17 July 2006

Industry guide to international law updated

William Knight

The Information Security Forum (ISF) has released version III of its legal repository, bringing together laws relevant to information security together with professional legal interpretations.

Information security practitioners need to identify individual laws relevant to the event they are analyzing. The ISF repository is intended to answer such questions as: “Show me all the privacy laws for Canada and Germany”, says Andy Jones, senior research consultant, ISF.

It is being used by individuals who “want to know enough to have intelligent conversations with their legal departments,” explains Jones.

The repository was begun in 2005, answering a demand for legal clarity on the part of ISF members. Members had identified over 250 different laws applicable to information security, and painted a confused picture of overlapping jurisdictions and even contradiction.

Members were keen to find understandable advice without recourse to law firms. “It was evident that lawyers did not talk the same language as IT professionals,” says Jones. “Lawyers are expert at talking to lawyers.”

International laws can seem arbitrary and confusing. Organizations can fall within the scope of legislation not related to their primary business. Examples of law in this class are Sarbanes-Oxley 2002, which applies to any US quoted organization, and the Financial Services and Markets Act 2000 (UK). Or the jurisdiction may be baffling. US federal law can deliberately override (pre-empt) state law. A notable example is the Health Insurance Portability and Accountability Act of 1996, the privacy requirements of which pre-empt state requirements.

“The situation is similar in Canada with its provincial based laws,” says Jones.

And with regard to personal data, the EU admits in its first report on the implementation of articles 25 and 26 of the Data Protection Directive (95/46/EC), ‘Divergences between member states' laws on the implementation of these two provisions are very broad indeed.’

Laws may even contradict each other. Under the cold war Wassenaar agreement, it is still technically illegal to export encryption algorithms to China, but data centres consider encryption an essential part of information security, which could put any Hong Kong services centre serving EU customers in breach.

Jones argues that this complexity will only escalate as organizations globalize. Organizations will face greater exposure to worldwide legislation, and may have to comply with laws from jurisdictions outside their own operating sphere. As one ISF member puts it, “We are hampered by various laws popping up all over the place.”

Louise Townsend, senior associate at law firm Pinsent Masons and a specialist in data protection, says initiatives like the ISF's are useful, and a “good thing to improve communications between IT and the law.” She admits the legal situation is confusing but says that companies adopting good best practice will mostly be over and above the standards required by legislation. However, strategies should be “joined up globally, not piecemeal,” she warns.

Townsend believes IT professionals should place more emphasis on legal compliance, both to protect the organization's reputation and because punishment for non-compliance can be severe. This was recently illustrated when the US Federal Trade Commission fined ChoicePoint US$15 million in penalties and compensation for its admitted compromise of over 160,000 consumer financial records.

Helping resolve responsibilities

But despite the obvious importance of legal compliance, there appear to be few organizations that have resolved all their internal responsibilities, says Jones.

Traditionally, it is the role of the legal department to advise when asked specific questions, but proactive monitoring of new laws, or oversight of jurisdictional issues, are beyond their remit. But IS professionals are not expected to trawl legislation looking for relevant laws either.

So the critical requirements were that the repository should be aimed at IS professionals, be independent, and provide a basis for asking the right questions of lawyers. “Some law firms do offer this sort of advice as a service,” says Jones, “but ISF members weren't interested in a service aimed at lawyers.”

Version III of the ISF's repository is an HTML front end linked to a database and distributed on compact disk. It covers six countries (China, India, South Africa, England & Wales, France and US federal laws), and three areas of law (electronic communications and contracts, signatures and encryption, data protection and privacy).

“There are over 350 laws in total and we're only scratching the surface,” says Jones, and he is acutely aware of the due diligence involved in keeping the repository current, a task that will only become more important as jurisdictions are added.

“Assuming the repository keeps going, between twenty and thirty jurisdictions will cover roughly 80 per cent of situations,” he adds.

The future of the repository is for ISF members to decide. The project has so far been funded through ISF subscriptions and there are no current plans to make it a commercial product – though it has been discussed, admits Jones.
