Three Ways To Prepare For The IT Impact Of New Privacy Laws
In the wake of numerous high-profile customer-data breaches, companies that haven't previously been subject to information security and privacy regulation should expect new regulations to mirror elements from existing laws. For businesses that want to start planning now, there's no need to wait for implementation instructions on how to secure consumer data.
Plan For The Obvious
Companies that haven't previously been subject to information security and privacy regulation should expect new regulations to mirror elements from existing laws: Put someone in charge, analyze vulnerabilities, make a plan, implement policies and procedures that address technology as well as business processes, train, monitor your service providers, and circle back to evaluate and adjust your program on an ongoing basis.
These common and common-sense requirements appear in existing data-security regulations for companies subject to the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and, north of the border, the Canadian Personal Information Protection and Electronic Documents Act.
Businesses will have to be reasonably certain their service providers live up to the same standards. A company must wisely choose and monitor its service providers and cannot evade privacy liability by outsourcing. Even while Congress has been considering new regulations to control outsourcing, existing laws already require companies to police their service providers by building privacy provisions into contracts and monitoring vendor performance.
Some companies pondering the future of regulation may be unaware that a mandate of reasonable security already applies to them today. If a company is engaging in business-to-consumer transactions, it is regulated. Under the basic consumer-protection principles of Unfair and Deceptive Acts and Practices laws, the Federal Trade Commission and state attorneys general already have established a data-security-enforcement history involving organizations that include the ACLU, Alta Vista, Barnes & Noble, Eli Lilly, Guess, Microsoft, Sony/InfoBeat, Tower Records, Victoria's Secret, Ziff Davis Media, and many others.
These cases targeted online practices, but the rules are the same in all data channels. Be assured that consumer-protection agencies are taking a hard look at offline and business-to-business transactions that expose consumer data. And take note, "consumer data" means more than hot-button data such as Social Security numbers, credit-card numbers, and medical data. It includes names, addresses, phone numbers, and Global Positioning System data.