The baby bull elephant in the room
- SC Magazine, July 2012
Certainly, CSOs in vertical markets such as the defence industry and healthcare have had to deal with compliance requirements for almost as long as there have been computers, but laws like the UK's various Data Protection Acts over the years have made virtually all companies the subjects of compliance requirements. Research by IT security integrator SecureData shows that 94 per cent of CSOs now have some responsibility for compliance in their organisations.
On top of existing legislation, there are new regulations coming into effect or being proposed that seem set to make CSOs' lives just a little bit harder - or a nightmare, depending on how prepared they are. The Information Commissioner's Office has published a code of practice concerning data sharing in the UK that covers both routine and one-off instances. The FSA has published new guidance on mortgage fraud and money laundering. The Office of Fair Trading has also published a code of practice about money laundering, while the Ministry of Justice has published draft guidance on the Bribery Act, which came into force on 1st July last year.
Perhaps the biggest and most visible bits of compliance legislation have come from the EU. These include a privacy law regarding cookies, which passed its enforcement deadline in May, and its proposed harmonisation and update of European data protection laws. The former requires all web sites to tell visitors what they use cookies for and to request their permission to use them. What it doesn't do is tell them how to do this. "People haven't appreciated how non-trivial it is," says Eduardo Ustaran, a partner at Field Fisher Waterhouse. "The technology is there, the solutions are there. What makes it a big deal is the need to make tricky decisions about balancing compliance with commercial imperatives so that it isn't intrusive."
"Sites are carefully constructed to maximise efficiency," explains Keynote Systems' director of privacy services, Ray Everett. Injecting a banner warning about cookies only reduces that efficiency. In addition, with many web sites carrying advertising hosted by third parties, it can be hard for organisations to know exactly what cookies are served by their sites. To counter that, Keynote's Web Privacy Tracking application not only crawls pages, it performs transactions, examines which networks are serving ads and details which cookies are consistent with the organisation's policies and which aren't. But, he says, he still gets many calls from CSOs wanting to know how the 'cookie law' fits into their overall privacy compliance schemes.
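The audit described above, crawling a site, recording every cookie it and its embedded third parties set, and reconciling that inventory against the cookies the privacy notice actually documents, can be reproduced in a few dozen lines. The following is an added illustration written for this article, not Keynote's product or any code from the organisations quoted. The observed responses, the policy table and the site name are constructed sample data, and the registrable-domain helper is a deliberate simplification that recognises a few UK second-level suffixes by hand; a production audit would use the Public Suffix List.

```python
"""Cookie inventory check: which cookies does the site really set, and are they
all covered by the published cookie policy? (Constructed example.)"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: (URL of the response, raw Set-Cookie header) pairs, as a
# crawler might record them while browsing the site and completing a checkout.
OBSERVED = [
    ("https://www.example-shop.co.uk/", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example-shop.co.uk/basket", "basket=xyz; Domain=.example-shop.co.uk; Path=/"),
    ("https://www.example-shop.co.uk/checkout", "ab_test=B; Path=/"),
    ("https://ads.adnet-example.net/pixel.gif",
     "uid=998877; Domain=.adnet-example.net; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT"),
    ("https://cdn.analytics-example.com/collect", "_ga_like=GA1.2.1; Domain=.analytics-example.com"),
]

# Constructed policy: the cookies the site's privacy notice documents, with purpose.
POLICY = {
    "session_id": "strictly necessary: keeps the user logged in",
    "basket": "strictly necessary: holds the shopping basket",
    "uid": "advertising: set by adnet-example.net, consent required",
}

SITE_HOST = "www.example-shop.co.uk"  # constructed first-party host


@dataclass(frozen=True)
class CookieRecord:
    name: str
    domain: str        # Domain attribute if present, otherwise the responding host
    set_by: str        # URL of the response that carried the Set-Cookie header
    third_party: bool  # set under a different registrable domain than the site
    secure: bool       # carried the Secure attribute


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain of a host.
    Assumption: the last two labels suffice, except for a small hard-coded set of
    second-level suffixes (co.uk etc.). Real code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    second_level = {"co.uk", "org.uk", "gov.uk", "ac.uk"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_url: str, site_host: str) -> CookieRecord:
    """Split a Set-Cookie header into name and attributes and classify the cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    host = urlparse(response_url).hostname or ""
    domain = attrs.get("domain", host)
    return CookieRecord(
        name=name,
        domain=domain,
        set_by=response_url,
        third_party=registrable_domain(domain) != registrable_domain(site_host),
        secure=bool(attrs.get("secure", False)),
    )


def audit(observed, policy, site_host):
    """Reconcile observed cookies against the documented policy.
    Returns the full inventory plus the two lists a CSO cares about:
    cookies the policy does not mention, and cookies set by third parties."""
    records = [parse_set_cookie(header, url, site_host) for url, header in observed]
    return {
        "records": records,
        "undocumented": [r for r in records if r.name not in policy],
        "third_party": [r for r in records if r.third_party],
    }


if __name__ == "__main__":
    result = audit(OBSERVED, POLICY, SITE_HOST)
    for r in result["records"]:
        status = "documented" if r.name in POLICY else "UNDOCUMENTED"
        party = "third-party" if r.third_party else "first-party"
        print(f"{r.name:12} {party:12} {status:13} domain={r.domain} via {r.set_by}")
```

Run against the constructed data, the report flags `ab_test` (first-party, but absent from the policy) and `_ga_like` (third-party and undocumented), while `uid` is third-party but already disclosed. The same reconciliation is what turns a one-off crawl into an answer to the question the CSOs in the article are asking: which of the cookies our site actually sets are not yet covered by our consent and privacy text.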
The second of the EU's pieces of legislation is far more wide-ranging and, in fact, game-changing. It proposes changes to the previous 1995 data protection legislation that gave birth to the UK's 1998 Data Protection Act. Changes include the mandatory appointment of a data protection officer, the introduction of a 'right to be forgotten', a requirement to notify authorities of data breaches within 24 hours of their occurrence, and the ability of authorities to impose fines of up to two per cent of global turnover for companies that breach the rules.
Although this sounds stringent, particularly with regards to fines, Deema Freij, legal counsel EMEA and APAC at secure file-sharing service IntraLinks, says that because the UK already has quite strong privacy requirements, there will be comparatively little work for UK companies to achieve compliance compared with companies in EU countries like Spain, provided they've already tried to comply with the DPA. Importantly, it will also force cloud-service providers to become compliant, since now any data breaches that occur with clients' data will be as much their responsibility as it is their clients'.
However, the 24-hour breach notification rule could be very difficult to comply with, since it will require monitoring and logging systems and processes to act on them. Research from LogRhythm published in April found that of 200 IT decision-makers at UK businesses, 87 per cent would be unable to identify individuals affected by a breach within 24 hours, while 13 per cent said it would take them between one week and a month to pinpoint which customer data was affected, and six per cent did not believe they would ever be able to accurately obtain the information. Meanwhile, SecureData's research found that 59 per cent of senior IT managers believe draft data protection compliance rules will cost their businesses more, while 40 per cent think the proposed 24-hour deadline for notifying individuals of a data breach would advertise security weaknesses before an appropriate security review could be completed. Only 64 per cent and 58 per cent respectively believed that the proposed regulations would improve business security processes and consumer data protection.
As a result of these problems, Freij's feeling is that the issue is being "heavily negotiated" with the EU in an effort to water it down before the final version is published. This uncertainty about what the regulations will eventually contain certainly can't help CSOs begin to prepare for compliance with them.
Yet these are far from the only pieces of compliance legislation - just the ones that have hit the headlines. There are far more low-key, simpler pieces that still have to be obeyed, whether or not CSOs have heard of them and whether or not it is practical to do so. The FSA has, for example, imposed the requirement on financial services companies to have all business-related mobile phone calls monitored and recorded. The deadline for this was in November of last year. Many CIOs and CSOs managed to put in place ways to record phone calls, although some organisations took the more radical route of banning the use of mobile phones for work-related conversations. However, according to Natterbox CEO Neil Hammerton, while many companies put in place their compliance solutions at the last minute through complacency, technical problems were as much a cause.
"There was complacency. They knew it was coming for two years, but they didn't believe it was going to be enforced. But the technology largely wasn't ready last year: we were only ready from September and few global organisations would risk using a small company - if there's a breach, who would be accountable?"
