The Issue of Compliance - It’s Here and It’s Expanding!
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 8 April 2004.
"Depending on the industry, there are other regulatory structures that are in place requiring companies to be able to self-investigate and cooperate with law enforcement. If you look at regulations under Gramm-Leach-Bliley (GLBA), which apply to the finance industry, one of the requirements of a response program is to be able to make adequate reports to law enforcement. Clearly a company needs to be able to collect evidence and cooperate under those regulations. The same is true under HIPAA. We then have state regulations as well, such as California’s SB1386, which deals with self-disclosure. There are a variety of laws on a per-industry basis that apply," answers Victor.

I asked Victor what his impression was of compliance-related changes within various organizations. "I think what is important is the trend. If you go back six years, you could have given a talk titled ‘Information security regulation is on its way.’ Now, it’s here, and it’s expanding. You have it touching public companies under Sarbox, affecting the health-care industry with HIPAA and the financial industry with GLBA. You have anti-identity theft statutes such as SB1386, which is now primarily Californian, but is being looked at on a national level. The trend is to increase information security regulations, increase requirements for self-investigation and employ the ability to mitigate liability."

Compliance issues are not an American-only concern. John Weigelt, Strategic Security Advisor for Microsoft Canada states, "When I speak to clients about security-related issues, they are also very focused on compliance issues. While the Personal Information Protection Electronic Documents Act (PIPEDA) remains a primary concern for Canadian businesses, I have found that many clients are equally occupied trying to address U.S. legislation such as Sarbanes-Oxley."

"Companies are engaged in applying the ‘four P’s’ to address compliance issues: Policy, Process, People and Products. They are reviewing existing policies to ensure their consistency with the legislation and addressing any gaps that they find. They are developing transparent processes to meet the obligations imposed. Company-wide training activities are generally underway to educate the workforce about the substantive impacts of the laws. Finally, companies are looking at technological/product solutions to streamline their compliance activities in support of implementation efforts as well as ongoing business activities."

From a client perspective, the risks are even more serious as they are often life-altering and financially devastating. The potential damage resulting from the lack of an effective incident response process runs the gamut from the theft of one’s identity to unauthorized financial transactions totaling millions of dollars. As a customer, I expect that the companies I do business with employ an effective incident response process. I expect that they will let me know my credit card data has gone missing. Unfortunately, as customers, we do not find out which companies take this seriously until it’s too late. Personally, I don’t want to open my credit card statement to find that I’ve apparently purchased one million boxes of latex gloves on eBay.
