As the government places an increasing number of compliance requirements on businesses, IT departments are struggling to keep pace with the increased workload. A study conducted in 2006 by technology research firm Gartner Inc. estimated that 10 to 15 percent of that year's corporate IT budgets would be spent on financial compliance management. According to Gartner Inc., professional services focused on consulting, audits, process management/workflow, documentation and planning are responsible for most compliance expenses.
Here's a look at the five big laws that are driving regulatory compliance and the burdens they place on IT departments:
The Sarbanes-Oxley Act of 2002 (SOX)
Enacted in response to a series of high-profile financial scandals, the Sarbanes-Oxley Act (SOX) is designed to protect shareholders and the general public from enterprise accounting errors and fraudulent practices. The act is administered by the SEC (Securities and Exchange Commission), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records. Instead, it defines which records are to be stored and for how long. Sarbanes-Oxley is all about ensuring that internal controls or rules are in place to govern the creation and documentation of information in financial statements. Since IT systems are used to generate, change, house and transport that data, IT departments have to build the controls that ensure that SOX information stands up to audit scrutiny.
The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act, is a federal law designed to control the ways financial institutions deal with consumers' private information. As with other privacy-related mandates, affected IT departments need to spend heavily on data-protection technologies.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Created to establish standardized mechanisms for EDI (electronic data interchange), security and confidentiality of all health care-related data, the Health Insurance Portability and Accountability Act (HIPAA) features two distinct sections. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section that concerns the standardization of health care-related information systems. To organize and protect medical records, IT departments need to invest in and operate an array of technologies, including EMR (electronic medical record) solutions, firewalls, remote monitoring systems, intrusion-detection technologies, auditing software and encryption programs.
The "Can-Spam Act" of 2003
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, informally known as "The Can-Spam Act," allows courts to set damages of up to $2 million when spammers break the law. Federal district courts are allowed to send spammers to jail and/or impose triple damages if the violation is found to be willful. IT departments need to install software and policy safeguards that ensure that bulk emails don't violate the law's provisions.
The "Do Not Call" List
A registry of U.S. phone numbers that telemarketers are prohibited from calling under most circumstances, the "Do Not Call" list is maintained by the FTC (Federal Trade Commission). Consumers can contact the agency to have their numbers registered. Organizations are prohibited from making calls to sell goods or services to any numbers consumers list with the National Do Not Call Registry. Violators are subject to substantial fines if they fail to comply. IT departments need to install software and policy safeguards that ensure outbound call centers don't violate the law's provisions by contacting individuals on the "Do Not Call" list who have no direct business contact with the organization.
Enterprises and their IT departments should look for compliance solutions that simultaneously satisfy multiple regulations covering several business units. At the same time, IT managers and their bosses should adhere to a sensible strategy when deciding on a solution and not rely on a stopgap measure to comply with a single regulatory act. Organizations that choose one-off solutions for each regulatory challenge could spend up to 10 times more on IT compliance solutions than counterparts that take a sustainable programmatic approach.
See also: regulatory compliance, Sarbanes-Oxley Act, Basel II, Gramm-Leach-Bliley, HIPAA, ISO/IEC 27001, PCI DSS
Private Industry Regulations
PCI Data Security Standard (DSS)
Digital fraud and identity theft incidents have made the protection of payment card information more critical than ever. Cardholder security programs started as early as 2001, and credit card issuers joined together in 2004 to publish the first Payment Card Industry (PCI) Data Security Standard (DSS). Visa, MasterCard, American Express, Discover Bank and JCB all now endorse the standard. The PCI DSS differs from other information security regulations in that it is governed by private industry rather than elected officials, which means the PCI Security Standards Council (SSC) retains the authority to manage the DSS.
The DSS consists of twelve requirements to which members, merchants and service providers must adhere. It applies to any organization that stores, processes or transmits cardholder data. The requirements include the use of data encryption, end-user access controls and activity monitoring and logging, as well as the need to regularly test security systems and processes. Companies face stiff fines or even the possibility of being barred from the card acceptance program if they do not comply. The PCI DSS extends to all "system components" of these organizations, which means all technology involved with or connected to cardholder data is considered in scope for the standard.