
that could threaten that data? Also, has there been a study to measure the
risk associated with that site as compared with others?


If a vendor is responsible for managing data, is there a system of accountability
for what happens if an incident occurs? An example could be stipulations —
such as penalties or assurances — dealing directly with such issues in a
service level agreement.


Other risks that require policies in order to deal with the potential for such a
scenario playing out include loss of intellectual property, leaking of customer
information, and more. We discuss these issues in greater detail later in the
chapter, but the larger point here is that governance as it concerns risk is
about ensuring business continuity and mitigation of financial risks based on
and with regard to the IT resources of the company.


In terms of compliance


If your company operates across state and national boundaries, or it hopes
to one day do so, compliance extends far beyond SOX or even HIPAA (the
Health Insurance Portability and Accountability Act). Here’s a quick rundown
of some of the data privacy regulations around the world. Remember that, to
date, the U.S. takes this topic less seriously than other regions:


Europe: The European Data Protection Directive, which has shaped
legislation in each member country

Canada: Personal Information Protection and Electronic Documents Act

Japan: Personal Information Privacy Act

States within the U.S. are also getting into the act to shore up protections
they may feel the federal government is moving too slowly on. For example,
according to the Data Governance Institute (DGI), the California Security
Breach Information Act requires state agencies, nonprofit institutions, and
companies, regardless of geographic location, to notify their California
customers if personal information maintained in digital format has been
compromised. (The DGI is a very good resource for those interested in
learning more on IT compliance issues. For more info, see their Web site
http://www.datagovernance.com.)


The California Security Breach Information Act means that if you do business
via the Internet on your Web site hosted in, say, Massachusetts and you collect
shipping addresses and credit card information in order to send and process
orders and you believe that your security was compromised, you have to
notify each customer in California who may have been affected. Simply placing
an ad in the newspaper is not enough. California is not the only state with such
a law — Arkansas, Connecticut, New York, Delaware, and many others have
passed their own versions.


Chapter 14: IT GRC 269