GRAND RAPIDS — The debilitating expenses of post-regulatory corporate America haven’t stopped yet. The legal and accounting professions have swollen with the help of Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, Basel II, and a host of other federal regulations and reporting requirements. If recent headlines are any indication, IT security management is about to undergo its own expensive evolution.
“We’ve been doing a lot of assessments directly related to the security needs of HIPAA and Sarbanes-Oxley,” said ISG President and CEO Dan Horne. “If you’re a company that is storing or transmitting data, you’ve an obligation to keep that private. You have a responsibility to make sure that you have put in place the necessary measures to make sure the data is protected.”
Grand Rapids Community College already has felt the sting. After three laptop computers containing hundreds of Social Security numbers and other sensitive information were stolen late last year, the college committed $300,000 to security improvements.
After placing millions of consumers at risk this spring, ChoicePoint, Bank of America, LexisNexis and Time Warner are likely all undergoing significant capital expenditures for security.
“Primarily, the focus of IT security is to protect data from falling into the wrong hands,” said Scott Montgomery, CPR’s director of security. “We have several areas of business that are regulated in ways that protect customer information. Security cannot fall into the hands of someone you do not give authorization to.”
The bulk of the regulatory environment was reactionary to issues unrelated to privacy. HIPAA was created to standardize electronic data interchange in the health-care field; SOX came along to prevent the next Enron. A surprising result is that the regulations have created a loose architecture to regulate the sensitive data threatened by the growing trend of identity theft. Medical records, phone numbers, e-mail and home addresses, and Social Security numbers are all protected in some manner.
“The way the privacy laws work, we don’t have a comprehensive law,” said attorney Norbert Kugele, a founding member of Warner Norcross & Judd’s Privacy and Security Task Force. “Take HIPAA, for instance. If you’re a covered entity like a health-care provider or insurer and you haven’t protected the information as stipulated, you are liable under HIPAA.”
HIPAA, however, does not provide individuals a course of action. Their only recourse is to complain to regulators.
Kugele said it is possible to sue under a commonwealth law negligence theory.
“It’s a question of reasonableness. Did you take the necessary steps to protect the information?” he said.
Recent events have solidified the pressure in Michigan. In March, Michigan became the first state in the nation to enact legislation requiring that every employer maintain a policy for safeguarding employee Social Security numbers.
At the same time, the Michigan Court of Appeals became the first appellate court to allow the victims of identity theft to recover damages (totaling $275,000) from an organization that failed to adequately safeguard personal information that was subsequently used for identity theft.
As written by Phil Gordon in ASAP: “These national precedents expose Michigan employers to liability for failing to safeguard employee personal information, and open the door to employer liability for workplace identity theft in other jurisdictions that likely will follow Michigan’s example.”
“There is an increasing liability in how you handle sensitive information about people,” Kugele said. “You can’t just sit back and decide how much you want to spend. You need to look at what other people are doing and see if what you are doing is reasonable.”