Under the gun

Compliance with new security and privacy regulations falls squarely on IT departments

By Cara Garretson, Network World
September 01, 2003 12:08 AM ET
Network executives who want to keep up with the latest developments affecting their job had better start watching C-SPAN.

That's because state and federal governments, in response to concerns about security, privacy and corporate accountability, have gone on a regulatory spree that will cost U.S. companies billions of dollars in mandated IT upgrades.

Cash-strapped IT departments are already feeling the financial and organizational sting of several pieces of legislation, and the worst is yet to come.

The first regulation to come through the pipeline is the Health Insurance Portability and Accountability Act (HIPAA). Designed to secure electronic patient information, HIPAA cost businesses an estimated $270 million in 2002, the year that most healthcare groups came into compliance, according to market researcher Frost & Sullivan.

HIPAA pales in comparison to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect customer information. Even more sweeping is the Sarbanes-Oxley Act, which mandates all public companies back up financial statements with proof of procedures and controls.

Further reaching still is a new California state law that says companies doing business in that state must alert customers to any potential breaches in the security of their information, in an attempt to head off identity theft. If a similar law makes its way through Congress, any company that stores information about its customers could feel the effects.

These and other new laws will have a huge impact on IT departments, which must add or modify those systems that underlie and support virtually all operational business procedures.

"IT is so central to corporate and business affairs that you can't write a new regulatory program without it touching on IT," says Stewart Baker, a partner with Steptoe & Johnson in Washington, D.C. "We're going to see increasing federal regulation of IT issues just because all new federal regulation is going to have an IT element."

Lawmakers take a greater interest in IT issues when high-profile breaches of security and privacy occur; they want to know why it happens and how to fix it.

"We're at a critical juncture right now in the regulatory environment. Our national strategy says, 'Hands-off regulation, we don't want command and control,'" says Mark Rasch, senior vice president and chief security counsel with security software vendor Solutionary. However, legislators feel the need to react when they read about identity theft and hacker attacks, he says. "The government is getting impatient with the marketplace and that creates great pressure for regulation."

Slow dancing with the regulators

Although many of these laws have been on the books for a while, compliance doesn't occur overnight. Given the current economic climate, many companies are loath to overhaul their IT infrastructures. And because many of the laws are still fresh enough that their specific regulations have not yet been hammered out, companies are waiting to see how the law is interpreted or changed. Some of these laws are also vague about what steps a company must take to comply, or lack specific enforcement guidelines, giving companies another reason to delay.

"There's this very slow dance toward compliance that's occurring because you're never sure what [part of your business] is exposed and how far you need to go," says Austin Hill, executive vice president and general manager of privacy software maker Zero-Knowledge Systems' enterprise division in Montreal.

The estimated cost of compliance can be staggering, although in some industries, systems or policies that must be modified were already long overdue for an overhaul. For example, the healthcare industry is notoriously behind the times when it comes to implementing new technology.

HIPAA replacement costs

HIPAA has forced the industry to adopt security, privacy and information exchange systems and policies that are costing the average midsize hospital $1 million to $2 million, and large insurance companies $5 million to $10 million each, says Dr. Peter Kongstvedt, vice president of Cap Gemini Ernst & Young's managed-care practice.

"A lot of companies used the [new law as an] opportunity to make changes, replacing a system or substantially upgrading," he says, noting that some insurance companies spent as much as $20 million to $40 million.
