfair and Deceptive Acts and Practices enforcement cases. When the Federal Trade Commission took action last October against two mortgage brokers for violations of the Safeguards Rule under the Gramm-Leach-Bliley Act, one clear message the agency sent was: businesses must at least get started, mount a good-faith compliance effort that makes sense, and show that they're trying to cover the basics.

The IT community has the necessary expertise to define what reasonable security looks like. That's a good thing, because IT professionals face an even greater challenge -- how to persuade the rest of the company to adhere to reasonable security standards. Many of the privacy-breach reports that have hit the news this year demonstrate a failure of business processes, not information-security technology.

Previous
3 of 4
Next
Comment  | 
Print  | 
More Insights
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.