The legal requirements for software companies servicing the financial or healthcare industries as well as the Global 2000 keep mounting. We are all familiar with intellectual property protection and why it’s necessary, but current concerns about fraud and the release of confidential data keep escalating.
Due to the highly publicized breaches of credit card and social security information like T.J. Maxx and others, both government agencies and companies that are sensitive to data breaches (pretty much everyone today over a certain size, but certainly institutions in the financial, e-discovery and health care areas) keep adding greater and greater safeguards.
One Federal law that mandates a variety of controls to protect against identity theft is the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub. L. 108-159). Massachusetts has also passed a new law (201 CMR 17.00) regarding the securing of confidential data. It is so tough that some financial organizations are already using it as their standard for security even though they’re not Massachusetts-based companies. (Good thing for us – we’re in Massachusetts and have to conform anyway.) The law only took effect in May 2009, so you know that companies are very concerned about being as timely as they can be with regards to conforming to the latest security standards.
Additional new concerns that we’re finding in customer agreements relate to background checks on employees and contractors, testing for OWASP Web application security vulnerabilities, mandated threat modeling against your software, review of development practices and financial health, heavy insurance requirements and more.
The challenge many companies find today is how to satisfy customers’ legitimate requests for confidentiality and security without being overly constrained in operating their business. It is the cost of doing business today, but is it eliminating some of the smaller companies that are not equipped to handle the challenge?