IT is one of the most rigorously regulated parts of an organisation, and legislation affecting information security is spearheading the legal changes.
The role of the IT function as gatekeeper to an organisation's most sensitive data means it is now also the most regulated department in the enterprise. The UK's most serious and far-reaching security breach, at least among those in the public domain, is a case in point.
In November 2007 a CD containing the personal records of 25 million individuals was, in effect, lost in the post. The records, held by Her Majesty's Revenue and Customs (HMRC), related to the payment of child benefit, and included more than enough information to carry out identity theft and fraud on a large scale. It is not surprising, then, that high-profile data breaches of this kind have had legal ramifications for the IT function.
As more information is shared electronically, the measures taken to safeguard its use and transmission have come under greater scrutiny. The use of citizen data by local and central government has helped move public services online, enabling more efficient, cost-effective administration and even self-service; but those services need to be developed in a way that reassures citizens that their data is safe from a variety of threats and from misappropriation.
Electronic information has become a similarly valuable currency in the private, commercial sphere. Sharing more data with customers, suppliers and partners can streamline processes, saving time and money through automation, but it also exposes companies to greater security risks: the exposure of financial, competitive or personal data, all of which are protected by legal conventions and regulators. Organisations therefore now mitigate these risks by requiring partners and suppliers to have certain levels of security in place before they will transact with them.
New wave of legislation
Even so, the tide of information security legislation is only set to grow, according to David Lacey, and he should know. With more than 25 years' professional experience leading the information security and risk functions for the Royal Mail, the Royal Dutch/Shell Group and the UK Foreign and Commonwealth Office, Lacey originated much of the content of the British Standard BS 7799, the information security management standard later adopted internationally as ISO/IEC 17799. He is a member of the British Computer Society Security Strategy Panel and a founder of the Jericho Forum, of which he is an Honorary Fellow.
'There is a wave of privacy and data protection legislation heading our way which started with California's introduction of data breach notification and reporting law,' Lacey warns. He says it is understandable why this kind of statutory law has swept across the US and further afield: 'It is citizen-friendly and easy [for lawmakers] to do,' he adds. But, he argues, the creation of additional 'red tape' is only serving to 'stifle IT innovation' and shackle the IT function to a daily grind of perfunctory audits and ticked boxes.
Some of these information security requirements are legally binding, while others are stipulated in terms of business, which are, in effect, contractually binding. The HMRC debacle, for instance, breached the seventh data protection principle of the Data Protection Act (DPA) 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data, and against its accidental loss, destruction or damage.
The Payment Card Industry Data Security Standard (PCI DSS), on the other hand, is not legislation at all: it is an industry standard maintained by the PCI Security Standards Council, which was founded by the major card brands, and it is imposed contractually, through the card schemes and acquiring banks, on merchants and service providers that store, process or transmit payment card data.
'The problem is that you get a wave of compliance when people aren't responsible with data; and there's no appetite to go back and design security in from the beginning, at testing,' explains Lacey. 'It is important that legislation is created, but it has a retroactive effect and is not forcing us to be aggressive or innovative enough. We need to move away from tick-box auditing and towards enforcing due diligence, by getting better at managing relationships and people.' This will become all the more important as data becomes ever more mobile.
Smart technology, smarter regulation?
Another issue is the rise of mobile technology, in the form of laptops and smartphones. As the HMRC example shows, and as Lacey notes, mobility is putting tremendous scrutiny on how enterprises manage the way employees use IT; stories of lost laptops abound. Dai Davis, a partner at law firm Brooke North LLP, says: 'Every time there is a security scare, the government stands up and says that we need more legislation. [What we need is] better enforcement of the regulations that are already in place.'
Davis advises organisations to use existing regulation not only as a way to remain compliant, but also as a means of enforcing best practice and mitigating risk. 'The DPA and Computer Misuse Act should form the foundation of information security policy, and its enforcement within public and private organisations,' he argues. Likewise, acceptable usage policies (AUPs) should be regularly updated and rigorously enforced, and staff should have a thorough understanding of what data may appropriately be stored, used and transmitted.
Stewart Room, a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP, agrees that, despite the increase in legislative measures taken in reaction to information security breaches, 'organisations are not fully attuned to the realities of the new legal environment this has created or aware of the consequences of non-compliance'. Like Lacey and Davis, Room contends that the solution is not a technical one, but one that 'requires a multi-disciplinary team outside of the IT function.
'That team should include the company secretariat, governance and compliance officer, chief security officer, the IT director, and heads of every business unit; and it should focus on proving due diligence,' Room adds. Where IT may be used to talking about 'threat vectors' from a technology perspective, a holistic view of data protection and privacy needs to take account of security threats from a people and process perspective as well as a technical one.
'There is an increasingly prevailing view that, no matter how much legislation there is, an organisation will never put its [information security] house in order unless there is buy-in from board level,' he points out.
How to use the E&T IT Security Legislation Guide
The guide below outlines the security-specific laws and regulatory obligations that apply to the IT function in the UK and much of Europe. It gives an at-a-glance view of the current and prospective information security legal load, together with the risks of non-compliance, particularly for those executives charged with ensuring that the requirements are observed and maintained.
Data Protection Act 1998 (DPA)
Year: 1998
Purpose: To safeguard the privacy of information relating to individuals that is processed by anyone, covering its acquisition, storage, use and disclosure. It also gives individuals rights over the use of their personal information.
Who it applies to: Anyone who handles personal information, with some exceptions, such as processing without an automated system such as a computer.
Who is responsible: CEO, CIO, IT director, data controller, legal and corporate governance functions.
Costs of non-compliance (legal and financial): Up to £500,000 for serious breaches [1].
Costs of non-compliance (other): Damage to brand and reputation; indication of substandard corporate governance, and of ignorance of legal obligations and liabilities.
Relevance rating (0-100): 75, depending on how important personal data is to the business.
Notes: The Information Commissioner's Office administers the DPA, which is the UK's implementation of the European Data Protection Directive.

Computer Misuse Act 1990
Year: 1990
Purpose: To deter criminals from using a computer to assist in the commission of a criminal offence, or from impairing or hindering access to data stored in a computer.
Who it applies to: Anyone who attempts or achieves unauthorised access to a computer or the data it stores by causing a computer to perform any function with intent to secure access.
Who is responsible: CEO, CIO, IT director, data controller, legal and corporate governance functions.
Costs of non-compliance (legal and financial): Unauthorised access to computer material (section 1) is punishable on summary conviction by six months' imprisonment or a fine 'not exceeding level 5 on the standard scale' (£5,000); unauthorised access with intent to commit or facilitate the commission of further offences (section 2) and unauthorised modification of computer material (section 3) carry the same summary maxima of six months or the maximum fine. Since the Police and Justice Act 2006 amendments, the maximum sentences on indictment are two years (section 1), five years (section 2) and ten years (section 3).
Costs of non-compliance (other): Criminal record, imprisonment; damage to brand and reputation.
Relevance rating (0-100): 99; applies to every organisation relying on computers.
Notes: Its principles should form part of an organisation's Acceptable Usage Policies (AUPs); see the separate AUP entry.

Payment Card Industry Data Security Standard (PCI DSS)
Year: 2004
Purpose: To help prevent payment card fraud through increased controls around cardholder data and its exposure to compromise.
Who it applies to: All organisations that store, process or transmit payment cardholder data.
Who is responsible: CEO, CFO, COO, CIO, head of e-commerce, legal and corporate governance functions.
Costs of non-compliance (legal and financial): Up to £200,000 for the largest merchants found liable for a fourth violation, depending on the card scheme [2].
Costs of non-compliance (other): Damage to brand and reputation; loss of customer, shareholder and partner confidence, and of sales; denial of access to revenue streams, in particular the ability to accept card payments; possible drop in share price.
Relevance rating (0-100): 70-80, depending on how important card payment processing is to the business.
Notes: In the first two quarters of 2009, £200,000 a month was being collected in fines for non-compliance [3].

Acceptable Usage Policy (AUP) covering IT access, including Internet and email usage from the workplace
Year: Not legislation. Organisations with employees that have information systems access should already have one in place, possibly as part of the terms and conditions of the contract of employment. Ideally AUPs should also be explained as part of the new-employee induction process.
Purpose: To set out restrictions on, and acceptable usage expectations of, employees with information systems access; to delineate clearly what employer-provided IT access can and cannot be used for; and to advise staff of unacceptable use, such as accessing inappropriate and disallowed websites, or using web email accounts for work purposes. AUPs can also enshrine information security guidelines.
Who it applies to: Any employer with information systems that its staff regularly access.
Who is responsible: Every member of staff with control over or access to ICT systems, but particularly the IT and HR departments and the legal and corporate governance functions. In some organisations there is an ongoing debate over which function should enforce AUPs when necessary; line managers might assume some responsibility in this respect.
Costs of non-compliance (legal and financial): Potential data breaches (see the DPA entry for an example) and the resulting penalties; and lack of protection against legal action that may be taken by a user over privacy and monitoring issues.
Costs of non-compliance (other): Public policy failures could damage brand and reputation and lower share prices; a reputation for lax controls in this area might also count against the organisation when recruiting key staff. Unrestricted downloading of online content introduces security vulnerabilities into enterprise IT systems, and can clog shared data volumes with non-work-related material.
Relevance rating (0-100): 80-90; most organisations should already have a policy, but it should be regularly reviewed and updated.
Notes: It is increasingly common practice to ask new joiners to sign an AUP before they are given access to information systems.

The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
Year: 1995
Purpose: Regulates the processing of personal data within the European Union, forming an important component of EU privacy and human rights law.
Who it applies to: Any organisation processing personal data within the European Union, including every business using ICT systems to process personal data.
Who is responsible: Every member of the business with control over or access to ICT systems.
Costs of non-compliance (legal and financial): Penalties are set by each member state's implementing legislation; for the UK, see the DPA entry. Potential data breaches and the resulting penalties; and lack of protection against legal action that may be taken by a user over privacy and monitoring issues.
Costs of non-compliance (other): Public policy failures could damage brand and reputation and lower share prices.
Relevance rating (0-100): 80-90; most organisations should already have a data protection policy in place, but it should be periodically reviewed and updated.
Notes: Transposed into UK law as the Data Protection Act 1998 and enforced in the UK by the Information Commissioner's Office.
[1] New powers given to the Information Commissioner's Office (ICO) that came into force on 6 April 2010.
[2] Visa may also pass on issuer reimbursement of fraud losses, which is unlimited and dependent on each individual issuer's claim.
[3] According to Neira Jones, head of payment security for Barclaycard, speaking to a recent PCI DSS user group meeting in London.