InfoWorld has posted an article casting doubt on the wisdom of relying on self-regulation to ensure compliance. The article highlights a story in which Macy’s refused to provide contact information for customers who bought toy necklaces later found to contain lead. From the article:
Macy’s was one of the retailers that pulled the necklaces. But when L.A. Deputy District Attorney Daniel Wright asked for the records of customers who bought the necklaces, Macy’s refused to turn over any information. At issue is the ability to notify parents who purchased the necklaces for their children.
The article speculates that the reason for Macy’s refusal may be that the retailer is not in compliance with Payment Card Industry standards. That aside, the bottom line is that self-regulation is being given a black eye.
A study released in December 2008 pointed out issues with the EU-Department of Commerce Safe Harbor scheme. That study claimed that only 22% of the companies that had “self-certified” as compliant with the Safe Harbor principles were actually compliant. The report’s basic conclusion was that the program had been ineffective.
The operational rationale behind self-regulation is undermined by figures such as those reported above. Information technology best practices rest, in substantial part, on the principles embodied in active self-regulation. Recent events, from the collapse of the financial sector to the misdeeds behind the situation facing mortgagees, illustrate the limits of self-regulation and recall to our consciousness the maxim: trust…but verify.