Security professionals need to be prepared for the effects of the latest wave of information security legislation to hit the UK in April 2010, says a privacy and information lawyer.
Information security law has been moving at "Olympian pace" since HMRC disclosed the loss of the personal details of 25 million people last year, said Stewart Room, partner at law firm Field Fisher Waterhouse.
Since then there has been a quick succession of regulations and laws relating to information security leading up to the Coroners and Justice Act of November 2009, he told the (ISC)² Secure London Seminar.
From April, this Act gives the Information Commissioner's Office powers that will eventually touch every organisation in the country, said Room.
This includes the power to conduct information security audits and impose fines of up to £500,000 for serious data losses.
Information security professionals need to be aware of the potential organisational and personal consequences of failing to ensure secure information systems, said Room.
In this context, he said, "information systems" includes security policies and governance processes, so security professionals who fail to ensure these meet the requirements of the law could expose themselves and their organisations to punitive action.
A unified security policy that includes several key elements covered by the new legislation will provide quick wins for security professionals and their organisations ahead of 6 April, he said.
A unified data security policy must deal with:
• Contract initiation - data handling rules and procedures
• Project initiation - data handling rules and procedures
• Worker adequacy - skills, security clearance, security training
• Third-party assurance - data handling rules and procedures
• Culture and governance procedures for ensuring data security