With the advent of big data, businesses today are managing databases of unprecedented size and complexity. With that size and complexity comes myriad legal and compliance challenges.
Foremost among them is the almost insurmountable task of complying with an alphabet soup of privacy and data security laws and regulations. In addition to local, state, national, and even international laws and regulations, there are many other potentially applicable standards and guidances.
In the financial services and healthcare industries, there are many non-binding, but strongly recommended, guidances from a variety of regulators. There are also contractual standards, such as the Payment Card Industry Data Security Standard ("PCI DSS"), which governs cardholder information in credit card transactions. Finally, there are various industry standards for information security published by organizations like the Computer Emergency Response Team ("CERT") at Carnegie Mellon and the families of standards from the International Standards Organization ("ISO").
Reconciling all of these laws, regulations, standards, and guidances can be, at best, a full-time job and, at worst, the subject of fines, penalties, lawsuits, and, frequently, very adverse publicity and loss of business. In many instances, these obligations are vague and ambiguous, with little specific guidance as to compliance. Worse yet, the laws of different jurisdictions may be, and frequently are, conflicting. One state or country may require security measures that are entirely different from those of another state or country. Finally, the creation and use of the extremely large databases constituting "big data" is a relatively new phenomenon that has not yet been fully tested in the courts, particularly with regard to privacy and security issues.
The challenges of compliance with this ever-increasing morass of laws, regulations, standards, and contractual obligations can be overwhelming. Even if no personally identifiable information is at risk, businesses have obligations to implement appropriate security measures to protect other highly sensitive information relating to, for example, their trade secrets, marketing efforts, business partner interactions, etc. All too often, businesses become fixated on a single tree or branch in the forest of laws, regulations, standards, and guidances and fail to appreciate, or even see, other nearby trees and their relationships; they seldom step back far enough to gain an overall view of the compliance forest.
We have sifted through various privacy and security laws, regulations, and standards to identify three common, relatively straightforward "threads" that run through many of them. By understanding these common threads, businesses can better understand their overall information security and compliance obligations with regard to big data. With this understanding, businesses may more readily address not only their current obligations, but have a framework for assessing new laws, regulations, and standards that may arise in the future.