As with SOX, HIPAA concerns are best validated and verified by analyzing the application itself. The transformation of the requirements into software is naturally complex, and the multiple points of contact with the data demand that the applications themselves be analyzed for consistency in protecting that data.
SB 1386 is a California Senate bill that amended existing privacy laws to include stipulations requiring disclosure of privacy violations. These apply to organizations that maintain personal information on customers and do business in the state of California.
The narrow scope and lack of ambiguity in the legal wording has given regulators significant power in their ability to enforce SB 1386 in a variety of cases. In fact, there have already been many documented cases where companies have been found to be in violation.
For practical purposes, this bill has two specific compliance steps:
The most common examples driving disclosure involve the accidental loss of data stored on physical media, e.g., back-up tapes and laptops. In these events, disclosure is required because of the unencrypted state of the data.
Use of encryption for data-at-rest and in-transit will minimize a company’s exposure. But companies should beware: encryption is often implemented incorrectly. As such, they should seek guidance and tools to help with implementation and verification of proper encoded data.
Understanding compliance can be difficult, and there are very few resources that map regulatory requirements to software development or management requirements. However, the difficulty in understanding the legislation does not lessen its importance. The ramifications of non-compliance are very real risks to a business.
The regulations themselves may be complex, but meeting their requirements doesn’t have to be. It boils down to following a few critical steps:
Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.
Jack Danahy is founder and CTO of Ounce Labs, a provider of software security assurance.