The Big 5 Compliance Laws

Updated: April 30, 2009

As the government places an increasing number of compliance requirements on businesses, IT departments are struggling to keep pace with the increased workload. A study conducted in 2006 by technology research firm Gartner Inc. estimated that 10 to 15 percent of that year's corporate IT budgets would be spent on financial compliance management. According to Gartner Inc., professional services focused on consulting, audits, process management/workflow, documentation and planning are responsible for most compliance expenses.

Here's a look at the five big laws that are driving regulatory compliance and the burdens they place on IT departments:

The Sarbanes-Oxley Act of 2002
Enacted in response to a series of high-profile financial scandals, the Sarbanes-Oxley Act (SOX) is designed to protect shareholders and the general public from enterprise accounting errors and fraudulent practices. The act is administered by the SEC (Securities and Exchange Commission), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records. Instead, it defines which records are to be stored and for how long. Sarbanes-Oxley is concerned with ensuring that internal controls, or rules, are in place to govern the creation and documentation of the information in financial statements. Since IT systems are used to generate, change, house and transport that data, IT departments have to build the controls that ensure SOX-relevant information stands up to audit scrutiny.

The Health Insurance Portability and Accountability Act of 1996
Created to establish standardized mechanisms for EDI (electronic data interchange), security and confidentiality of all health care-related data, the Health Insurance Portability and Accountability Act (HIPAA) features two distinct sections. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section that concerns the standardization of health care-related information systems. To organize and protect medical records, IT departments need to invest in and operate an array of technologies, including EMR (electronic medical record) solutions, firewalls, remote monitoring systems, intrusion-detection technologies, auditing software and encryption programs.

The "Do Not Call" List
A registry of U.S. phone numbers that telemarketers are prohibited from calling under most circumstances, the "Do Not Call" list is maintained by the FTC (Federal Trade Commission). Consumers can contact the agency to have their numbers registered. Organizations are prohibited from making calls to sell goods or services to any numbers consumers list with the National Do Not Call Registry, and violators are subject to substantial fines. IT departments need to install software and policy safeguards that ensure outbound call centers don't violate the law's provisions by contacting individuals on the "Do Not Call" list who have no direct business relationship with the organization.

The "Can-Spam Act" of 2003
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, informally known as "The Can-Spam Act," allows courts to set damages of up to $2 million when spammers break the law. Federal district courts are allowed to send spammers to jail and/or impose triple damages if the violation is found to be willful. IT departments need to install software and policy safeguards that ensure that bulk emails don't violate the law's provisions.

The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act, is a federal law designed to control the ways financial institutions deal with consumers' private information. As with other privacy-related mandates, affected IT departments need to spend heavily on data-protection technologies.

Enterprises and their IT departments should look for compliance solutions that simultaneously satisfy multiple regulations covering several business units. At the same time, IT managers and their bosses should adhere to a sensible strategy when deciding on a solution and not rely on a stopgap measure to comply with a single regulatory act. Organizations that choose one-off solutions for each regulatory challenge could spend up to 10 times more on IT compliance solutions than counterparts that take a sustainable programmatic approach.
