
Online compliance White paper December 2008

Understanding online regulations: the need to simplify and automate compliance.

Contents

2 Compliance in an online environment
2 Understanding online compliance demands
3 The high cost of noncompliance
4 Key legislation in the United States and Europe
6 Keeping up with financial services, pharmaceutical and healthcare legislation
7 Additional U.S. regulations
8 Automation is no longer optional
10 Needed: a broad and ongoing commitment
11 Conclusion

Compliance in an online environment

Organizations operating on the Internet, whether in the commercial or public sector, face a growing surge of regulations. Increasingly, detailed rules and laws governing online privacy and data security, as well as accessibility by disabled citizens, are being enforced with rigor around the globe. Penalties for noncompliance can be heavy, and the financial consequences of a damaged reputation are often worse.

In a well-governed organization, management teams need to ensure that their online operations adhere to a compliance and security policy as robust as their offline operations. This enables them to:

• Enhance customer trust and encourage Web site use.
• Create and maintain competitive advantage.
• Manage legal and regulatory risks.
• Reduce the cost of manual testing, recovery and fixes.

This paper discusses current compliance demands, and it reveals the benefits of instituting a comprehensive online compliance and security management program.

Understanding online compliance demands

Businesses with an online presence face compliance risks in three main areas:

• Privacy and data protection
• Site and application security
• Site accessibility

In addition, many organizations must contend with fair-trade rules, intellectual property protection, and regulations for specific vertical industries, including legislation governing security, product advertising and promotion, and records management. In many countries, the most stringent compliance rules apply to security and data privacy. These rules prohibit the exploitation of customer data without obtaining full consent, and they set requirements to protect data from security or privacy breaches.

The high cost of noncompliance

Regulators do not take security and privacy legislation lightly. Around the globe, failure to comply can engender high costs.

The United States has seen huge fines levied against big-name organizations in the IT, aviation, financial services, food manufacturing, fashion, online services and pharmaceuticals industries for violating key privacy and security measures. In Spain, organizations have been fined for improper data collection and failing to honor consumers’ requests to opt out of receiving marketing materials. In Germany, cases have been brought against companies for improperly using databases to send promotional e-mail. Elsewhere in western Europe, firms have been blocked from transferring personal data to countries outside the European Union. Similar fines were imposed in Italy for unlawful use of customer data for promotional e-mails, forcing some Italian companies to take down their Web sites. French authorities have mandated that companies give data privacy guarantees before allowing them to transfer employee data to other countries. And in the United Kingdom, the Advertising Standards Authority, the Information Commissioner and the Financial Services Authority (FSA) have taken enforcement action against Web sites and have levied fines.

In nearly every country, large numbers of cases go unreported because violators reach settlements with regulators. Sometimes the fix is as simple as taking down the violating site. But regulators often specify financial compensation — typically €50,000 or more per incident in the European Union. In addition to these overt costs, penalties can be incurred in other ways. It is difficult to quantify the toll that a security breach takes on a company’s reputation and the consequent cost of lost business. The impact is especially great on businesses whose main commercial channel is online, and in fields such as finance and healthcare, where consumer trust is paramount.

Key legislation in the United States and Europe

Although a comprehensive review of all regulations governing online business is beyond the scope of this paper, we can address a few regulations that affect large numbers of organizations.

United States

Sarbanes-Oxley Act (SOX)

SOX states that publicly held U.S. companies and their auditors must ensure that their online business is not vulnerable to unauthorized changes or manipulation by hackers or others. This act specifies recordkeeping and data privacy measures.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA establishes standards for electronic data interchange (EDI), security, confidentiality and protection of all private healthcare-related data.

PATRIOT Act

A wide-ranging law that substantially expanded the authority of law enforcement agencies, the PATRIOT Act affects Americans’ ability to regulate financial transactions, particularly those involving foreign individuals and companies.

Gramm-Leach-Bliley Act (GLBA)

GLBA governs the way that affiliated financial services companies can share customer information. It requires privacy and security policies, annual privacy notices, opt-outs for information sharing, and, under the Safeguard Rule, proactive steps to secure customer information.

European Union

Privacy and electronic communications regulations

These regulations impose tight restrictions on the use of tracking technologies such as Web cookies, as well as on direct marketing and the gathering of personal information through Web sites. In addition to clearly explaining why the hosting company uses cookies, the Web site must provide visitors with an option to refuse them. Any failing that compromises a user’s personal data may also be seen as a breach.

Safe Harbor principles

These are laws affecting the way organizations or their Europe-based subsidiaries can do business online. They govern organizations headquartered in the United States, U.S. subsidiaries of foreign businesses, and business partners of European organizations. Their aim is to simplify data protection issues, as the United States and European Union have different approaches to these topics. Companies must tell consumers why they are collecting information, provide an opt-out mechanism (opt-in for sensitive information), give them access to data the company is holding, and secure the data from unauthorized access.

United Kingdom Data Protection Act of 1998

This act is similar to legislation enacted in E.U. countries and the United States. It distinguishes between personal data and sensitive personal data. It governs the extent of data that businesses and organizations can collect as well as how it can be used, stored and processed. The Data Protection Act also states that information must not be kept for longer than required, and that organizations must take steps to prevent unauthorized data access, loss and destruction. Security breaches affecting personal data might also be considered breaches of the United Kingdom’s Communications Act of 2003.

International

World Wide Web Consortium’s (W3C’s) standards for accessibility

This international organization has defined a set of standards to help the elderly and disabled access and use Web sites. Many member countries have written laws based on these standards. For example, the United Kingdom has a vigilant disability discrimination act with Web site–specific regulations, and many E.U. countries have issued similar provisions. The United States specifies accessibility provisions in the Americans with Disabilities Act of 1990 and Section 508 of the Rehabilitation Act.

Keeping up with financial services, pharmaceutical and healthcare legislation

Many industries subject businesses around the globe to extensive, highly specific regulations. Some are designed to protect customer data and privacy, such as the Gramm-Leach-Bliley Act that is specific to financial services firms doing business in the United States. Others, such as Sarbanes-Oxley, have had a worldwide effect on businesses and have spawned the enactment of similar laws in most other Western countries. In Europe, financial services companies must comply with rules covering trading in shares and other securities, as well as establish their customers’ identity to prevent money laundering.

Across Europe, financial services businesses are governed by highly specific rules covering trading in shares and other securities, collective investments, deposit-taking and banking services, and lending. Regulations impose specific requirements on advertising for services, disclosing information and dispensing financial advice. Financial services companies and related businesses must also establish their customers’ identity to prevent money laundering — an obligation that applies whether the initial contact is in a branch, over the phone or via the Internet.

U.K. legislation includes the Financial Services and Markets Act, which is regulated by the FSA. In Germany, financial services firms are regulated under Germany’s Banking Act of 1961, as amended and supervised by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin). In France, regulation is split between the Commission Bancaire, Commission des Opérations de Bourse, and Conseil des Marchés Financiers. Although the European Commission is working on cross-border regulation, statutes vary across countries. Regulations are amended frequently, and it is up to individual businesses to ensure compliance with the latest provisions.

Pharmaceutical and life sciences industries are also tightly regulated, particularly in how they promote and advertise their products. In the United States, healthcare providers, such as clinics and hospitals, face tight controls from HIPAA on handling patient data and protecting privacy.

Additional U.S. regulations

Many major U.S. laws now include protective measures for online data. If you do business in the United States, you may need to understand provisions in the following legislation — which, keep in mind, is only a partial list:

• California Online Privacy Protection Act (OPPA)
• Children’s Online Privacy Protection Act (COPPA)
• Director of Central Intelligence Directive (DCID) 6/3 protecting sensitive compartmented information within information systems
• Federal Information Security Management Act (FISMA) of 2002
• North American Electric Reliability Council (NERC) security guidelines for the electricity sector
• Office of the Comptroller of Currency (OCC) Web linking rules
• Privacy and Electronic Communications Regulations (EC Directive) 2003
• The Security Breach Information Act (Senate Bill 1386)
• Section 208 of the E-Government Act of 2002
• Section 508 of the Rehabilitation Act
• Visa Cardholder Information Security Program (CISP)

Automation is no longer optional

Most large businesses have governance policies designed to ensure that their Web sites comply with relevant legislation. However, the size of these sites — sometimes thousands of pages — combined with an increasing volume of rules and updates, makes manual compliance checking far too time-consuming and expensive to be feasible. Nor can visual checks reveal all potential security flaws and vulnerabilities. Support from automated scanning tools that can quickly check and monitor complex Web sites is a necessity for organizations that need to reduce their exposure to litigation.

Automated support can yield other benefits as well, such as fewer technical support requests, fewer abandoned Web sessions and greater consumer trust in your online channel. Collectively, these changes help boost sales and improve customer retention.

Perhaps most important, automated tools enable software organizations to integrate compliance governance procedures into their Web application development and delivery process. It is far more efficient and cost-effective to address compliance concerns when you’re creating an application rather than when you’re fixing a deployed solution. Attempting to retrofit compliance measures into a noncompliant Web site is costly and not always effective; in fact, certain accessibility features cannot be retrofitted.

Automated reporting capabilities are also crucial, as businesses need to document that they have taken all reasonable measures to detect and correct compliance issues. Such evidence can reduce the severity of penalties if a breach is found and can also provide a solid foundation for site improvements.

IBM Rational® Policy Tester™ software is an automated scanning and reporting solution that addresses all of these needs. It is designed to support the governance measures that software and systems delivery organizations require to ensure compliance with privacy, quality and accessibility requirements, and to help reduce exposure across corporate Web properties.

Rational Policy Tester offers automated reporting capabilities that help developers document compliance issues before an application is deployed. Management dashboards in the software display graphical representations of issue severity history and issue management history.

Needed: a broad and ongoing commitment

A successful organizational infrastructure for compliance starts with an executive-mandated policy that commands the resources, attention and participation of the entire organization. When that policy becomes a corporate mantra, it can drive effective procedures and produce compliant products.

To create compliant Web applications, development teams need to understand that compliance is an ongoing commitment. Web sites constantly grow and change; you cannot simply conduct a predeployment compliance check and declare that an application is forever fit to run. Instead, organizations must build applications with flexible architectures and institute regular monitoring procedures to ensure that their Web pages remain compliant when changes occur in the regulatory environment or in the Web infrastructure.

In addition, teams must recognize that the need to comply with regulatory requirements — particularly those that protect sensitive and private data — applies to all Web applications, even those that run exclusively on intranets and extranets. Organizations that create stand-alone accessible sites apart from their main Web operations soon discover that they are pursuing a risky strategy. Such sites can quickly become out of date. And, unless they offer the full services of the main site, they may be branded as discriminatory and therefore subject to legal action.

Conclusion

As we have seen, the wealth of global regulations that govern privacy and data protection, site and application security, and accessibility makes compliance a primary concern for organizations that depend on the Web for a critical piece of their business success. When compliance policies have the sponsorship of senior management, they can become part of the culture and win enterprise-wide support. Using an automated tool such as IBM Rational Policy Tester software to build compliance into online applications and continuously monitor them for alignment with regulatory changes can help businesses stay in good standing with the law and minimize the time and resources they spend to do so.

For more information

To learn more about IBM Rational Policy Tester software, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/rational/offerings/testing/webcompliance

© Copyright IBM Corporation 2008. IBM Corporation, Software Group, Route 100, Somers, NY 10589 U.S.A. Produced in the United States of America, December 2008. All Rights Reserved.

RAW14099-USEN-00