How much legislation would a legislator legislate if a legislator could legislate legislation?
So far, the answer is finite, but to a business struggling with compliance it probably doesn't seem that way.
A casual glance at the Department of Business, Enterprise and Regulatory Reform (BERR) website's page of infosecurity legislation, standards, and policies reveals a list of relevant acts: computer misuse, data protection, regulation of investigatory powers, health and safety, and copyright.
Most aren't new, although some have been updated recently, sometimes indirectly. Depending on where and how a company does business, other nations' laws may also be applicable, most commonly the US' accounting reform act, Sarbanes-Oxley.
"How much legislation would a legislator legislate if a legislator could legislate legislation?"
The most important law that affects every business is data protection law, originally passed in 1984 and updated in 1998. The 2007 loss of the HMRC discs and more recent breach of prisoners' data have given data protection new visibility.
But, says Chris Potter, e-business security partner at PriceWaterhouseCooper, the key update is the Criminal Justice and Immigration Act (May 2008) which changes the consequences of non-compliance.
"Effectively, it now gives the Information Commissioner's office the power to levy significant fines on organisations that deliberately or recklessly have a serious breach of the data protection act." The prospect ought to be enough to scare any company into taking compliance seriously.
But doing so requires cultural change involving people, processes, and technology to recreate the barriers that in the physical world stopped people from, say, copying a company's entire filing system and taking it home.
"All of the barriers that would prevent people from doing silly things from a security perspective but expedient personally have evaporated", says Potter. "A lot of the focus [from] leading organisations is to try to change people's behaviour so that when they get a job they don't think, how can I get rid of it as quickly as possible, but how to do it."
A company needs an authorisation process in place; it needs managers, and most of all it needs a pervasive consciousness that everyone owns the data and is partially responsible for it.
It's only, he says, when you get the combination of line management, awareness and training, and funding that you get effective processes in place that ensure compliance.
Ignorance is bliss
"It's quite easy to fool yourself into thinking you're doing what you need to be compliant", he says. "You could have a very rudimentary tick in the box for giving computer-based training on the data protection act to everybody once a year for half an hour and then signing that they understand the act. In one sense, you'll have done something vaguely defensible, but it won't have changed people's behaviour in practice. The organisation won't be any more compliant than it was if it didn't do that exercise, but sometimes people get locked into measuring the inputs instead of the outputs – 'I have trained this number of people' instead of looking at the behaviour of those people. Organisations really need to have a balanced scorecard of metrics – no single one will tell you the full answer."
The other most significant piece of government action, says Simone Seth, a senior research analyst for the Information Security Forum, is the compliance guidelines recently issued by the Financial Services Authority.
In general, though, she says that members are saying that little pressure for compliance has been added in the last year.
"There's a lot of confusion within organisations about the difference between compliance and security", she says. But, she adds, "A robust security control framework and good security practices do for the most, part comply with the requirements of assorted legislation."
The key to how deep into an organisation compliance goes, she says, lies in what goes before: "What is the genesis of non-compliant behaviour? If the genesis is that the non-compliant organisation is trying not to spend money, as opposed to malfeasance, then I think companies will try and take shortcuts and do just enough."
"The majority of companies I would deal with have little or no IT expertise and therefore only the vaguest idea about data protection compliance and so on"
Peter Scargill, FSB
In most cases, however, she says, the incidents that take place when organisations are non-compliant are due to poor processes or areas they didn't think about – poor data destruction, inappropriate sharing.
The really bad data breaches, she argues, make up only a small percentage of incidents.
“If you look at the genesis of big breaches it's generally carelessness. It's interesting that when people write on compliance they use security compliance – but they don't see compliance as a result of securing the organisation."
Still, she says, "I genuinely do believe that the intent for most companies is to do a great job of implementing a control framework that will safeguard themselves and their customers."
A costly oversight
One area where specialist vendors can help is in copyright; for large organisations, managing software licences is an expensive proposition, not least because of the costs of non-compliance.
It can be fairly costly if a company with licences for 100 users or four CPUs gets caught with 150 users or eight CPUs, says Vincent Smyth, general manager for Acresso (licence management software suppliers).
"It's a bigger issue for many commercial companies than some of the regulatory compliance issues because there's a very immediate cost when they get an order from a software company – they end up then having to pay full price for any licences."
A second area where vendors can help is also one where the significant influence is not actually legislation: the credit card industry's payment card infrastructure. Richard Moulds, executive vice-president of product strategy at the cryptography specialist company nCipher, says, "We're starting to see some evidence to say that government legislation is picking up on the standard as a convenient way of defining a tougher privacy law and taking advantage of the pre-built community of auditors. I think we will see the PCI specification spreading way beyond credit card information."
One of the triggers for PCI, he says, was a clause in the California disclosure law covering data breaches that says the customer base does not have to be notified if data is encrypted. "It was the first time that any government – federal or state – had explicitly specified a technology."
Similarly, Sarb Sembhi, London chapter president for ISACA (Information Systems Audit and Control Assocation), whose website hosts many downloadable documents on regulatory issues, says of PCI, "Having a standard is a good thing because if it weren't for those, some small companies wouldn't do anything at all."
Hall of mirrors
For much of regulatory compliance, it can be hard for a company to judge its own levels of compliance because there are no technological aids. They can test employees' behaviour as pen testers measure a company's network security and apply metrics - although PwC's Potter notes that many of these can be two-edged.
Disclosure laws, for example, can create the impression that breaches have increased, when all that's increased is reporting. The upshot is to create an ecology of independent auditors.
But even that doesn't solve everything. As Sembhi points out, many of these laws are still untested in the courts, and when there are ambiguities they are likely to remain so because lawyers don't like to take chances.
In general, he says, good intentions, as demonstrated by trying to understand the regulations and attempt to comply, count: "The ones who haven't tried are more likely to be penalised. So most organisations have tried in some way or another."
A big problem for small businesses
According to the latest figures from the Federation for Small Businesses (FSB), 99% of the UK's businesses have fewer than 50 employees. That's 4.3 million small businesses – and 2.2m of them are sole proprietors.
"That's an awful lot of people without an IT department", says the FSB's national IT director, Peter Scargill, who counts his independent consultancy as one of them. "The majority of companies I would deal with have little or no IT expertise and therefore only the vaguest idea about data protection compliance and so on." And these days, even a non-technology company may be selling over its website and collecting customer data.
The FSB generally fights regulation for this sort of reason. How can a small business with no specialised staff and an owner whose time and energy is fully occupied running his/her business cope with today's regulatory environment?
"There's no way other than to seek outside help," says Scargill. But then more questions arise. How do you find an advisor? How do you know you've found a good one? "It's the same as with web development or deciding what equipment you should have. People in the non-IT industry cannot be [expected to be] experts on this stuff, and the complexity is growing exponentially."
Scargill believes that the biggest difficulty with compliance in small businesses is not cost as much as lack of knowledge. "Because the press is general-purpose, how do they find out when laws are updated? They can't spend their entire lives looking for updates."
Organisations like the FSB that hold local meetings that allow small business owners to interact can help. But for a view on what the FSB's 215 000 members are most concerned about, Scargill points to the FSB's web forums. There, by far and away the biggest topic of conversation is copyright because for the last two years the two big digital photography agencies, Corbis and Getty, have been relentlessly sending small businesses invoices for £1500 to £2000 a time for (usually unwitting) infringement.