This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/datalockdown/0,3800014480,39184600,00.htm
Vendors hype up compliance fears
UK laws are relatively sparse…
By Danny Bradbury
Published: Tuesday 08 April 2008
Compliance. The word strikes fear into the heart of even the hardened executive. We're warned of dire consequences if we get it wrong - especially in data security. But could it be that suppliers are talking up the issue, asks Danny Bradbury.
Read the average vendor white paper on the issue and it seems that picking your way through the regulatory landscape is as dangerous as navigating a field of stinging nettles in your birthday suit.
But according to some legal experts, things aren't as bad for UK companies as you might think.
Tamzin Matthew, partner at law firm Blake Lapthorn Tarlo Lyons, says that when she does talks on subjects such as email archiving, people often express surprise at how few pieces of legislation there are that mandate businesses to handle information in a certain way.
"They're led to believe that compliance is a huge, appalling task and that there's lots of legislation out there that they won't be able to keep up with," says Matthew.
"It's the interest of some vendors to put the fear of God into people," she says, pointing out that the legislative framework in the UK is relatively sparse when it comes to prescribing specific information security measures.
Why the Chicken Little syndrome? Part of that is down to marketing hyperbole, and some of it is down to regional differences.
"The US is a completely different climate," she says. "Go to California and their legislation is red hot on data security." Vendors coming from that culture are bound to develop marketing messages that support it.
Data Protection Act
The most significant piece of legislation in the UK is the Data Protection Act, the principles of which govern the handling of personal information. But the information commissioner's powers are relatively weak, says Matthew.
"What he's taken to doing now is getting an undertaking from individuals and organisations that have breached the Data Protection Act, and naming and shaming them in press releases," she says.
Slapping someone on the wrist and making them promise not to do it again might not seem exactly hard-nosed, but things can escalate.
If companies fail to comply with an enforcement notice, then it becomes a criminal offence. And Phil Huggins, CTO of security consultancy IRM, thinks the DPA will become more of an issue as the 2006 Companies Act begins to impact operations. The act confirms directors' duties to run their companies responsibly - something that was previously outlined only in case law.
That's something that might give the DPA as much impetus as section 404 of the Sarbanes-Oxley Act, which covers internal controls supporting financial reporting.
While this US act covers companies listed in that country, it can also affect UK firms that are subsidiaries or partners of US firms. A lot of Huggins' work today concerns Sarbanes-Oxley compliance.
Industry self-regulation
While legislation has been relatively sparse on this side of the pond, industry self-regulation has been aggressive. The £980,000 fine the FSA imposed on Nationwide in February last year, following the theft of a laptop holding unencrypted data, highlights that.
Yet such regulations are often vague, dictating only a reasonable level of security. "You're reading the entrails of people who have been punished to find out what happened," quips Huggins.
In the main, industry regulations are so non-prescriptive that following them becomes partly a game of instinct. Matthew of Blake Lapthorn Tarlo Lyons says IT people often like things in black and white because they are process-oriented. "They hate the greyness that comes from all this."
She adds that what little government legislation there is can also suffer from this problem. "I've been dealing with the DPA since it came out and I know it intimately, and I can still say that there are certain areas of it that are very grey."
How can businesses address specific security concerns when dealing with sometimes vague regulations? Bob Tarzey, a service director at tech advisory firm Quocirca, says, "The question businesses should be asking themselves is, 'Are we reckless with the way we handle customers' data?'"
That will depend on a variety of criteria. How sensitive is the data, and where is it stored, for example? Some sort of framework is needed.
Stuart Okin, associate partner at Accenture, says, "A lot of people turn to the ISO standards, and some of the detailed security standards around encryption, to support them."
Generally, taking a risk-based approach and using the ISO 27000 standards as a framework will give companies a level of detail not found in some of the broader regulations - especially those that discuss data security in the context of wider operational risk.
However, that may not work with the PCI DSS standard. Imposed by the major credit card companies on those collecting payment, it makes strict, specific requests on data security.
Technically, the credit card firms have been within their rights for some time to impose fines on non-compliant firms, but IRM's Huggins suggests the level of non-compliance is so high that they have been holding off, instead looking for at least some progress towards compliance from the major ecommerce players.
The UK may not be quite as litigious as the US but tiptoeing through the regulations and legislation that does exist may still be a little scary for companies because the rules are blurry in places. Navigating the landscape will require some gut instinct, common sense - and above all, a good lawyer.
Copyright © 2008 CBS Interactive Limited. All rights reserved.