Wednesday, October 24, 2012
Compliance Criteria for RetireYourWay: Hypothetical Case Study
RetireYourWay Compliance
Executive Summary
There are many compliance-related issues that must be considered by any company planning on doing business. While the punitive measures for noncompliance differ, as do the drivers of the business, each framework requires a fair amount of work. Whether it is PCI, HIPAA, SOX, or OPPA, the main issue to consider is information management. One has to review all the rules and consider the risks of noncompliance. Staying in compliance with PCI may cost quite a bit, but so does noncompliance; for example, it can mean the loss of the ability to accept payment cards.
Introduction
When organizations begin to operate, there are a number of issues the company's leadership needs to consider with respect to compliance. Depending on the type of business, numerous hurdles may be faced on the road to success. The business, its location, and its clientele are all important factors that need to be considered under compliance frameworks. When RetireYourWay decided to enter business, their goals may have been simple; however, there are a number of compliance-related changes RetireYourWay must make to how it does business in order to maintain its high level of success.
Payment Card Industry
Whenever payments are accepted via debit or credit cards, the Payment Card Industry (PCI) standard must be addressed. PCI was originally created in 2006 (ControlScan). PCI relates to any company that accepts, transmits, or stores cardholder information from American Express, VISA, MasterCard, Discover, and JCB. This framework has everything to do with the financial drivers of RetireYourWay. They use a special credit card that rounds the purchase amount to the nearest $0.50 and provides a 1% reward. The cards are also used to withdraw money, and rewards are given again for withdrawals. Whether RetireYourWay processes the cards themselves or chooses to use a third-party vendor, there are stiff consequences for noncompliance.
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. (ControlScan)
One way to avoid this potential repercussion is to have their system scanned by an approved vendor and then make any adjustments accordingly. For example, if they have web transactions, using a vendor like WhiteHat to scan the website will provide expert advice on what needs to be addressed to remain in compliance.
Sarbanes-Oxley Act
By the sheer fact that RetireYourWay is a publicly traded company, they also fall under the compliance framework of the Sarbanes-Oxley Act (SOX). Of all the frameworks, this is by far the most challenging to set up correctly if it is not started toward the beginning. SOX is a regulatory process whose goal is simply to provide transparency within the leadership of the organization. SOX primarily relies on audits to enforce the transparency it demands.
A traditional IT audit typically focuses on component, subsystem and sometimes on the system level auditable issues of the environment being audited with a strong bias towards security matters. Sarbanes IT audits add an entire layer of governance, financial, and controls matters to the audit process. The literature documents that a Sarbanes IT audit would rarely delve deeper than the system level since the primary objective of the Sarbanes audit is to assure the CEO, CFO, and Audit Committee that the financial information that is in the IT systems and being reported to the SEC is accurate and reliable. (Seider, 2004)
When a company does not foster a sense of transparency by nature, or lacks an understanding of the need for it, compliance becomes considerably more of a hassle. According to Seider (2004), the point is to ensure the Securities and Exchange Commission (SEC) receives all the correct data, but in the event that does not happen, the aforementioned executives are squarely in the bull's-eye. All fines and punitive measures would fall directly on them.
Health Insurance Portability and Accountability Act
Because RetireYourWay has its own onsite health and fitness facilities, they also fall under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires specific procedures and notifications for medical files. Even if they are only internal employee health files, RetireYourWay is still subject to this framework. One point to consider is whether or not they transmit employee health data electronically. If so, they are definitely required to comply with HIPAA.
The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. (HHS.gov)
If RetireYourWay does not provide their employees access to their records online, then they need not comply with HIPAA regulations (HHS.gov). However, given the size of the organization, there is a strong possibility that they will offer online access to their staff for self-service of medical and fitness records.
California Online Privacy Protection Act
One other major framework to comply with is the California Online Privacy Protection Act of 2003. This act requires companies that either operate in, or have consumers in, California to post privacy notices on their websites.
OPPA's reach extends beyond California's borders to require any person or company in the United States (and conceivably the world) that operates a Web site that collects personally identifiable information from California consumers to post a conspicuous privacy policy on its Web site stating what information is collected and with whom it is shared, and to comply with such policy. (Cooley, 2004)
What this means is that the company must publish its privacy policy on its website and must, among other things, notify its California-resident employees in the event of a data breach. A notable aspect of this framework is that it is tied to a geographic region and a particular group of people. Because the rule applies to California residents rather than to the individual organization, the law is much more powerful than other regulatory compliance laws.
References
ControlScan. (n.d.). PCI FAQs and Myths. Retrieved October 19, 2012, from PCI Compliance Guide: Guide to Data Security Standards website: http://www.pcicomplianceguide.org/pcifaqs.php#8
Cooley LLP. (2004, June 29). California Online Privacy Protection Act of 2003. Retrieved October 20, 2012, from Cooley LLP website: http://www.cooley.com/57676
Department of Health and Human Services. (n.d.). Understanding Health Information Privacy. Retrieved October 20, 2012, from Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
Seider, D. (2004). Sarbanes-Oxley Information Technology Compliance Audit [PDF]. Retrieved from http://www.sans.org/reading_room/whitepapers/auditing/sarbanes-oxley-information-technology-compliance-audit_1624