Pointer to article:
Many IT vendors are pitching the “compliance” features of their wares.
By “compliance,” they’re usually referring to such US laws/regulations as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley. These are essentially top-down mandates to implement lifecycle controls over information access, transfer, storage, and management, leveraging strong authentication, authorization, encryption, digital signatures, risk assessment, auditing/logging, and so forth. In other words, they call for the whole bag of goodies that IT security vendors and consultants have to offer.
This article points out that the ultimate battleground for “compliance” will probably be bottom-up: driven by the growing volume of lawsuits by people who have been the victims of identity theft. In this regard, it’s just going to get nastier and more litigious for more companies who collect and manage this info. The news stories of identity theft will just grow in frequency, shrillness, and alarmism.
In defending your organization against these increasingly inevitable lawsuits, it would behoove you to make sure you’ve got compliance—a la SarbOx, HIPAA, and GLB—nailed down good and tight. That way, you’ll stand a better chance of proving to judges that you’ve implemented any and all necessary controls and safeguards on the identity info you manage, per industry best practice, and in keeping with national laws, regs, and standards.
IT vendors should begin to recast their compliance pitches in terms of customers protecting themselves from the coming deluge of identity-theft lawsuits. SarbOx, HIPAA, and GLB are fuzzy mandates with loose timeframes for compliance and unclear punishments. But lawsuits are nasty, unexpected shots fired across your bow, and they demand immediate attention to a defensive, pre-emptive strategy.