EU privacy law poses compliance challenge for IT, warns Gartner


EU privacy law poses compliance challenge for IT, warns Gartner

Cliff Saran

Preventing the release of confidential information will be a major challenge for IT directors as they strive to comply with the EU Privacy Directive, analyst firm Gartner has warned.

One of the main security issues facing IT directors is how to cope with requests made under the Freedom of Information (FOI) Act, which can affect all public sector bodies and private sector companies contracted to them. Jay Heiser, research vice-president at Gartner, said, "Government and organisations will have greater responsibility to protect the identity of people."

Heiser warned that local authorities dealing with FOI requests could inadvertently leak confidential information. If someone received two or three pieces of unrelated information under the FOI Act, which were then combined, this could constitute a major leak of information, breaching the Data Privacy Directive, he said.

"There is very little guidance for local authorities. Policy and technology need to be in place to prevent local authorities from releasing proprietary information," said Heiser.

Privacy concerns have also been raised around the national programme for IT in the NHS on the basis of the access to electronic patient records of various staff. One of the stated aims of electronic records is to provide researchers with a wealth of anonymised information.

"The implication of collecting sensitive personal data on a national scale is that a sophisticated attack could infer information from data that has already been scrubbed away," said Heiser.

As well as compliance issues, Heiser warned of the growing threat of intellectual property theft. The case of Trojans being used for industrial espionage in Israel was a worrying development, he said. "Malware was purpose-built to attack a specific organisation."

In such an instance, users cannot rely on anti-virus protection, as the attack is not considered to be in the wild. To protect against such attacks Heiser advocated taking a process-oriented approach to security based on vulnerability management, intrusion prevention, identity and access management and network access control.

Another security weakness where intellectual property theft could occur is via USB memory sticks. Heiser said, "A huge amount of valuable data is leaking through the USB."

He advised users concerned about this type of data theft to invest in a content monitoring system. "This can be used to monitor how much sensitive information is being accessed," Heiser said.

Wireless networks pose a similar risk, with people connecting to corporate networks from almost anywhere. "It is a huge challenge for security staff to allow flexibility," said Heiser.

Compliance will be a key theme at the Gartner IT Security Summit in London from 14-15 September

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy