Keep the Government Off Your Back

Once upon a time, IT managers could be content to be experts on servers, operating systems and networks. But not anymore. Now, add public policy to that list. The trend in government, both domestically and internationally, is toward more regulation that affects technology. And IT managers say they have no choice but to examine how to keep the government out of their companies' systems.

"Any company that is becoming involved with the Internet has to keep abreast of what the feds and the state governments are doing," says Ken Cohn, CIO at Potomac Electric Power Co. (Pepco) in Washington.


Regulation can affect how a firm stores and shares data, and staying up-to-date is "part of the job nowadays," says Jerry Rode, IT director at Saab Cars USA Inc. in Norcross, Ga.

There are three major regulatory issues that should be on your radar screen this year: privacy, taxation and security. Privacy concerns are prompting regulatory action in Congress, and a further tightening of controls is expected in Europe. As for taxes, governments worldwide are searching for ways to ensure that e-commerce transactions won't undermine sales tax collections (U.S.) and value-added taxes (Europe). Businesses are also seeing a government demand for improved data security as a matter of privacy and national security.

"I think we're going to see more government regulation, both on the federal and state levels," says Cohn.

The specter of more regulation makes improved interaction between the CIO and other business units an imperative. For instance, this past summer, Pepco created a security committee led by its general manager of internal audit. Its members include the CIO and representatives from legal and government affairs. The committee is working to ensure that physical assets and cyberassets are protected from intrusion and that all of the company's key departments are kept informed of government regulatory and legislative activities, says Cohn.

Companies must ensure that they have mechanisms in place for sharing information, says Robert Rothman, director of legal affairs at e-GM, the e-commerce division of General Motors Corp. in Detroit. Rothman is part of that division's management board, whose members include IT as well as representatives from the company's other major business units. All of these managers discuss government regulation issues, he says.

Decisions are made with input from all parts of a company today, says Rothman. "It would be foolish to try to silo that stuff - that doesn't work," he says.

Help Shape Regulation

The key is to get involved; don't just wait for regulation to arrive.

Many Fortune 1,000 companies have government affairs offices to lobby, monitor and report on regulatory trends. But as an IT manager, you also have the power to directly influence the outcome of legislative and regulatory issues.

Peter Browne, who heads information security at Charlotte, N.C.-based First Union Corp., is among those in IT who take an active role in shaping regulation.

You have to be proactive and interactive with government bodies on issues that affect your systems, Browne says. He does so, in part, by making sure he responds in writing to requests for comment by government agencies on regulatory proposals, such as the information security regulations for financial institutions that are being developed by the Office of the Comptroller of the Currency, the Federal Reserve and other regulatory agencies.

And get involved with others who share similar concerns - there's strength in numbers. CIOs should network on government issues and attend industry meetings.

"It's really going to be tough if everybody tries to go it alone. I just don't think that's going to work," says Ronald Plesser, a Washington attorney who represents several companies on privacy issues.

Keep an Eye on Washington

Most experts say they believe that Congress will almost certainly pass some kind of comprehensive privacy legislation in 2001 that will affect e-commerce. But almost any legislation, no matter how broadly written, could have a very detailed impact on a company's systems, so it's important to stay in the loop.

For instance, when Congress approved the Gramm-Leach-Bliley Act in 1999, the landmark financial-modernization measure included a provision on consumer privacy and the security of consumer information. The language in the legislation was very general, but it led to a lengthy and complex series of proposed rules written by federal regulators that may affect financial services in very specific ways.

The proposed rules would require safeguards such as penetration testing by an independent third party or internal independent party, encryption of data and increased responsibility for an outsourcer's data security practices.

The health industry is facing similar regulatory controls through the Health Insurance Portability and Accountability Act, passed by Congress in 1996, which also mandates data security protections. As part of that ongoing regulatory effort, the U.S. Department of Health and Human Services recently unveiled standard formats for processing claims and conducting other administrative tasks electronically.

"We're starting to see regulatory interest" in security issues, says Robert Miller, deputy director of the federal U.S. Critical Infrastructure Assurance Office in Washington, which has been working to increase national security through improved data protection in government and in the private sector.

"This is hardly coordinated government regulation; this is not being done by the administration, but I think it's a harbinger of where informed opinion is coming out on this," says Miller.

Run a Textbook Network

Privacy abuses and more security breaches at companies could also spur government regulation and legislation. Congress has expressed enormous interest in these areas and holds hearings on the latest headlines, such as this past year's massive distributed denial-of-service attacks. Congress has been critical of companies that either publish convoluted online privacy policies or don't post their policies at all, so make sure your policy is posted and to the point.

A good defense is to "be on your best behavior and essentially run a textbook network," says Karl Dubendorf, an information risk expert at KPMG LLP in New York. "What I think that sends [is a message] that we're responsible" and that IT doesn't need the government to be "looking over our shoulders to see that we do our job right."

In this regard, industries would be much better off regulating themselves, says Mark Barry, vice president of IT at Chicago-based railroad car provider TTX Co. and president of the Chicago chapter of the Society for Information Management.

"We jealously guard all information about business partners and users because we consider it a competitive advantage, not because the government told us to," says Barry.

But regulation, he says, will be primarily aimed at companies that sell to consumers, where data protection is more of a public issue with lawmakers, and not at business-to-business firms. "I think [business-to-consumer] models are more subject to regulation because consumers want their rights protected and their privacy protected," Barry says.

Join the Tax Debate

You'll also need to weigh in on the online tax question this year. Thirty-seven states are currently at work on plans to simplify taxes through legislative changes and the development of a system for handling sales tax transactions over the Internet. The states might create a third-party intermediary for online tax collection between a business and consumer. As envisioned, such a third party could reduce the administrative burden for businesses by collecting taxes and ensuring that the states get their shares.

Many states rely heavily on sales taxes to fund basic services and see the expansion of online sales as additional revenue for their tax bases, say experts. Businesses will need to consider how debate over this issue may ultimately affect their e-commerce systems.

"The states aren't going to give up on this; it's just too big. So they are going to strive to find a way to get that revenue," says Kent Johnson, a tax expert at KPMG.

"Companies ought to get involved in the process, because they are going to have to live with the result," he says. "If they are involved in the process, they can at least have a say in fashioning it."




Stay abreast of government actions. Big-picture legislation can affect systems in complex and specific ways.


Respond to government requests for comments on regulatory proposals, and network with others in the industry.


Be good. Lawmakers are on the hunt for examples of privacy abuses and security breaches to illustrate the need for new laws.


Copyright © 2001 IDG Communications, Inc.
