One of the interesting things about architecture to me has always been finding a happy medium between what a business can afford and what it really needs to get done. For a long time, I have been a big proponent of adding small chunks of architecture to existing projects to gradually get things done. In a lot of cases this really works, but sometimes external forces come into play that make me hold up the banner and really push for architectural change as a project on its own.

Thanks to the local, state, and federal governments that have a direct effect on me and my job, I'm holding up the banner today. We are in big trouble and now the sins of the past are going to start costing us money. We haven't been creating systems that were as secure as they should be for a variety of reasons. I'll be sarcastic here but you'll get the point. Developers don't care about infrastructure. IT pros don't care about development. Management is very rarely built into applications at the core. Bean counters aren't being exposed to the risks associated with minimalist implementation budgets. On and on...

So here are the things that scare the crap out of me, and they aren't technology. They are the well-meaning politicians of our country creating laws without an understanding of the direct cost associated with them. There is uproar over something and they create a law with advice from their yes-men to supposedly fix the problem. Too bad they can't buy a clue about technology and don't understand that you just can't throw a switch to implement their great ideas.

First, for financial institutions we have the FTC Safeguards Rule:

The Rule will require financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must:

  • Designate an employee or employees to coordinate its information security program.
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of information and assess the sufficiency of any safeguards in place to control the risks.
  • Assure that contractors or service providers are capable of maintaining appropriate safeguards for the customer information and requiring them, by contract, to implement and maintain such safeguards.
  • Adjust the information security program in light of developments that may materially affect the entity's safeguards.

And if you get it wrong, here is an example of what happens (Read the complaint): Federal Trade Commission File No. 052 3136

If that doesn't scare you enough, maybe these will (from http://www.privacy.ca.gov/lawenforcement/laws.htm )

Financial Information Privacy Act, California - Financial Code sections 4050 - 4060
This law prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent, as provided. It provides for a plain-language notice of the privacy rights it confers. The bill requires that (1) a consumer must "opt in" before a financial institution may share personal information with an unaffiliated third party, (2) consumers be given an opportunity to "opt out" of sharing with a financial institution's financial marketing partners, and (3) consumers be given the opportunity to "opt out" of sharing with a financial institution's affiliates, with some exceptions. When an affiliate is wholly owned, in the same line of business, subject to the same functional regulator and operates under the same brand name, an institution may share its customers' personal information with the affiliate without providing an opt-out right. It takes effect July 1, 2004.

AND


Security Breach Notice - Civil Code sections 1798.29 and 1798.82 - 1798.84
This law requires a business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or state ID card number, or financial account numbers. The law's intention is to give affected individuals the opportunity to take steps to protect themselves from identity theft.


AND


Social Security Number Confidentiality - California Civil Code sections 1798.85-1798.86, 1785.11.1, 1785.11.6 and 1786.60
This law restricts businesses and state and local agencies from publicly posting or displaying Social Security numbers. It also bans embedding SSNs on a card or document using a bar code, chip, magnetic strip or other technology, in place of removing the number as required by law. The law takes effect gradually, from 2002 through 2007.


After speaking with many businesses, these laws are a simple matter of risk/reward. In some cases it will cost them millions of dollars to go back and completely correct all of the issues with their systems OR hundreds of thousands of dollars in penalties when they get caught. If you were the CFO, which solution would you choose? Probably wait and pay the penalty, because you don't have the budget anywhere to fund the fixes. But what if you were the CEO who had to worry about your company's reputation and its effect on stock price? Maybe if you understood the risk to the bottom line of your business you might find a way to open up some budget to fix the problems, or at least get a handle on the extent of the problems.


Yes, I completely understand that most of these things are GOOD for society at large, but this is again another great display of the government not applying the same rules to technology as they do to other industries. Or is our industry just doing a horrible job of keeping up on legislation that is affecting us, educating lawmakers and providing more balanced guidance to help solve these problems? The parallel I'll draw is this: what if the government told the auto industry tomorrow that every car being built next year needed to run on hydrogen? They could do it, but at what cost? The auto industry spends a lot of resources making sure that changes like this take place over decades and not months.


These are serious issues affecting both our business and our customers today, and much of the blame lies directly on our doorstep, but many of these issues were not known ten or even five years ago, so why should we have the burden of trying to correct them overnight?


What do you think?


-Scott