Channelnomics


Regulatory Compliance Isn’t Black and White


Compliance is once again a favorite selling tool for IT vendors and resellers alike. The message usually goes, “If you don’t buy our product, you will suffer the pains of security breaches and government fines.” On paper, that much is truly black and white. In reality, though, regulatory enforcement is very gray, as seen in the enforcement actions by the Massachusetts Attorney General’s office.

Today, there are more than 45 state laws and a dozen federal laws governing the security and confidentiality of personal data. In the private sector, the Payment Card Industry Data Security Standard (PCI-DSS) has proven effective in compelling security investments by retailers and merchants processing credit card payments. The plethora of security and privacy regulations has made compliance a favorite marketing tool for selling services and solutions.

The International Association of Privacy Professionals recently hosted a panel reviewing the Massachusetts Data Security Regulations (201 CMR 17), widely considered the most stringent data protection statute in the nation because it prescribes actions for disclosing security breaches as well as prevention measures to mitigate the chances of a breach. The law’s first anniversary is in March, and the AG’s office reports receiving breach reports on a daily basis. However, there have been no enforcement actions to date.

A representative of the Massachusetts AG’s office said it carefully reviews every report of a security breach. However, the office is not auditing companies for compliance due to insufficient resources. And, so long as the reporting company is meeting the criteria of the breach disclosure law, the AG isn’t conducting investigations unless there’s ample evidence of flagrant violations of the data protection law.

What’s happening in Massachusetts is particularly important to solution providers, especially those providing IT data services such as remote backup, security and compliance auditing.

According to statements made by Shannon Choy-Seymour, assistant Attorney General of the Consumer Protection Division, investigations are typically triggered if:

>> A company didn’t properly report the breach or notify the affected data owners
>> A written information security plan (WISP) cannot be produced or does not exist
>> The WISP is inadequate to safeguard sensitive records
>> Data was not stored in a way that provides a reasonable level of protection in accordance with the law
>> Compromised data was illegally or fraudulently collected by the breached entity
>> Data was being used for deceptive practices

Here’s the opportunity for industrious solution providers: WISPs. Outside of large enterprises and highly exposed organizations such as financial institutions, few businesses know what data privacy and protection regulations require of them. Having a security policy isn’t enough, as noted by the Massachusetts law; businesses covered by various data protection regulations must draft policies that “adequately” safeguard information.

What is the standard for “adequate”? It’s usually measured by what other “like” organizations would do. In legal circles, this is often referred to as the “reasonable person” standard. Providing professional services that review and improve security policies is a tremendous opportunity for solution providers, who are in a position to drive “the reasonable person” standard through collective action.

The Massachusetts AG’s office made an interesting observation about encryption, often seen as the panacea of compliance measures. Most federal and state laws exempt companies from disclosing breaches if the affected data was encrypted. Encryption-as-the-silver-bullet is a misnomer, says Scott Shafer, chief of the Consumer Protection Division of the Massachusetts AG’s office. Many of the breach reports reviewed by his office include the compromising of encryption keys. Shafer’s statement points to the need for better implementations of key management and security – another opportunity.

Ah, but there’s also need for concern among solution providers in these regulations. As providers of data security, application, storage or backup services, solution providers not only become a party to the regulatory compliance equation, but in some cases have primary responsibility in the event of a breach disclosure.

Massachusetts AG representatives said that if a company demonstrates it contracted a third party to provide data security or application services, and conducted adequate due diligence in the selection of that service provider, the responsibility for the breach is borne by the service provider. In a sense, the Massachusetts law negates the time-tested standard “caveat emptor.” Other regulations such as the Health Insurance Portability and Accountability Act (HIPAA) extend regulatory compliance requirements to all parties in the data custody chain, including IT service providers. Depending on the law, solution providers can be solely or equally culpable for a security breach and subject to the same penalties as the primary covered entity.

While the panel discussion revealed several opportunities and risks for solution providers in regulatory compliance, the Massachusetts Attorney General’s most interesting statement came in regards to enforcement: Due to insufficient resources in its office and among businesses, the AG is taking a “collaborative” approach to compliance. Specifically, the AG is working with businesses to ensure they are taking reasonable steps to comply with the law and protect sensitive data, reserving enforcement – the levying of fines and criminal charges – as a last resort.

As with most government regulations, enforcement is a beast that’s often spoken about but rarely seen in the wild. Going back to the time when the Sarbanes-Oxley Act was enacted to ensure the integrity of financial records, the Securities and Exchange Commission took two years to bring the first enforcement action. Even then, the SOX violation had nothing to do with data integrity or security, but rather fiscal mismanagement and fraud. Very few businesses have faced fines under the various state and federal laws. Even with the federal government giving states the authority to enforce HIPAA security violations, only a handful of cases have been brought against compromised health care providers.

What the Massachusetts panel discussion shows is that compliance remains a process, not a product. Government agencies are reluctant to bring enforcement action against any business unless there is flagrant disregard for the law, which should minimize the effectiveness of using compliance as a selling tool. However, government typically passes over organizations that have exercised due diligence and executed a reasonable level of safeguards. Ultimately, providing sound support and reasonable data protection schemas is what solution providers should aim for in compliance marketing.

* * *

Lawrence M. Walsh is CEO and president of The 2112 Group, a technology business advisory service that specializes in optimizing indirect channels and partner relationships. He’s also the executive director of the Channel Vanguard Council. He is the former publisher of Channel Insider and editor of VARBusiness Magazine. You can reach him at lmwalsh@the2112group.com.
