Under the gun

Compliance with new security and privacy regulations falls squarely on IT departments

Network executives who want to keep up with the latest developments affecting their job had better start watching C-SPAN.

That's because state and federal governments, in response to concerns about security, privacy and corporate accountability, have gone on a regulatory spree that will cost U.S. companies billions of dollars in mandated IT upgrades.

Cash-strapped IT departments are already feeling the financial and organizational sting of several pieces of legislation, and the worst is yet to come.

The first regulation to come through the pipeline is the Health Insurance Portability and Accountability Act (HIPAA). Designed to secure electronic patient information, HIPAA cost businesses an estimated $270 million in 2002, the year that most healthcare groups came into compliance, according to market researcher Frost & Sullivan.

HIPAA pales in comparison to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect customer information. Even more sweeping is the Sarbanes-Oxley Act, which mandates all public companies back up financial statements with proof of procedures and controls.

Further reaching still is a new California state law that says companies doing business in that state must alert customers to any potential breaches in the security of their information, in an attempt to head off identity theft. If a similar law makes its way through Congress, any company that stores information about its customers could feel the effects.

These and other new laws will have a huge impact on IT departments, which must add or modify those systems that underlie and support virtually all operational business procedures.

"IT is so central to corporate and business affairs that you can't write a new regulatory program without it touching on IT," says Stewart Baker, a partner with Steptoe & Johnson in Washington, D.C. "We're going to see increasing federal regulation of IT issues just because all new federal regulation is going to have an IT element."

Lawmakers take a greater interest in IT issues when high-profile security and privacy breaches occur; they want to know why the breaches happen and how to prevent them.

"We're at a critical juncture right now in the regulatory environment. Our national strategy says, 'Hands-off regulation, we don't want command and control,'" says Mark Rasch, senior vice president and chief security counsel with security software vendor Solutionary. However, legislators feel the need to react when they read about identity theft and hacker attacks, he says. "The government is getting impatient with the marketplace and that creates great pressure for regulation."

Slow dancing with the regulators

Although many of these laws have been on the books for a while, compliance doesn't occur overnight. Given the current economic climate, many companies are loath to overhaul their IT infrastructures. And because many of the laws are still fresh enough that their implementing regulations have not yet been hammered out, companies are waiting to see how each law is interpreted or changed. Some of these laws also are vague about what steps a company must take to comply, or lack specific enforcement guidelines, giving companies another reason to delay.

"There's this very slow dance toward compliance that's occurring because you're never sure what [part of your business] is exposed and how far you need to go," says Austin Hill, executive vice president and general manager of privacy software maker Zero-Knowledge Systems' enterprise division in Montreal.

The estimated cost of compliance can be staggering, although in some industries, systems or policies that must be modified were already long overdue for an overhaul. For example, the healthcare industry is notoriously behind the times when it comes to implementing new technology.

HIPAA replacement costs

HIPAA has forced the industry to adopt security, privacy and information exchange systems and policies that are costing the average midsize hospital $1 million to $2 million, and large insurance companies $5 million to $10 million each, says Dr. Peter Kongstvedt, vice president of Cap Gemini Ernst & Young's managed-care practice.

"A lot of companies used the [new law as an] opportunity to make changes, replacing a system or substantially upgrading," he says, noting that some insurance companies spent as much as $20 million to $40 million.

Blue Cross Blue Shield of Michigan began working on HIPAA compliance in 2001, according to CIO William Smith. The company has not had to make major hardware purchases or hire new staff to come up to compliance. However, because it also acts as an electronic clearinghouse for medical claims in the state, it has had to extensively update its software, including all of its medical codes and transaction formats. With the help of contract workers, Blue Cross Blue Shield of Michigan expects to meet the Oct. 15 deadline for the regulation's transaction and code set standards.

Blue Cross Blue Shield of Michigan expects to spend a total of about $80 million on HIPAA compliance, Smith says. One unexpected cost has been educating and lobbying other parts of the healthcare industry on the importance of getting their IT systems to meet HIPAA's deadline, so that electronic transactions can go through.

"In testing we found that hospitals, doctors and other billers are just not going to be ready, and that's going to be a significant problem," Smith says. If billers resort to paper claims, instead of updating their IT systems, that will add a new level of cost and delay to processing claims, he says.

Financial firms face GLBA

The Gramm-Leach-Bliley Act's mandate that financial institutions protect customer information shouldn't impose a significant burden on companies that already are spending the recommended 5% to 8% of their IT budgets on security and have working privacy policies, as most banks and investment houses already do, says Michael Scheidell, CEO of security provider Secnap Network Security.

But significant spending will be forced on companies that might not consider themselves financial institutions, such as small mortgage brokers and employers that offer workers direct deposit of paychecks into their bank accounts.

"Any company that has not thought about security, such as mom-and-pop mortgage brokers, may not even have a firewall," Scheidell says.

Sarbanes-Oxley gores companies

Compliance with the Sarbanes-Oxley Act is predicted to hit IT departments as hard as the Y2K crisis, except this problem doesn't have an expiration date. A recent report from AMR Research found 85% of the companies affected by the act expect to have to make at least some changes to their IT architecture.

Under the law, public companies must employ a third party not only to audit their financial statements, but also to verify the reasoning, policies and controls behind those statements. That means IT departments must store, and provide access to, all information related to the company's financial statements - including structured data such as spreadsheets and databases, and unstructured data such as e-mail and instant messages.

"Right now, people are putting together ad hoc solutions to meet the deadline," says Rakesh Shukla, co-founder of online information management provider 170 Systems. "In a year or two it will be how to automate and streamline costs."

Sola International, a lensmaker in Menlo Park, Calif., bought financial reporting software from Hyperion Solutions to help comply with Sarbanes-Oxley. Sola also had to buy more powerful servers to run the software, says Patrick Kiernan, senior financial systems analyst.

While Sarbanes-Oxley was clearly the impetus for upgrading the company's systems, Kiernan says the investment, which is significant, needs to be put in perspective. "These actions may have naturally occurred in our business decision processes anyway," he says.

Ammo in cyberterror war

On the brighter side, many of these laws give IT departments the ammunition they need to make their case to the company's executive staff for updated systems and policies, experts say. One example is the National Strategy to Secure Cyberspace, which is not a law but a report the White House issued in February on how government and the private sector can work together to help fight terrorism.

"One of the problems that the [report] addresses is that cybersecurity needs to be elevated beyond the IT departments and addressed at the CEO, CFO and board of directors level," says Larry Clinton, operations officer at Internet Security Alliance. "A lot of corporations traditionally think of cybersecurity as something that will be handled by the IT department; the problem is the IT department isn't getting the resources they need to effect change."

Garretson is a freelance writer. She can be reached at cgarretson@starpower.net.