Friday, January 19, 2007

Comply, Submit, or Obey?

A post and response from computerworld.com and cogent commentary from Mike Rothman.
My issues are primarily with Eric Ogren who cites "the only two effective regulations."

1. Executive accountability of SOX.
Accountability is a good idea, and formalized some of the accountability that existed de facto. However, it is currently implemented by a legion of auditors with blank checklists seeking billable hours. Accountability could be frightening to the honest CEO, but SOX will just double the thrill factor for the corrupt.

2. SB1386 Disclosure
SB1386 as a shaming device? I believe it was designed to function as a means to protect the consumer. If its objective was to shame the violating corporations in the marketplace, it has failed. I believe there is sufficient evidence that public notification of a privacy breach is not a significant indicator of long-term market performance. Other non-security, non-privacy related factors have more influence, and the investing/consuming public has become somewhat inured to notification after 2006's breach-o-palooza notification blizzard. If it were designed to punish corporations, it would have provisions for fines, jail time, drawing and quartering for the execs (not unlike SOX). Market impact is a mild, short-term side effect, equivalent to the postage and printing of notifications.

EO also cites the ineffective enforcement of HIPAA and PCI "regulations." Well, I'll go along with HIPAA, which was a bitter sausage long in the making, shoved in a casing of some of the weakest enforcement mechanisms this side of the FDCPA. I don't understand all the byzantine economics of the health care industry, so I have a hard time imagining an FFIEC corollary that could oversee physicians, dentists, hospitals, clinics and insurance companies.

But PCI compliance brought CardSystems to its knees precisely because it was not a regulation, but a business agreement.

All in all, I have to agree with Rothman. I'll even go beyond that. Compliance is a by-product. If your focus is on protecting the customer's information, compliance will occur. If your focus is on compliance, you will likely waste resources chasing the wrong rabbit down the wrong rabbit hole, and never really achieve your objective. So, what are you trying to do?
