From a client perspective, the risks are even more serious, as they are often life-altering and financially devastating. The potential damage resulting from the lack of an effective incident response process runs the gamut from the theft of one's identity to unauthorized financial transactions totaling millions of dollars. As a customer, I expect that the companies I do business with employ an effective incident response process. I expect that they will let me know when my credit card data has gone missing. Unfortunately, as customers, we do not find out which companies take this seriously until it's too late. Personally, I don't want to open my credit card statement to find that I've apparently purchased one million boxes of latex gloves on eBay.
In a recent case in the Eastern U.S., BJ's Wholesale had a security breach that entailed the capture of up to tens of thousands of credit card numbers from registered customers. Several major U.S. banks were forewarned to alert their credit card customers to the possibility of fraudulent card use. A month after a formal investigation was opened into the incident, customers whose information had been stolen were just finding out that their credit cards had been used to commit fraud around the globe. Though it has not been confirmed whether BJ's had any customers located in California, notification of the breach to affected California residents would be mandatory under the current California SB1386 statute. As it stands, BJ's apparently left the unsavory task of notification up to the majority of banks and credit card issuers, passing the buck and delaying the negative publicity.
Essentially, BJ's did not have an effective controls process in place, was not examined by the regulatory bodies, and was never fined or forced to improve its processes; yet now it is forced to do all of the above, and has damaged its reputation and its clients' credit files in the process. So I pose the question: can any company afford not to worry about compliance?
The number of people paying attention to compliance-related issues speaks for itself.
At RSA's San Francisco conference this past February, more than 200 people, at standing-room-only capacity, listened to a discussion on compliance and regulatory requirements from an enterprise perspective. Guidance Software consistently hosts educational webinars that address Sarbox as a control initiative for hundreds of worldwide attendees. Large corporations such as Sun Microsystems are holding meetings to hear vendors present their "Sarbanes-Oxley support products," and at conferences around the globe there are multiple sessions devoted to understanding and preparing for regulatory compliance.
As criminals grow increasingly savvy, operating freely from inside as well as outside the organization, employing proper controls and technology becomes less of a compliance issue and more of a survival tactic. Regulations, in turn, were created to inspire exactly such infrastructure changes and to avoid the damage that results from the lack of an effective IT process. For corporations as well as clients, compliance is a critical issue on a variety of levels.
Whether it's Sarbox, GLBA, HIPAA, or PIPEDA, regulations are here and have expanded. It's no longer acceptable to wait until the inevitable to secure the fort.
As Victor reiterates, "Compliance with the securities laws is no trivial matter. More importantly, do you have the ability to effectively investigate what's going on within your organization?"