Compliance Regulations & Marketing
Creating compelling marketing content and credible messages requires an in-depth understanding of compliance regulations and the vertical markets they impact. Buyers expect more than a simple claim that “our product helps you comply with SOX, HIPAA, GLBA, and PCI.” The challenge for security product marketers is to move away from broad, general claims to specific descriptions of how your product addresses individual requirements. Depending on the regulation and the vertical market, there may be additional guidance on how to implement the regulation, and there may be different regulating agencies. Mapping your product’s capabilities to these additional guidelines is key to establishing a credible compliance story. Training your salesforce to talk about compliance using the appropriate terms is equally important.
Consider two important compliance regulations, GLBA and PCI:
The Gramm-Leach-Bliley Act seeks to protect consumers’ “non-public personal information”, or NPI. In terms of its impact on IT security, GLBA includes two primary provisions: the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the institution’s information collection and sharing practices.
The GLBA Safeguards Rule is where most of the impact on IT security arises. The language and provisions found in the Safeguards Rule are too general to serve as the basis for a measurable security program. To add the required level of detail, a cross-agency group of financial industry regulators, the Federal Financial Industry Examiners Council (FFIEC), developed a set of more detailed requirements known as the Interagency Guidelines. The Interagency Guidelines are much more specific about the security program requirements and the detailed security measures that must be put in place.
Regulatory oversight and enforcement of GLBA and the Interagency Guidelines depends upon the kind of financial firm:
Banks: Office of the Comptroller of the Currency, Federal Reserve
Savings & Loans: Office of Thrift Supervision
Credit Unions: NCUA
Securities firms: SEC
Other financial institutions (mortgage issuers, brokers, insurance companies, tax firms): Federal Trade Commission
In the financial industry, the impact of failing to adequately protect the private financial data of customers and consumers is significant. Possible consequences of failure include fines from regulators, brand damage and loss of confidence among customers, lost business, and loss of market value.
The credit card industry developed the Payment Card Industry Data Security Standard (PCI DSS) to protect the personal financial information associated with credit card use. PCI DSS applies to firms throughout the payment card industry, from the smallest retailers to very large credit card processing agencies. It contains twelve high-level requirements, each of which has many more detailed sub-requirements.
PCI DSS applies to all participants in the credit card processing industry; however, the level of scrutiny and evaluation of compliance status varies with the size of the participant.
The consequences of failing to adhere to PCI DSS are considerable and can include losing the ability to accept credit cards for payment.