The law starts to bite back
Information security professionals need to start dealing with
the law, before the law deals with them.
Legislators are not making life easy for IT security professionals.
Simply to identify the myriad laws related to information security
is complex, let alone to interpret them. While some laws are specific
to IT security, such as computer misuse and e-commerce, other general
and regulatory legislation also affects information security. This
ranges from data privacy and corporate governance to healthcare
and even human rights.
It is getting tougher to keep up. Advances in technology and the
slow legal process mean that some laws are obsolete before they
come into effect. Meanwhile, new laws sprout in response to new,
increasingly sophisticated computer-aided crimes such as ID theft,
spam and hacking.
Border confusion
Then there is cross-border confusion. Not only do organizations
have to ask themselves 'what business are we in?', but they also
have to ask 'where do we do business?' For example, legislation
designed for the banking and finance sector, such as Basel II, can
also affect any organization that processes corporate or personal
financial data.
As organizations expand and globalize they face greater exposure
to worldwide legislation. They may have to comply with laws outside
their home operating sphere that even contradict their domestic
legislation.
Companies worldwide are feeling the effects of the Sarbanes-Oxley
Act, even though it was drafted and enforced in the US. In a recent
survey of ISF members, which represent some of the largest international
companies and organizations, more than half the respondents said
they expect Sarbanes-Oxley to cost them more than $10m for information
security controls alone.
In the same report, ISF members identified unnecessary complexity,
conflicting legislative requirements, and a lack of clear ownership
of responsibility as key factors that hamper organizations in their
drive for compliance with security-related legislation.
Tradition annulled
Traditionally, the responsibility for corporate compliance lies
with the legal department. But where IT is concerned it is split
between legal and information security (IS). Often, it is the IS
team that feels obliged to accept most responsibility for compliance.
Given the pressure to comply with the growing volume of legislation,
there is a worry that it will lead to time and money being diverted
from areas of critical risk mitigation. Given the fluidity of the
situation, there is a real temptation to wait and see.
But where legislators have previously struggled to keep up with
the quickening pace of technology, they are now sharpening their teeth
and rattling sabres. Failure to act quickly enough could prove
very costly and damage corporate reputations.
This was illustrated recently in the US. The Federal Trade Commission
accused ChoicePoint Inc of Atlanta, Georgia, of violating consumers'
privacy with its security and record-handling procedures. ChoicePoint
admitted that financial records of over 160,000 consumers had been
compromised and was fined US$10 million in penalties and US$5 million
in compensation.
This is a wake-up call for companies where compliance is concerned.
And while there is still little case law by which to examine the
ambiguities of legislation or clarify interpretation, the law is
certainly starting to bite back.
In practical terms, it may be difficult to comply with all information
security-related laws, and a risk-based approach may still be appropriate.
The ISF has established a process to help organizations identify their
compliance requirements. This is complemented by a legal repository
that can answer questions such as, "What are all the privacy laws
for our UK and German operations?"
The ultimate goal is to establish a comprehensive global database
of information security-related laws, searchable by jurisdiction.
Tempting though it may be, regardless of the complications and
costs, organizations cannot afford to wait for enforcement officers
to come knocking. They must establish procedures that ensure ongoing
compliance. The courts do not always have to prove malicious intent
or negligence, and ignorance is never a defense.
About the author
Andy Jones is a senior research consultant at the Information
Security Forum. The website is www.securityforum.org.