Friday, March 19, 2010

Law and Disorder

When I look at our client base, there are two industries that are suspiciously low in the amount of security risk assessment work that we do. Typically, we have a relationship with law firms for forensics or CPA firms to assist with audits. It's rare that they actually have us perform risk assessments for their organizations. Mind you, it's not like they don't have a ton of sensitive information. In fact, you'd think 99% of their information is sensitive because another organization needed to share it with them for legal or audit purposes. One would think that sensitive information needs protection, especially if it isn't "yours." So my question is, "What makes these industries think they don’t need to conduct security risk assessments?", or more to the point, "What makes you so special?"

Part of the problem lies in the adage that "Nobody does security unless they have to." Translated, it means most organizations won't have a decent security program unless they get hit with compliance issues or a breach. What's that, you ask? “Aren't these firms subject to compliance?” I'm glad you asked that! These groups have a tendency to slip under the radar with a somewhat 'holier than thou' attitude. For example, let's look at the FTC Red Flags Rule to protect against ID theft. It's supposed to apply to companies that extend credit to persons or corporations, although the term 'creditor' is very broad in scope. When the American Bar Association realized it applied to them, they responded by suing the FTC and were granted exemption. They did the same thing when the Gramm-Leach-Bliley Act (GLBA) was passed for financial institutions and applied to lawyers who did financial planning. About the same time, the American Institute of CPAs also petitioned for Red Flag exemption. They have lobbied for exemption from the Consumer Financial Protection Agency Act of 2009 as well.

Of course, there are problems with the 'it’s not my problem' approach and we really need to read between the lines here a bit. If you look at something as basic as the FTC Red Flags Rule, it really isn't asking for all that difficult of a program - basic security, privacy, and notification. It's not like they are being asked to be ISO 27001 or PCI compliant. So why did the ABA and AICPA push back so hard? They both claim that due to the nature of their business, ID theft is very low risk. Of course, I believe they would not have pushed back if they had enough of a security program to meet the Red Flags Rule. Therefore, I'd bet most of them don't have one. They also said these things could be cost prohibitive to small CPA firms. But when it came time for an exemption to SOX 404(b) for small businesses that the CPA firms assess, the Center for Audit Quality, associated with the AICPA, fought it because that might hurt the investors that are supposed to be protected. So are we supposed to conclude they want to help the investor, but not the consumer?

Today, however, these firms are running out of wiggle room. There is an onslaught of compliance that sooner or later will be inevitable. For example, with the HITECH Act in ARRA, firms now realize they are pretty much stuck with HIPAA compliance if they handle PHI from a client as a Business Associate. They also realize that private standards, like PCI, that are enforced through contract are now unavoidable. Additionally, if firms have clients in states like Massachusetts and Nevada, which have new trends in breach laws that include prevention and not just notification, they are likely subject to those laws as well.

Of course, some of these compliance regimes allow for risk-based decisions in which the firms may decide, like they did with Red Flag, that they think the organization is still low risk. I suppose it will just take some breaches to create a more sobering atmosphere. There is almost no industry that can really afford to adopt the 'it would never happen here' mentality, as we see breaches aren't just focused on financial institutions. Don't forget that the bad guys are both highly organized and lazy. If they recognize that there are 'soft spots' here, it could lead to some serious concentration of efforts on these gold mines of sensitive information.

The point is not to say that all law and CPA firms are ignorant of security risks and ripe for a breach. It's more to state that there is a general attitude problem that needs a big reality check. Eventually, these organizations need to increase their security posture and incorporate assessments for quality management. The early adopters will reap the benefits of understanding their risks sooner so they can minimize their risks earlier, or have more time to do so before being confronted with compliance deadlines.
