The United States is an exceptional country in many ways, not least of which is that we don’t like doing what governments tell us to do. It’s in our moral fiber to rebel. One telling example of this was expressed in a historical article comparing US railroads to European railroads in the nineteenth century.
What does this have to do with Information Security? Bear with me. It’s fun.
Featured in the article were two railroad maps – one American, the other French – that had the character of our two societies perfectly explained. The French railroad map looked like an elegant spider’s web. The routes were well planned for efficient coverage and population movement between and to cities. There was one gauge of track so one train could ride any rail throughout the country. The US map looked like shattered glass. Utter mayhem. All different gauges so if you were moving wheat from your farm in Kansas to New York, it needed to stop in several places to get moved to a train that could carry it up to, say, Richmond, and get loaded onto another to Newark and then, by the time your wheat was spoiled it arrived, finally, in New York City.
Why the difference in railroads? The French were happy to have the government’s engineers design the nation’s railroad. In the US . . . everyone wanted their own railroad and knew how to do it better than anyone else. So US local railroad entrepreneurs created inefficiencies in moving people and goods. It wasn’t until the demand for business efficiencies got to a certain level that railroad barons took ever these rails and standardized the gauges so Kansas wheat would not spoil on its way to New York.
In the U.S. it often takes market pressure to move business forward, whereas in Europe, central planning moves business ahead.
So when HIPAA’s security rule was found languishing for years, only making moderate inroads, the American Recovery and Reinvestment Act forced covered entities (hospitals and insurers) to demand that their vendors also become HIPAA compliant. It was through business contracts that companies started to care about being compliant. The Massachusetts law CMR 17.00 that forces companies to protect personally identifying information from breach also demands that they require from their PII-carrying vendors evidence of their compliance.
So contracts (business drivers) are being used by laws to make information security spread through business . . . like standard gauge tracks over the continental US. (The metaphor paid off, right?)
Now add to that the trend we’re seeing of major US companies who are pushing their vendors to become ISO 27001 compliant or EU Safe Harbor compliant. You know why? Because these are covers-all-bases security and privacy standards that can ensure that whatever information security requirements come your way, you’ll be ready.
So like it or not . . . even if you’ve been able to sneak under the legal radar, the requirements are coming your way via client contracts. So if you want to stay in business . . . it’s time to get command of this new business standard.