tricore Guest
Posted: Thu Feb 01, 2007 2:43 am Post subject: Privacy Compliance |
One of the main goals of recent regulations, and of newer products to facilitate compliance with those regulations, is the protection of Personally Identifiable Information, or PII.
PII is data, like social security numbers, that can be abused if allowed to slip into unauthorized hands.
Very expensive tools known as Privacy Compliance Systems (PCS) are emerging to address these markets. These products take on an imposingly difficult, seemingly open-ended task: to monitor all PII on systems and to enforce privacy policies based on standard rule sets (such as HIPAA or GLB).
Since it's early-adopter time for PCS, some aspects of the products are weak, such as integration with other software. And while they attempt to plug all outbound avenues from a system, from USB flash keys to every network protocol, it's not hard to imagine ways they might be bypassed.
One can also imagine ways, after years of maturing, in which such products would operate for optimal performance and efficacy. For instance, there are a number of protocols for interfacing with databases, from ODBC to more product-specific and faster ones. Many current PCS products don't work with databases directly, but require tedious manual updates.
There's no direct upside to using PCS products; the benefit is largely in the downside of managing PII badly. Do you really want to be the next company on the list with news stories about how 75,000 of your customers' records were exposed? Of course not, and then the question becomes the efficacy of these products and the cost/benefit.
So even if the perceived benefits are compelling, carefully examine the costs of the products and the commitment, and choose a vendor that will be there for you for the long haul.