CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault, he is speaking from the Council’s perspective. He hit the bullseye.

But what Bob does not say is what is really driving compliance.

I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386–the first State Data Breach Law. Unfortunately, many companies did not pay too much attention to it until several years later when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being in the trenches dealing with companies, I can definitely say that before 2007, the feeling in the PCI world was “We’ll get to it… if we ever do.” By 2007, I had a list of clients that had failed their annual assessment three or more years in a row, with little to no improvement year over year1.

During 2007, however, we saw a dramatic uptick in the reported compliance rates of Merchants2 of all levels. Let’s think back to 2007. Is it data breach laws that caused this uptick? It could have, but that’s a significant 4 year delay (allowing for some variance).

What else happened in 2007?

Visa announced their Compliance Acceleration Program! Remember that? The original plan was that fines would start if compliance was not reported by September 30, 2007. Visa later offered a three month rebate if compliance was met by December 31, 2007. Not to mention, if you were subject to Tiered Interchange, you did not qualify for the best available tier!

Holy crap, talk about lighting a fire!

One of our customers figured out that their cost of non-compliance was $40 million in lost rebates! WOW! That’s a motivator if I’ve ever heard of one–especially if your compliance costs are under $80 million over 2 years! Presumably, your maintenance costs should be SIGNIFICANTLY lower (especially if you purchased VeriSign’s PCI Program Management offering!). Shameful plug?

If anything has pushed compliance, fines (or a real threat of) seem to be the main motivating factor, not laws.

Now, one difference between the US and the rest of the world that could make a difference is that here in the US we are inundated by breach notices. For credit card breaches, the damage is pretty minimal (more than credit card such as SSN is definitely a MUCH bigger problem), and I think most of us ignore it and continue shopping. After spending a few days in the UK, there are some groups that believe required notification upon a breach will be a massive motivator, until THEIR citizens are inundated and then don’t care anymore.

The moral of this post? My experience tells me that fines are a much bigger motivator to pushing compliance to a particular standard versus data breach laws. If you want to get companies to comply, affect their business. After all, security and compliance is a BUSINESS issue. Properly motivated, it will be addressed.

This post originally appeared on

  1. Albeit, in the Merchant’s defense, CISP had changed several times since 2001, and the original PCI Standard was released and amended by 2007 such that we were then working under version 1.1. []
  2. Reported compliance is different from actual compliance…. remember that. []