SDS Newsroom
Losing Business? Why “Real” Security & Privacy Compliance Programs are now Required
Joshua Carlson Esq., CISSP
FISMA, PCI DSS, Safe Harbor, SAS 70 (now SSAE 16), EU directives, ISO 27001, GLBA, HIPAA, the Telecommunications Act, the Fair Credit Reporting Act (FCRA), COPPA, the Privacy Act, CAN-SPAM, and many other regulatory requirements are now being used to vet companies and to add them to, keep them on, and, more importantly, remove them from approved vendor lists. Companies use these requirements to eliminate from consideration any partner that does not have a viable security and privacy program, and so reduce their own risk of doing business with it.
The only companies that will still be around in the future are those that already have, or are now investing in, comprehensive security and privacy compliance programs.
Until just a few years ago, many companies seemed to rely on outdated methods, and on whatever they could find on the internet, to assemble the security and privacy policies that would get them through their business partners' and vendors' security and privacy audits. They would exchange a few e-mails and attachments with a general attitude of "it's all good," and all would be fine for another year.
That used to be acceptable, until legislative forces (the increasing number and scope of laws, and the increasing enforcement of those laws) and market forces (the rise in breaches, insider threats, external attackers and hacking, and major incidents; see Sony) began to change these business-as-usual practices.
Today, companies cannot afford to do business with other companies that do not have effective and “real” security and compliance programs in place.
Based on numerous administrative rulings, legal cases, class action lawsuits, and hundreds of consent decrees, it should be apparent that a company that does business with another company lacking a sound security and privacy compliance program may end up liable for some, and possibly all, of the costs of any problems that result.
The general message, if it is not already clear, is this: you cannot afford to be a business without a real security and privacy compliance program in place, and you cannot afford to do business with a company that does not have one.
“We need to look into why we lost our vendor contract with xyz corp,” a client says. One reason may be that the legal, reputational, and financial costs of doing business with companies that lack good security and privacy compliance programs are no longer worth the risk.
Business is going away from companies that are unprepared in the area of security and privacy compliance, and it is not coming back.
Finally, a question that often comes up is, “Do we need a security/privacy compliance program for our small business?” I posit that if you want to continue doing business, or to grow your business by working with other companies, you must have a security and privacy program (of appropriate scale) in place.
Joshua Carlson, Esq., CISSP
Joshua Carlson is an attorney and a security and privacy professional who has worked with numerous companies, including some of the largest retailers and global manufacturing companies. He performs privacy and security audits for companies of all sizes and provides guidance on security and privacy program development.
Added by jcarlson August 3, 2011 (10:18AM)