In the U.S., the SEC and the FTC are currently imposing sanctions and penalties on companies that were both breached and found to have violated privacy and information security requirements. The applicable law and the specific infraction vary from case to case, but poor security decisions by companies are clearly being scrutinized by both agencies.
A recent enforcement action under the SEC’s Privacy and Safeguards Rule (Regulation S-P) centered on three individuals who were fined for their actions. Infosecisland has a nice writeup from back in April, which can be found here. This article and the enforcement action behind it are relevant today, and applicable to all businesses and professionals in the information security and compliance space. Of particular interest is how the SEC framed the violation and the fine it applied. To illustrate, I have blanked out some of the names and added titles where appropriate below to create a MadLib-style ‘fill in the blank’ mental map of the enforcement:
The SEC alleged that the Chief Compliance Officer / ______ violated the rules by failing to supervise ‘the Sales Manager’ and ‘the President of the firm’, failing to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information, and failing to update the firm’s relevant policies and procedures following the information security breaches the firm experienced between 2005 and 2009.
Finally, the SEC alleged that, by their conduct, the three former executives aided and abetted ______ in violating Regulation S-P.
“The SEC imposed a fine of $20,000 on _____ and ____ and $15,000 on the Chief Compliance Officer (individually and personally).”
It is critically important to always do what is right, even though teams in the security and compliance space are sometimes worn down. The escalation of attacks over the past few years, the clear and growing potential for such attacks to damage governments and businesses, and the personal harm that can result only raise the bar.
Next steps: manage your business’s information security program methodically, and ensure it evolves along with the business relationships and the threats that exist both internally and externally. Standards provide a baseline, but they are certainly not the whole answer. Other considerations?