Infosecurity Today, May/June 2006, page 41 (column)
Legislators are not making life easy for IT security professionals.

Simply to identify the myriad laws related to information security is complex, let alone to interpret them. While some laws are specific to IT security, such as computer misuse and e-commerce, other general and regulatory legislation also affects information security. This ranges from data privacy and corporate governance to healthcare and even human rights.

It is getting tougher to keep up. Advances in technology and the slow legal process mean that some laws are obsolete before they come into effect. Meanwhile, new laws sprout in response to new, increasingly sophisticated computer-aided crimes such as ID theft, spam and hacking.
Border confusion

Then there is cross-border confusion. Not only do organizations have to ask themselves ‘what business are we in?’, but they also have to ask ‘where do we do business?’ For example, legislation designed for the banking and finance sector, such as Basel II, can also affect any organization that processes corporate or personal financial data.

As organizations expand and globalize they face greater exposure to worldwide legislation. They may have to comply with laws outside their home operating sphere that even contradict their domestic legislation.

Companies worldwide are feeling the effects of the Sarbanes-Oxley Act, even though it was drafted and enforced in the US. In a recent survey of ISF members, which represent some of the largest international companies and organizations, more than half the respondents said they expect Sarbanes-Oxley to cost them more than $10m for information security controls alone.

In the same report, ISF members identified unnecessary complexity, conflicting legislative requirements, and a lack of clear ownership of responsibility as key factors that hamper organizations in their drive for compliance with security-related legislation.
Tradition annulled

Traditionally, the responsibility for corporate compliance lies with the legal department. But where IT is concerned it is split between legal and information security (IS). Often, it is the IS team that feels obliged to accept most responsibility for compliance.

Given the pressure to comply with the growing volume of legislation, there is a worry that it will lead to time and money being diverted from areas of critical risk mitigation. Given the fluidity of the situation, there is a real temptation to wait and see.

But where legislators have previously struggled to keep up with the quickening pace of technology, they are now sharpening teeth and rattling sabres. Failure to act quickly enough could prove very costly and damage corporate reputations.
This was illustrated recently in the US. The Federal Trade Commission accused ChoicePoint Inc of Atlanta, Georgia, of violating consumers' privacy with its security and record-handling procedures. ChoicePoint admitted that financial records of over 160,000 consumers had been compromised and was fined US$10 million in penalties and US$5 million in compensation.

This is a wake-up call for companies where compliance is concerned. And while there is still little case law by which to examine the ambiguities of legislation or clarify interpretation, the law is certainly starting to bite back.
In practical terms, it may be difficult to comply with all information security related laws, and a risk-based approach may still be appropriate. The ISF has established a process to help organizations to identify compliance requirements. It is also made more useful by a legal repository that can answer questions such as, ‘What are all the privacy laws for our UK and German operations?’

The ultimate goal is to establish a comprehensive global database of information security related laws, searchable by jurisdiction.

Tempting though it may be, regardless of the complications and costs, organizations cannot afford to wait for enforcement officers to come knocking. They must establish procedures that ensure ongoing compliance. The courts do not always have to prove malicious intent or negligence, and ignorance is never a defence.

About the author

Andy Jones is a senior research consultant at the Information Security Forum. The website is www.securityforum.org.
The law starts to bite back

Andy Jones

Information security professionals need to start dealing with the law, before the law deals with them.