How is compliance really perceived?

Carl Ellison has an interesting story that may give some insight into how people in the business world really view the maze of data security and privacy laws that they have to navigate these days. Here's his story (told with his permission, of course):

I remember being in a workshop with health-care IT pros. We were talking security – especially access control. I asked what their #1 threat was. The answer: HIPAA. They weren't worried about whether a patient's records were disclosed to a wrong person. They were worried only if they might go to jail. They wanted a security solution that kept them out of jail with the minimum effort and disruption for them.

In other words, the regulation itself is seen as a bigger threat than any disclosure of any Protected Health Information! I wouldn't be surprised if you could hear similar discussions at meetings where other compliance issues are discussed.

  • Steve Burnett

    This seems to indicate to me that we need these regulations. If they aren’t there, will the people who hold our sensitive data take security measures to protect it?
    We can be as careful as possible with our own sensitive information so that bad people can’t steal it from us. However, the problem is that other entities have our sensitive information as well, and they have very little incentive to protect it. Someone gets your medical records? The hospital doesn’t care; they didn’t lose any money or privacy because of it. Someone obtains credit card numbers from an online merchant? So what, the online merchant doesn’t care; that’s not their money they’re losing.
    There are market forces that push “other entities” to protect our data. They might lose customers, merchants might lose money if the Credit Card companies refuse to pay for purchases made with stolen CC numbers, and so on.
    But it doesn’t seem that those market forces are enough. So we still need to require these other entities to employ security measures, or else they won’t. The requirements might come from the government in the form of HIPAA, or they might come from Visa/MasterCard et al. in the form of PCI.
