Making sense of compliance and governance
- Article 22 of 33
- SC Magazine, June 2010
Whether it is one big Sarbanes-style law, or by many tiny amendments, compliance is here to stay. Don't let it faze you, says Rob Buckley.
In addition, this is going to be in response to public breaches and notifications of breaches, rather than through any investigative process.
Indeed, Carpenter says it's unlikely ICO boss Chris Graham would be interested in hearing from smaller companies or of examples of breaches at smaller companies. “If you have a hotline where someone can ring up to inform you of breaches and you don't have the resources to investigate, you'll open yourself up to attack – it'll be worse than if you hadn't had the hotline at all.”
A £500,000 fine will be large enough to bankrupt many a small business, so the full amount is unlikely ever to be used against any but the largest companies. “The ICO will take consideration of the sector and financial resources of organisations,” says Peter Gooch, head of Deloitte's privacy team. “It's not going to hit a small charity with a half million pound fine – the purpose isn't to impose undue financial hardship.” In the case of large companies in financial services, the ICO is more likely to defer to the FSA anyway, since the fines which that body can impose are much greater and more likely to affect large organisations, which could potentially shrug off even the full ICO fine.
Around the world, however, breaches are regarded differently. Germany has recently changed its laws to enforce greater privacy and to oblige organisations that lose personal data to disclose the fact; there are ‘huge’ fines for those found breaking the law.
Similar obligations apply in individual states of the US, including Massachusetts and California. Massachusetts in particular, as well as requiring organisations to disclose when they've lost personal data, demands that any organisation that stores personal data on its residents have specific security controls in place, including encryption of personal information. Because the rule is triggered by whose data is held rather than where the organisation is based, any company trading across the US that holds data on Massachusetts residents in effect has to meet the Massachusetts standard.
“There's a domino effect,” says Sushila Nair, product manager at the managed security solutions group of BT Global Services. “Other US states are debating the same thing, and so is Europe.”
Rob Warmack, senior director of international marketing for Tripwire, says that the presence of disclosure laws in the US has made data breaches a boardroom issue, since no CEO wants the brand damage that a breach now results in. “Disclosure is the largest issue. In the US, everyone knows about a breach, and the CEO really doesn't want to read about himself in the morning paper.”
The debate in Europe is slow, however, with little sign of an EU disclosure law seeing the light of day in the next 18 months. Carpenter says that although there is US disenchantment with EU disclosure laws, the only organisations petitioning for change are enterprises.
Global compliance pressures are also coming from the credit card companies, whose PCI DSS standard mandates what kind of security technology and measures should be in place at any organisation that handles credit card data. Anyone handling this data needs to comply with PCI DSS or else they can potentially be fined or forbidden from taking credit card orders. In the US, it's the credit card companies, such as Visa, that are imposing fines directly – as much as £200,000 per month last year – and certain security officers have been fired as a result.
However, in the UK and Europe, which fall under the auspices of the likes of Visa Europe, fining has been delegated to the banks, which have had a lighter touch, mainly because the banks' own terms and conditions for merchants didn't allow them to impose any harsher penalties. But this lighter touch has started to become heavier of late, says Tripwire's Warmack: as terms and conditions have slowly been updated with customers, banks have been able to impose more punitive fines when breaches have occurred.
