23 May
Compliance Makes Good Sense for Good Business
Specific industry IT security and privacy regulations such as PCI, HIPAA and GDPR apply to millions of organizations, with more regulations being enacted every month. But even those not REQUIRED to be in compliance with any standards should act as if they are – being in compliance is simply good security and data privacy discipline.
There are many areas of liability and risk that come from not protecting data. You can be sued by customers or partners, run afoul of an increasing number of state and federal laws relating to data privacy and data breaches, be in violation of contracts, fail to meet industry or licensing requirements, or not live up to the terms of various insurance policies.
Compliance as a Business Enabler and Customer Confidence Booster
Instead of thinking of compliance as a bureaucratic and IT hassle that adds no value, think of compliance as a business enabler and positive influence. Good compliance reduces risk and creates a culture of ethics, fairness, corporate governance, and customer care.
With tight compliance, your client will have less to fear from fines, lawsuits, bad publicity from data breaches and data exposure, and state or federal prosecution. And your client will gain the confidence of customers, prospects, partners, and investors.
Data Breach Laws Toughen
Government agencies at all levels have been beefing up data breach prevention and reporting laws that apply to all companies that hold any private customer data, not just credit card information. In fact, most states in the US legally mandate protection of Personal Identification Information (PII). This data includes social security numbers, driver’s license numbers, birth dates, and bank and credit card information. Under many of these laws, consumers can sue companies for failing to protect their information.
Protecting PII data in customer databases and other obvious records systems isn’t enough. It also needs to be protected in spreadsheets, email and other messaging, scanned imaging and paper documentation. PII data also needs to be protected and managed on PCs and laptops, portable drives, smartphones and any other storage media.
This is done with layers of security such as firewalls and intrusion detection/prevention systems, modern operating systems, good patch and software update management, broad use of encryption, and of course, routine internal assessments and audits.
The Federal Trade Commission Steps in
The US Federal Trade Commission (FTC), which has jurisdiction across all 50 states and US territories, is another authority to worry about.
The FTC tends to get involved after a data breach that exposes consumer PII data, especially in wide-scale and highly public cases. In most cases, companies that do not take due care to prevent a breach, or that fail to report it promptly, face stiff penalties. In one recent incident, the FTC imposed a $10 million fine on ChoicePoint along with $5 million in consumer redress.
Security and Compliance Assessments – Insurance and Peace of Mind
With the right solution, MSPs can both help their clients remain in compliance with key security and privacy regulatory standards AND increase recurring service revenue at the same time. For example, Compliance Manager GRC gives MSPs a centralized web-based portal to manage compliance with multiple standards across their client base.
Compliance Manager GRC features a powerful, task-driven workflow automation engine that guides an MSP through the complex compliance process, literally step by step. It also automatically gathers much of the information an MSP needs directly from a client’s networks and computers, and allows the client to directly input any additional information that only they would know (e.g. roles of specific individuals, policy specifics, etc.). The system combines all this information for the MSP, and automatically generates risk reports, management plans, policies and procedures documents, and ultimately evidence of compliance.
Learn more about Compliance Manager.