Regulatory Compliance

The term regulatory compliance refers to the adherence of an organization to the laws, specifications, regulations, and standards required for an industry. Companies in each industry face unique criteria specific to their industry, and must meet those conditions. Enforcement of standards varies by industry and situation, though penalties for failing to meet them can be severe.

Many regulatory standards exist to protect individuals’ and companies’ data. Examples of protected data include driver’s license numbers, social security numbers, account numbers, credit card numbers, medical records, claims submissions, and any other private information.

Federal Regulations

If you are doing business in the US, here are some of the most important regulations, described in relation to their impact on performance:

Gramm-Leach-Bliley Act (GLBA), 1999
GLBA is focused on protecting the privacy of consumer information held by financial institutions. It requires companies to provide consumers with privacy notices that explain the financial institutions’ information-sharing practices. Consumers have the right to limit some sharing of their information. User access to systems must be recorded and monitored for potential abuse of that data. This requires logging and access controls, which can impact performance.
Health Insurance Portability and Accountability Act (HIPAA), 1996
HIPAA includes a few key goals. The act requires the protection and confidential handling (encryption) of protected health information (PHI), gives American workers the ability to transfer and continue health insurance coverage for themselves and their families when they change or lose their jobs, and mandates industry-wide standards for health care information for electronic billing and other processes. User access to systems must be monitored, and data must be secure throughout all transactions. The requirements for confidentiality and access control can impact performance.
Sarbanes-Oxley (SOX), 2002
The purpose of the SOX Act is to oversee financial reporting processes for finance professionals. It includes reviewing legislative audit requirements and protecting investors through more accurate corporate disclosures. The act established a public company accounting oversight board and deals with issues of auditor independence, corporate responsibility, and enhanced financial disclosure. User access, including login and transactions, must be recorded and monitored, adding overhead to all activity.
Children’s Online Privacy Protection Act (COPPA), 1998
COPPA prohibits websites from collecting personally identifiable information from children under 13 without parental consent. It mandates website operators to collect only “reasonably necessary” personal information for an online activity. Recent revisions (2013) to this act address changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. The modified rule widens the definition of children’s personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings. Requiring an online “permission slip” adds system activity to check if permission has been granted, in addition to the overhead of the transactions required to obtain the authorization initially. Rules for captured data must also be configured to support this data access. This requires access controls, which can impact performance, as the authentication and authorization requirements require additional system activity for each request.
Family Educational Rights and Privacy Act (FERPA), 1974 and 2011
FERPA is intended to protect the rights of students and to ensure the privacy and accuracy of education records. The act applies to all institutions that are recipients of federal aid administered by the Secretary of Education. It prevents the disclosure of personally identifiable information (PII) in a student’s education record without the consent of a parent or eligible student. As with COPPA, the checks for permission to access data—including rules, access controls, and authorization checks for each system request—result in additional system activity.

International Laws and Regulations

Globally accessible applications may need to comply with multiple laws and regulations from other countries. An example of this is the European Union (EU) Data Protection Initiative (Directive 95/46/EC), which requires protecting the privacy of all personal data collected for or about citizens of the EU. In these cases the application architect must consider if it makes sense for the application to adhere to a superset of regulations, if one can be found (e.g., use the highest encryption level that is required across all the countries), or to selectively implement different regulations based on each country. Multiple code bases may be practical, with the goal of achieving optimal performance for the user base.

For example, the security requirements for 10% of users may impact performance severely for those users; the other 90% of users may require a lower level of encryption, and implementing a two-tiered system can result in increased performance for the vast majority of users. The trade-off is based on the performance impacts of implementing different levels of regulations versus the operational impact of managing the diverse implementations. The latter may require multiple deployments of some components based on country, or additional code complexity to handle the country differences.

The Foreign Corrupt Practices Act (FCPA) is also worth noting. FCPA prohibits companies from paying bribes to foreign political figures and government officials for the purpose of obtaining business. Many companies may use third-party vendors as representatives in foreign countries. This isn’t as much of a technical issue but may hinder a company’s ability to choose vendors.

The Primary Challenge

Considering these well-known regulations, which represent a subset of federal regulations, it quickly becomes apparent that systematic controls must be put in place when building systems to ensure compliance. The primary challenge and objective is achieving the non-functional goals of performance while meeting key regulatory requirements with regard to access control, confidentiality, and logging.
