Saturday, July 28, 2007

Compliance: Can We Be Honest Here?

In talking with businesses every day, attempting to educate them on the risks of ID theft and the vulnerabilities their businesses face, I hear how overwhelmed they are, with an urgency to get off the phone. I often hear one of two responses:

“We have our policies in place and don’t need further assistance.”
“We’re not interested.”

So, let’s be honest here. “If your business has a good set of policies and procedures, and operates in an ethical and efficient manner… sorry, that’s not good enough,” writes Alan Zeichick of InfoWorld in a 2005 compliance guide, in response to the preparation for new regulatory laws about securing data and non-public information. Here we are in 2007, and the lack of urgency about needing to understand these federal laws is past due. Many company contacts often convey to me that those issues fall on someone else’s head, i.e. our IT department, our lawyers, our PEO, but if we’re being honest, the law requires your company to have a Security Compliance Officer - a single individual who enforces your company’s policies, in addition to ensuring that all departments understand how to comply with those policies. So, when I hear the above responses, and they don’t identify having a Security Compliance Officer that handles their training, education, and plan of action, I know that these companies are not conforming to the current laws and these are the businesses that need my help the most.

If companies continue to take the “a security breach won’t ever happen to us” attitude, the costs to their bottom line may just put them out of business. Fines, penalties, civil damages, and liabilities are increasing in every state. Although this may seem unfair, if we’re being honest, the reason these actions are taking place is that state and federal funds are required to pursue the criminals of reported breaches, who are rarely caught, so someone’s bottom line must pay the price.

Your company’s compliance issues aren’t a particularly difficult proposition, but they certainly must be a priority.