Ask any group of information security professionals what factor is driving investment these days, and they will almost certainly reply with one word: compliance.
Like it or not, the amount of new regulations affecting the acquisition, processing and storing of information have mushroomed in recent years. In the U.K., the Data Protection Act (DPA) has been joined by a range of other regulations, some of which, like the Freedom of Information Act, can sometimes appear contradictory and hard to reconcile with each other. And for companies operating internationally, the picture is far more complex.
The sheer volume of legislation and regulation can be mind-numbing and confusing, but a new book aims to pull together all of the relevant security regulations and provide insight into how companies should go about their compliance efforts.
Stewart Room, the author of the compliance handbook Data Security Law & Practice, is a lawyer with Field Fisher Waterhouse and an expert in the technology aspects of the law. "I've tried to cover everything that counts for anyone interested in information security," he said. "I have written this book for security professionals in the broadest sense, including not only CISOs and CSOs, but also the head of risk, the company secretary, head of legal and head of compliance."
Room said that while the law has provided some privacy protection from the 1950s onwards, and further safeguards have been added since the 1970s, the last six years have seen a barrage of new rules governing information handling.
According to Room, the information security world is experiencing a new cycle of legal development, something he refers to as a "regulatory bear market," where politicians and industry bodies are rushing to pile on more rules, often in response to a big accident, like a large data breach, or a corporate crime like the Enron scandal.
He dates the start of this latest legal cycle to July 2003 when the California Security Breach Information Act (known as SB 1386) came into effect. The legislation established the principle that if companies lost or exposed personal data entrusted to them, they had to disclose the fact and inform those potentially affected. The principle was soon adopted across most American states, and there has been growing pressure for similar disclosure laws to be introduced in the U.K. and the rest of Europe.
The next big milestone in the U.K. was the loss by HM Revenue & Customs in 2007 of two CDs containing personal details of 25 million people. The political fallout from that single event marked a sharp change of policy by government and regulators.
"Up to then, the Information Commissioner had repeatedly called for tougher data security laws and was getting nowhere. After HMRC happened, that all changed," Room said.
"The government announced the loss of the HMRC disks on November 20, 2007. On the same day, it made proposals for law reform of data security and also commenced the Data Handling Review under Gus O'Donnell."
Since then, the U.K. has seen the passing of the Criminal Justice and Immigration Act, which will give the Information Commissioner's Office powers to fine those who wilfully breach the Data Protection Act. Another piece of law, the Coroners and Justice Bill, will allow the ICO to do spot-checks on organisations it believes may be breaching the DPA.
And yet, as Room pointed out, the HMRC incident was "benign" -- although the CDs were never found, no one is thought to have suffered as a consequence of their loss. However, if a truly serious event were to happen, he said the regulatory regime would get much stricter with violations.
"HMRC has led to the development of an exceptionally tough legal environment that is only going to get tougher because we have a regulatory bear market dynamic," he said. "When we get a truly malign incident, such as an attack on some part of the critical national infrastructure, then we'll see a huge amount of change [in regulation], and it will become a very difficult environment in which to operate."
Companies therefore need to be well prepared and confident they are on the right side of the law. "If my prediction about the regulatory bear market proves to be true, then there is only going to be more disputes and more litigation between the regulators and regulated, and between individuals and [corporations]," he said.
Expect also to see 'ambulance chasers' advertising their services to help victims of data breaches, similar to those who currently tout help with personal injury claims, he said. "You can imagine the ad: 'Are you the victim of a security breach? Phone 0800 xxxxxx, and we'll litigate on your behalf for free'. It is easy to prove distress and damage. All you have to do is to subscribe for one month to a credit reference agency to prove how you've been affected. That could open the floodgates to distress compensation claims."
Room warned that organisations that fail to get to grips with their legal obligations are the ones that will suffer most. And that is why he has written the compliance handbook, which at 1,000 pages, is an up-to-date and comprehensive effort.
"If security professionals read this book, or just consider the content list, they will get a better understanding of what is at stake. There is so much weight behind the dam that it's going to burst all over them, unless they are properly prepared," he said.
And he concluded on a grim note: "The sad truth is that the state of compliance is getting worse, mainly because of the explosion in data volumes. There is greater risk and exposure, and organisations that stand still are getting further behind the curve," he said. "The criminals understand this -- they are adding more value to data than we are in our protection."
* 'Data Security Law and Practice' was published by Butterworths on 10 November 23, and costs £200. SearchSecurity.co.uk members may buy the book at a 15% discount, by ordering at Lexis Nexis and quoting the promotional code 9946.