Listen to associated Podcast: Law, Policy, and Compliance: RDT&E and Standardization

What is it, where do I find information on ‘compliance’, and what does it mean to Information Technology? Is it truly a departmental necessity in every company, or is it built into the research, development, and test phase of the software development lifecycle?

What about compliance in software support, maintenance, and versioning for improvements, as well as integration with other new and existing systems?

Has IT forced odd compliance and created unnecessary conflict, and what do the laws look like? They are, in fact, in conflict, create conflict, and eventually lead to improvements – I think it’s called growing pains.

Research Topic: IT Assurance, Policy, and Compliance as it relates to standards, regulations, and risk. You have the freedom to do whatever you want, but you risk it, the rewards, healthy societal contributions, and more if you violate law and policy. Some original equipment manufacturer (OEM) policies are clear and affect warranty and service status if violated, while other policies are not clear, not established, and no one is directly assigned to create them. Not all companies have a compliance department. Assurance and standards with specific codes, such as the Penal Code, are not systematically itemized. Technology is secure in its offering to enable the creation of products that work with related and necessary products, meeting compliance terms with each other, but the word itself is usually applied to a specific regulation, which varies. Code compliance, or software Quality Assurance and Quality Control processes, is somewhat standardized, but not to the point that it is ‘automatic’ or that every company in business follows such a process. Rather than verbalizing associated or governing regulations, it is better to understand how a compliance department works and its roles and responsibilities. No single office, organization, or group follows one single regulation for doing business in IT.

Research Problem: The areas of compliance, policy, regulation, law, and standards are mixed, generalized, and varied. The theory is that the law does not understand IT and cannot correctly lead or govern it because of its design. Humans know that the laws must be followed with a standard of service and an obligation to conduct business ethically, as well as to create systems with good support. Since processes and policies vary, results vary, which is the way commerce works to follow the laws of fair competition in the marketplace. While manufacturing seemed like a good system to model the IT industry after, the creation of IT products and their support lifecycle is different, so IT is challenged to create its own model and determine how different it should be, with the intent to reduce the problems of society, for the betterment of civilization. Not all companies share or publicize this great ethic or value. It is not known whether there is a Strategic Command or industry leadership that leads all companies with audits aligned with top objectives for its IT creations and global investment strategies. The creation of the Internet proved America has greatly improved, but if it continues to operate similarly to human life and does not understand that its purpose is to eliminate problems humans face by using a different approach, then the systems just become replicas of each other, standardized, and similarly dysfunctional. Generally, world views vary: some believe the world is a good place, others see it as unsafe, impoverished, and not improving, while still others accept it as is, with purpose and intent to follow the laws and rules as they are or to seek change. Some systems have made such change impossible, just as some technology has damaged or destroyed prosperity and happiness in many areas of human life. It becomes a matter of force and compliance in social order on the wide world view, but of efficiency, value, and economic prosperity on other fronts; aligned with what is written in the Constitution, or what our world presents as necessary for survival.

Standards are created by technology leaders, one following the works of another, or by delivering to customer specifications and requirements under contract law, often through formal or informal verbal exchanges. No further lesson should be taught or learned that delivering to customer specifications or requirements is the right answer. In IT, it must be established that the customer is not meant to manage the design and delivery of the product, that they are not always right, and that they often do not know what they need or what is truly possible in IT, just as IT experts do not have every answer to every business problem without a valid business assessment. At some point, all business processes will be known and correctly assessed, with a standard process, some with variation, that technology can improve through review and innovation occurring on regulated timelines. With changes, the business landscape changes, as do policy and compliance. Some things that once needed oversight and proof of compliance are automated and proven, thus the need is eliminated. Compliance in terms of delivering to customer specifications depends upon contract agreements, governed by contract law, using limited IT laws. Because of the changing landscape of technology, some terms and conditions cannot be thoroughly defined and scoped. This is the dynamic of IT: investments are not single buys of over-the-counter software; rather, over-the-counter buys are certified through a system of standards and compliance, having been tested to work correctly, with a set price and procedure and some form of support or maintenance system. New technology ventures work differently; thus, compliance works differently. Some companies might be forced to change their processes to comply with established technology in order to standardize and improve business. This area of IT should be known and clarified, and participation or compliance encouraged, not by a governing law or regulation, but by an understanding of national or global strategy and its effects.

There are few laws that attempt to govern technology, such as the Sarbanes-Oxley Act, the Privacy Act of 1976, the California Consumer Protection Act, the Healthcare Information and Portability Act, and the Anti-CANSPAM Act, along with the outrageous number of articles in the Constitution and case law that set precedent or regulations. While these laws have good intentions, laws designed for systems that are built incorrectly, or are merely functional, with good intent to follow the law, do not often enable the best means to do so. For example, the Anti-CANSPAM Act requires mailers to provide certain means for removal and no contact, but those means place a major standard on every business and a burden on every user, when, if better written with a full understanding of technology capability, the law would have required a central management system and enforced efficiency of mail management, addressing more than a single problem. Such burdens should be investigated for IT opportunity, consolidation, and efficiency, and only then should the laws be written, but with whose leadership, timeline, and expense? The FCC, in writing the Anti-CANSPAM Act, thinks it is protecting consumers, yet consumers have no real way to manage and remedy the many ongoing violations. This is one of the best lessons learned in compliance: policies and regulations cannot and should not be written without considering the possibility of a more efficient technological approach or technology change, written to and for the correct persons, agency, or group. Can you imagine a courtroom full of email recipients arguing complaints of unwanted emails on a constant, ongoing daily docket when the real solution is to form a review board of email solutions and form policy and system standards to monitor and prevent? Systems can monitor email content using a rule-based system, so why are the rule-based functionality and the expectation of management placed on individual users, and further, why must it be managed per email, sender, and site? Why write laws and not just create an automated procedure?

Just because something works and is profitable does not mean it is the best it can be, that it adheres to law and policy, or that it is healthy for society. The fallacy of artificial intelligence leading in business must end, and humans must take responsibility for what they do and have done. Letting the law, or policy, be the guiding force that determines ethical interaction and compliance is also wrong.

Assurance, policy, and compliance differ depending upon the maturity of the product and how it is delivered. The problem is that there is no set standard and no written set of laws, requirements, and policies already established for information technology, and it might be wrong to assume that law and policy must be written for technology and its users. The congressional powers of government have attempted to write laws that affect IT and to create governing policies on the protection of data, its use, and the development of systems, but they have fallen greatly short in being able to directly show areas of responsibility in terms of what is required of buyers, creators, data owners, users, policymakers, and governing bodies, as well as how it compares and differs in the physical and virtual realms. Roles and responsibilities, along with risk, are transferred, and adherence is unmeasurable, never reaching 100% compliance, perhaps because there is a better design that technologically eliminates the need for enforcement.

The laws that apply to information sharing do not adequately address problems brought on by the Internet. Companies and users do their best to adapt to what exists, with few able to lobby for changes. No studies exist that evaluate in depth what technology enables and what it can eliminate in terms of the law. A national peace treaty does not bring peace to a nation; it ends the war, and much change, rehabilitation, and cleanup must take place, just as a policy implementation requires time to show its benefits. Technology implementation is the same; it is not instantaneous prosperity, efficiency, capability, and happiness. Compliance with policy is critical, but some policies we think are inherent in our design as compassionate humans cannot be proven, and they are not the same in everyone, hence the need for the establishment of rules, laws, and policies. Similarly, we assume security is inherent in the operating system and Internet systems, yet companies still capitalize on security vulnerabilities, attempt to make it a user’s responsibility, and individually create policies, leading security to become a profitable opportunity for security companies. This indicates a possible problem with priorities and ethics, but one made necessary by the financial requirements of life, the cost of doing business, and spending habits. If we expanded beyond money, as if there were no limitations, we would have better ideas and possibly better results. It is not the only problem or answer to compliance with the Constitution.

HIPAA Compliance – A View of Electronic and Human Laws

Another valuable example is how humans communicate and do not follow the same laws that are written for the protection of information in electronic systems, such as the Healthcare Information Portability Accountability Act (HIPAA). People freely share healthcare information with others through verbal communication, without permission. If laws could be designed to apply to both human and technical systems, it would be a more efficient system, but it would need the ability to track and monitor such changes in social environments. Just as the person with a healthcare record has a right to privacy, so does the person with whom that information is shared, even in informal settings that are considered out of bounds, such as unpermitted or unwanted conversations about personal topics. Permission-based communications require a two-way understanding: there are two or more parties that need protection, the receiver and the sender, or sender to sender. In the simplest of terms, humans should learn to ask permission of themselves, and of the person they are sending to, before sharing their personally protected information in all areas, not just healthcare. This type of policy governs sensitive information in questionable topic areas where unwanted information is sent or shared. It makes no sense to have a patient fill out a form and grant express permission to share healthcare records with another agency in professional dealings; it is expected that they share information, otherwise there would be no information given to Health and Human Services for compilation to understand American health. What is more beneficial to society is a human communication policy to protect receivers from unwanted material, such as the Anti-CANSPAM Act, and from those who violate the health and comfort of others.

Right to Privacy

For some, parts of Internet systems have been seen as an invasion of personal privacy, where our general understanding is that humans have a right to privacy protections in their domicile or domain. Sometimes it is not in everyone’s best interest to keep things private or personal. Not every personal computer performs as a host machine. Hosting a party, and being responsible for the activities of humans during and after the party, is not the same as the laws, regulations, and policies surrounding virtual host computing machines. This is where technology terminology collides, with Domain Name Servers or hosts responsible for managing the privacy of their visitors, a design similar to human contact, with limited responsibility. Human policies are not entirely well established and standardized throughout society, nor are IT policies.

How can the Risk Management Framework, or an invisible set of policies, assist an organization or company if it has no “Risk Management” or “Compliance” department? They simply follow the established laws as they pertain to them. DoDI 8510.01, Risk Management Framework for DoD Systems, is the regulation that partly governs IT acquisitions. In its first list of policies it incorrectly states: “The RMF process will inform acquisition processes for all DoD systems, including requirements development, procurement, developmental test and evaluation (DT&E), operational test and evaluation (OT&E), and sustainment; but will not replace these processes.” How does one process inform another process? It is written in automation technical terms, as if procurement and risk assessments were automated, non-human, and communicative; a false representation of the process and of how decisions are made.

Many companies doing business and interacting online do not have a written set of policies or a Risk Management Framework. They take risks as they see fit, depending upon their level of trust, faith, or understanding of what the system presents. It only takes a few warnings, bad media articles, and bad comments from others to damage their computing experience. Because there is no legal system for such slander, libel, bad media, or negative spreading that damages perceptions of safety and quality, people somehow manage, either experiencing damage firsthand, adding to the problem of bad media and the creation of more bad experiences, or dismissing the warnings or perceived risk passed on by someone else. The other area of value in the subject of compliance is the human reaction to change, where compliance is forced, a new way of interacting is required, and it is less than desirable, or worse than the original process. This happens often with new technologies when people do not want to change or are forced to learn and change. Not all social or information changes from new technology bring civil unrest and riot, but many complaints have been received or heard about publicly shared information where permission was not given and where there is no obvious corresponding protection system, such as the publishing in Google Earth of photographs of residential or commercial property. If it were built with a protection and security system that was not profit-based, such as Google information protection, it would be a better product, but because technology professionals operate with a business mindset, security services are available for a price. This begins to create a problem when you understand that information on Google is free, but the security of your information is limited, and the ideal that collective behavioral control and leadership or governance is only possible using the existing structure or design; innovation is required.

Is it considered fair information practice and fair business to publicize someone else’s address in an information system, allowing access to anyone and everyone, and not protecting it, even though it could provide advanced information security that can prevent and reduce crime? Where does compliance fit in these types of scenarios, beyond information security? Can corporations such as Google, Inc., be held liable for allowing access to information that would normally have been protected by a technical system, physical agency, or group of persons, if a law were to be violated, such as internet stalking of a person? Due process and access to equal protection under the law must also be considered, and someone or something must take charge of protecting those who cannot protect themselves. Does adding oneself to a Do Not Call List prevent excessive sales calls? The Anti-CANSPAM Act does not prevent spam, and the California Consumer Protection Act does not prevent or protect against the sale of personal information. “This Act establishes requirements for those who send unsolicited commercial email. The Act bans false or misleading header information and prohibits deceptive subject lines. It also requires that unsolicited commercial email be identified as advertising and provide recipients with a method for opting out of receiving any such email in the future” (Anti-CANSPAM Act, 2024). It forces action by its users in response to unwanted contact. Given that there is more than one way to manage contact and information, as well as more than one law, it is obvious that lawmakers and policymakers do not understand how simple technology works in data management. For some reason, they did not know they should regulate or direct technology to provide a more effective solution. They have complicated it and attempted to create some remedy for violation using the courts. Without going into detail, they are adding layers of law and regulation on a merely functional system that sounds good but in real life is nearly impossible to prosecute.

The term compliance means, by definition, the action or fact of complying with a wish or command.  Where does compliance fit in command-and-control systems if those are solely designed for the US Military?

The dictionary’s usage example reads: “they must secure each other’s cooperation or compliance”. A simple Google search for IT Law and Policy returned only law schools, with no governing source, national institute, or specific set of laws (Google Search: IT Laws, 2024).

International Business and Law – No Remedy

In another perfect example, customer service operations were available to confirm or address problems that a technical system managed. It was a discount/rebate for Internet services, confirmed from another government Internet site and integrated with a United States technology company. Customer Service, as usual, is available 24 hours per day to answer questions and troubleshoot the system, which reported an error: unable to process. The Customer Service Agent was not a US citizen, could barely speak English, and was unable to answer the questions directly asked; the information from the recorded system conflicted with what was promised, and it required two foreign customer service agents to simply say what the computer system should have correctly displayed: the application would take approximately 24-48 hours to be approved, and the change will be reflected on your next bill. If a technology company that has been in business for twenty years cannot effectively implement a government subsidy rate change without human intervention and utilizes foreign services, there is no way we can trust that technology can evolve. It is as if we are still fighting terrorism, but in a new department, forcing us to comply with bad service because the Internet has become a necessity. It is a clear case of international business holding information hostage; a power and control imbalance with forced compliance from the wrong side.

The major problem was a communication failure in 2 parts, with the greater issue of forcing Americans to work with foreigners on government technology programs who have consistently caused problems in their roles as Customer Service Agents. There is no one to escalate the call to; therefore, the customer is forced to comply with foreign demands and receives low-quality service. There is no global anti-terrorism compliance team, just as there is no recorded training quality assurance and quality control system, but there are standards of service, under which agents are trained to hang up on customers without resolving the issue if the decibel level rises or if there is a single use of profanity. Nothing gets resolved in a 3-part equation that is completely against American values. Technology is expected to work correctly, and if it does not, a qualified US citizen is expected to complete the transaction using the phone. The foreigners do their job, attempting to use some level of demand in control of the process data necessary to get what is needed, the Americans remain dissatisfied, and the rest of the parties involved still think we can achieve world peace. Just as there is no such thing as standardized corporate compliance for every company, automated and ready, there is also a different set of ethics among humans, regardless of their cultural and economic differences.

At some point, the fake media must stop, artificial intelligence must step aside, and the idea that foreign services are cheaper and that anyone can be trained in technology and can or should be employed must be recognized as faulty thinking. There is no human or American alive in business who can promise top-quality service, that technology is protected, and that it will never happen again. No law or regulation was violated, other than the right to happiness, but there is no one to sue, no one to defend, and no one to change it. If it is not a compliance, assurance, and regulation matter, then who or what is it? And further, why would America seek to do business with foreigners if they have yet to master social and economic American control, improvement, and compliance?

Requirements, policies, and regulations are lax when new technology arrives. It is not that the technology creators did not follow laws or adhere to a specific set of standards, but that policies among buyers must change and adapt. Effects from technology are not immediately known, and some systems create socio-economic change that was unexpected, unplanned, and unintended. These outcomes can be managed by planning for the long term, but success, along with opportunity, can be destroyed by a faulty risk management office establishing and forcing compliance with bad ideals and policies. Is this one single issue a matter of some written foreign policy that now requires military intervention and an act of Congress to change?

References

DoD Instruction 8510.01, Risk Management Framework for DoD Systems, Office of the DoD Chief Information Officer, dated July 19, 2022. Accessed via the Internet at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf on January 16, 2024.

Google Search: IT Laws. Accessed via the Internet at https://www.google.com/search?q=IT+Law+and+Policy&rlz=1C1CHBF_enUS955US955&oq=IT+Law+and+Policy on January 16, 2024.

Federal Trade Commission, Anti-CANSPAM Act, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act). Accessed via the Internet at https://www.ftc.gov/legal-library/browse/statutes/controlling-assault-non-solicited-pornography-marketing-act-2003-can-spam-act

By Sheri L. Wilson

Author, PhD Student; Doctor of Technology, Research