A Culture of Compliance or a Culture of Security?

In 2007 the Federal Trade Commission published a small booklet called Protecting Personal Information, a Guide for Business. It lays out steps any business should look at to improve its internal security practices. One of the paragraphs begins, "Create a Culture of Security". That term stuck with me and has become part of my personal lexicon when I talk about data loss in a business setting.

GLB and the new Red Flags Rule lay out in pretty specific terms a short list of simple steps every business needs to adopt across the board regardless of the industry. There are fundamental file types shared by all businesses like payroll and HR records, receivable accounts, and so forth that need to be safeguarded. Add to that client personal information, patient records for medical organizations, company intellectual property and strategies, and then the access other businesses have to that information by way of contract arrangements, and you have quite a lot to keep track of. Therefore, whether a business is an accountancy covered by GLB, or a bank subject to FACTA Red Flags, or any other business type, a written identity theft prevention and response policy adopted by a board or owners is the basic element. From that policy flows company-wide training, and documentation. Next, oversight into the identity theft prevention policies of the other businesses that can access the information makes sense to tie the program together.


Whether it is apparent or not every business looking into adopting an identity theft strategy has two basic choices in philosophy as to how they will approach their program.

First is what I call a Culture of Compliance. A culture of compliance is simply that. Looking at the letter of law and taking the traditional step by step route of signing off on each point of compliance. Now, this business might well be concerned about losing valuable information, and implementing their program for all the right reasons, but is their goal more skewed to compliance and business liability, or to lowering the risk of identity theft? The reason I say that is not to impugn anyone’s compliance program but to point out a subtle difference that can make a very large difference in how effective the program will be when it is put to the test. Compliance is almost always a top down policy adopted by management, explained in some detail to department heads and managers, and then finally presented to the rank and file as the new way to perform certain tasks. Employees are then instructed to sign off that they understand the new procedures, and that’s pretty much it.

Now on to the second choice a business has, a Culture of Security. In this mindset the policy begins in much the same way by being adopted by the board and then explained in detail to department heads, etc. Here is where the different mindset comes into play. It needs to be understood that no matter how simple or extensive a program it is the employee that protects the information, not management or department heads. While ultimately responsible management doesn’t necessarily handle the data personally. So it is essential to thoroughly educate the staff. Not just the IT or records keeping personnel but all staff.
Identity theft is a real crime with real victims. I don’t know anyone that doesn’t at least know one victim of identity theft. It touches all of us in some way. I hear devastating stories from victims all the time. This is at the heart of why a company needs such a policy. Certainly the business logic of preventing data loss is key to survival. I don’t want to minimize that, but I also don’t want to minimize the risk to the employees themselves, or the individual client. Their lives can be ruined by identity thieves in a number of ways. That can have a serious impact on the business too, from lost work-time to loss of public confidence and potential loss of clientele.
Training the employees, and I mean all employees, needs to include a solid awareness of the crimes of identity theft and how they themselves can learn to mitigate their personal risk as well as that of the clients. Those trainings are also an opportunity for the employees to offer their own solutions to how office flow might be tightened up and certain procedures changed to increase security. I have not visited a business yet that did not have issues that need improvement. That not only has the net effect of helping the staff but also sensitizing them as to the risk to the client. If you make the staff a part of the solution you have a much more effective program that grows away from management and takes on a culture of security. "When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you." It is also imperative to offer the entire staff a mitigating identity theft service. It is not a matter of whether the company pays for that or if it is an employee option. It will have the net effect of protecting the company and the employee, and saving both money and time.

Which method will you choose for your business?