Rules, Rules, Rules

Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, the USA Patriot Act, the California Security Breach Law, Securities and Exchange Commission rule 17a-4 -- these are but a few of the compliance challenges companies face today.
Still, as Huntington makes the final push toward Sarbanes-Oxley section 404 compliance, executives have been surprised at how labor-intensive it is. "We knew it would be a resource hog, but as the number of projects entering the pipeline increases, there's more of a drain on resources," Benninger says.

For obeying section 409, which requires faster disclosure of weaknesses in controls, Huntington plans to use the software infrastructure it's building for complying with section 404. A Web-enabled centralized database will provide managers with a dashboard to view the status of each control, such as whether it's being tested or fixed.

The consequences of a failure to comply with regulations are all too apparent--more than half of InformationWeek Research respondents say their companies face stiff fines and penalties.

Change Agent

But it's not just banks, insurance companies, hospitals, and other heavily regulated businesses that need to keep watch on a steady flow of regulatory requirements. Regulations such as the federal Can-Spam Act and changes to labor law affect even small companies, across a wide range of industries.

An example is a new rule from the Federal Communications Commission due to take effect in January that will require written permission for a company to send a fax containing sales or promotional information. That leaves those small companies that have relied on fax for decades as their primary means of customer communication without a lifeline, says Janel Apps Ramsey, marketing administrator for a small Midwestern company that resells steel from big manufacturers. Ramsey says alternative approaches using technology don't offer much hope--E-mail or fax software tends to be too complicated or expensive for the size of her company. "No software is written for small companies," she says. "There's nothing I can link with my inventory system to manage fax and E-mail."

Changes enacted last month to rules governing who gets overtime pay could send even more business-technology pros scrambling, including small companies not geared up to manage big regulatory changes. Under the change to the Fair Labor Standards Act, any worker whose income is less than $23,660 a year must be paid overtime for working more than 40 hours a week. White-collar workers are exempt from overtime pay if their incomes exceed $100,000 a year. If their incomes fall between $23,660 and $100,000, they can be exempt if they meet certain criteria, such as managing other workers or having expertise in a field of learning.

It also guarantees overtime for so-called first responders: police officers, firefighters, emergency medical technicians, and paramedics. That's producing some anxiety at American Medical Response Inc., the nation's largest provider of ambulance services for hospitals and municipalities, because it employs 14,000 paramedics, nurses, and other caregivers. While its human-resources department evaluates the new regulation, the IT department is upgrading to the latest version of the company's time and attendance system from Kronos Inc. The system feeds American Medical Response's core payroll and financial system from J.D. Edwards, now owned by PeopleSoft Inc.

[Photo: American Medical Response CIO Bill Tara. "Systems acquisitions are linked to business requirements," Tara says. Photo by Ray Ng]

A year ago, the IT department launched a project to bring order to its payroll operation, a hodgepodge of systems inherited when the company acquired numerous rivals. IT consolidated seven payroll databases scattered across three regions into one. American Medical Response involves people with experience in IT, HR, and compliance in technology-buying decisions, with the goal of making technology fit business processes. "Systems acquisitions are closely linked to business requirements," CIO Bill Tara says.

When American Medical Response has disputes over overtime, bookkeeping is often part of the problem. The company's Kronos system helps ease overtime problems, says Tim Bernier, IS project manager for the eastern region, and it aids in compliance with Sarbanes-Oxley's financial-reporting requirements.

The onslaught of requirements from regulators and lawmakers isn't going to ease. Lawmakers in California--who created the first state law requiring any organization that suffers a security breach involving certain types of financial information to inform people affected--are now debating regulating the use of RFID in stores and libraries. The California bill that passed the Senate would, among other things, prohibit stores from using RFID readers to track which items have been picked up from shelves.

Legislators in Maryland, Massachusetts, and Virginia are considering similar legislation. Looks like compliance mandates, and the business technology needed to satisfy them, will continue to be constant companions.

Illustration by Dan Page