
To the letter of the law

Sep 01, 2003

A look at the various laws and regulations that have enterprises under the gun to comply.

Health Insurance Portability and Accountability Act (HIPAA)
Passed: August 1996
Purpose: To improve the portability of health coverage while maintaining the privacy and security of patient information.
Types of companies affected: Medical providers, insurance companies, claims clearinghouses, employers that self-insure workers’ health benefits.

Gist: The law’s “administrative simplification” section enforces a privacy rule, a security rule, transaction and code-set standards and identifier standards. These regulations specify what patient information must be kept private, how companies must secure that information, and the standards for electronic communication between medical providers and insurance companies. The deadline for implementing privacy controls was April 15; for security, April 21, 2005; for transaction and code-set standards, Oct. 15; and for identifier standards, July 30, 2004.

Effects on IT departments: Unlike some other laws, HIPAA lists very specific technology standards and policies that must be implemented to comply.

Opinion: “The scrambling you’ve heard about is [to comply with HIPAA’s] privacy, but the heavy activity in IT departments will be around transactions and code sets.” – Dr. Peter Kongstvedt, vice president of Cap Gemini Ernst & Young’s managed care practice.

Estimated spending to comply: Research firm Frost & Sullivan estimates that companies spent $270 million in 2002 to comply with HIPAA.

Gramm-Leach-Bliley Act
Passed: November 1999
Purpose: To protect the information financial institutions collect about customers.
Types of companies affected: Mainly financial institutions, but also any company that collects names, Social Security numbers and bank account numbers from customers or employees.

Gist: On May 23 the act’s Safeguards Rule came into effect, forcing financial institutions to design, implement and maintain safeguards to protect customer information.

Effects on IT departments: All companies that collect financial information must take security measures, such as maintaining firewalls, installing and updating virus protection, and scheduling routine security audits, as well as developing and implementing privacy policies.

Opinion: “Most IT departments are aware that they must protect customer information, but they aren’t specifically aware that there are federal regulations enforcing this.” – Michael Scheidell, CEO of Secnap Network Security.

Estimated spending to comply: If a company is already spending the recommended 5% to 8% of its IT budget on security, additional costs will be minimal. Security audits typically cost $10,000 to $20,000.

Sarbanes-Oxley Act
Passed: August 2002
Purpose: To restore investor confidence in the financial reporting of public companies and hold a company’s officers personally responsible for misrepresentation.
Types of companies affected: Any public company. Experts recommend that private companies hoping to go public or to be acquired by a public company also abide by the rules.

Gist: Section 302 came into effect on Jan. 1, mandating quarterly reporting on how a company derived its quarterly financial report, including controls and procedures used. Section 404 will kick in June 14, 2004, forcing public companies to have reports of controls and procedures audited by a third party.

Effects on IT departments: Two-phased; initially, companies will scramble just to comply with the law, providing necessary documentation to auditors. Eventually, companies will want to automate the process, building audit trails and procedures into their systems.

Opinion: “It’s a very broad and sweeping law; that’s why it’s causing a lot of pain right now with public companies.” – Rakesh Shukla, co-founder of 170 Systems.

Estimated spending to comply: AMR Research says companies will spend $2.5 billion on Sarbanes-Oxley compliance in 2003. The majority of that spending will be on consulting fees.

USA Patriot Act
Passed: October 2001
Purpose: To boost the government’s ability to track and prosecute terrorist activity through increased use of surveillance, information sharing and other means.
Types of companies affected: Financial institutions, ISPs and other companies that handle and store online communications.

Gist: The act obliges financial institutions to report any suspicious activity involving large money transactions. ISPs are also encouraged to hand over information about user activity they consider suspicious, and can do so without liability. The law also expands the types of information that government agencies can collect from ISPs about their users, including records of session times and durations, temporarily assigned IP addresses, and credit card or bank account information.

Effects on IT departments: Many aspects of the act encourage cooperative efforts from the private sector, instead of imposing regulations. Companies might wait until a government agency subpoenas information from them before considering compliance, although the time and cost to produce information on the fly could be prohibitive. Legal experts recommend companies ask the inquiring agency to reimburse the cost – some will, some won’t.

Opinion: “There’s a certain amount of pressure to automate tasks that are becoming common after Sept. 11.” – Stewart Baker, partner, Steptoe & Johnson.

Estimated spending to comply: Too soon to tell because many of the act’s provisions are suggestions. If the government repeatedly asks a company to produce records to help the government, its officials might realize upgrading their IT systems to automate reporting is less expensive than hiring temporary staff to do it by hand.

California Senate Bill 1386
Passed: September 2002
Purpose: To give California consumers immediate notice of security compromises in businesses’ computer systems so they can take action before identity theft occurs.
Types of companies affected: Any company that stores a California resident’s personal information on its computer systems.

Gist: The law, which went into effect July 1, says companies must notify their customers when they know or believe unencrypted personal information was accessed by an unauthorized person. Notification must happen “in the most expedient time possible and without unreasonable delay,” and can be written or, in some cases, sent by e-mail or posted on the company’s Web site. Personal information is defined as an individual’s name combined with a Social Security number, a California driver’s license or state ID number, or a bank account, credit card or debit card number along with any required personal identification number or password.

Effects on IT departments: Mandatory reporting of security breaches means departments must know about them, determine which customers’ information might have been compromised and automate notifying all potentially affected individuals.

Opinion: “While privacy has never been a huge [business] driver, lack of privacy is.” – Mark Rasch, senior vice president and chief security counsel, Solutionary.

Estimated spending to comply: Depends on whether the bills brewing in Congress to make this a federal law pass. For now, it means every company doing business in California must implement security and notification systems.

The National Strategy to Secure Cyberspace Report
Issued: February 2003
Purpose: To suggest best practices to the private sector for protecting critical infrastructures and businesses from cyberattacks.
Types of companies affected: All private businesses, but especially those that run critical infrastructures such as telecom networks, stock markets, electricity and transportation.

Gist: This report issued by the White House encourages industries and government agencies to reduce the risk of cyberterrorism wherever practical. It says the government reserves the right to respond “in an appropriate manner” if the U.S. is attacked in cyberspace.

Effects on IT departments: The report can be used to back up IT managers’ requests that companies assign larger budgets and higher priority to security programs and policies.

Opinion: “The report makes it clear that there will not be a technology silver bullet that’s going to solve the [security] problem.” – Larry Clinton, operations officer, Internet Security Alliance.

Estimated spending to comply: Because none of the report is mandatory, spending will be at the discretion of each company.
