'Lawyers little help' in international minefield

IT directors can expect little help from lawyers as they struggle to negotiate their way through a minefield of conflicting international laws and regulations, delegates attending the Infosecurity Europe show heard.

Although lawyers have a good grasp of the key laws in their own country, few of them have the breadth and depth of knowledge to identify every law that could leave IT directors open to liability.

"The lawyers cannot help. As an information security director, I have discovered that in a number of countries I can be held legally liable. But the lawyers have not looked at this. There are all sorts of requirements in all sorts of laws," said Michael Colao, global head of IT security at investment bank Dresdner Kleinwort Wasserstein.

Various European Union countries have interpreted VAT laws in different ways, making discrepancies in rules on sending e-mails containing financial information across national boundaries. This has profound implications for the design of IT systems, but is little known among lawyers.

It is important for IT managers in multinational companies to understand not only what the law says, but how it is applied in practice. The same European laws are often interpreted differently in different countries, said Colao.

The French authorities, for example, acknowledge that their data protection laws are in direct conflict with the US Sarbanes-Oxley Act, but they insist that multinationals comply with French law.

"Data protection law in Hungary makes it impossible to transfer data outside Hungary," said Colao. "But the regulators run a 'don't ask don't tell' policy. If you do it and it is not too egregious, they will not prosecute."

The UK information commissioner will rarely prosecute firms for breaching data protection legislation, but the Spanish will fine companies for even the most technical data breaches. "What do you do? Do you pay the fine or pull out of Spain?" said Colao.

John Meakin, head of security at Standard Chartered Bank, said IT departments were having to contend with large amounts of badly thought-out legislation.

"Basically lawmakers do not understand what they are making laws to control. But every now and then they feel it is important to take action. Fortunately, in Europe, most laws have a non-specific impact on what I do," he said.

"Do what makes sense for good IT security first, and then check out the local laws. Try to understand the gist of what they are trying to do with the law, whether it is domestic law, regulation or EU law. Try to understand what is behind it."

It is important to make friends with your lawyers and to educate them on the legal risks faced by the IT department, Meakin added.