The number of laws and regulations that affect organisations operating within the EU can be bewildering. Many of these European privacy laws have a direct bearing on how organisations must operate, which in turn can influence or determine the information security controls those organisations need to put in place. For example, businesses in the UK need to be familiar with relevant regulations and security laws, such as the Data Protection Act, which prescribes how personal or sensitive information must be processed and protected, to ensure their operations are compliant.
There is an entire section of ISO 27001 Information Security Management dedicated to compliance. The objective of control A.15.1 in ISO 27001 Annex A (the numbering used in the 2005 edition of the standard) is to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. Control A.15.1.1, "Identification of applicable legislation", states that all relevant statutory, regulatory and contractual requirements, and the organisation's approach to meeting them, should be explicitly defined, documented and kept up to date for each information system and for the organisation as a whole.
With some laws, it is easy to see the impact they have on security posture, policies and procedures. Section 221 of the Companies Act 1985, for example, clearly states that accounting records must be kept. Section 222 of the same act states that private companies must keep these accounting records for three years from the date on which they are made, and public companies must keep them for six years. The requirements of section 222 can easily be written into a document retention policy and a data classification policy, so that the necessary documents and data are kept secure, with controlled access, for the legally required period. These measures will also satisfy control A.15.1.3 of ISO 27001, which requires important organisational records to be protected from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements.
The purpose of the Computer Misuse Act 1990 is common sense: it makes unauthorised access to computer material an offence. However, an employer can be vicariously liable for the wrongful or negligent acts of employees committed within the general scope of their employment. The company's acceptable use policy should therefore explicitly prohibit unauthorised access to computer material, to strengthen the company's position should an employee be charged under the act. Since using an open wireless network without permission has been treated as an offence under the act, this should be covered too.
Other acts can be more difficult to apply in practice. The Copyright, Designs and Patents Act 1988 is a good example. It clearly states that computer software is protected by copyright and that using it without a licence is a copyright infringement. Your intellectual property rights policy, software control procedure and network user agreement should cover this area in some detail. However, new technologies and services such as Twitter are challenging because they blur the line between public-domain and copyrighted material, often making it harder to recognise whether material is copyrighted. The laws relating to copyright are being fiercely debated and reviewed, and legal guidance should be sought to ensure your organisation is up to date with how information collected via the Internet can and cannot be used.
There are other acts that, at first glance, may appear to have no relevance to your business at all, but in reality can have a major impact if they’re not fully understood and appreciated.
The Freedom of Information Act 2000 is a good example. This legislation provides a general right of access to information held by public authorities, establishing a "right-to-know" process under which anyone can request such information. Anyone of any nationality, living anywhere in the world, can make a written request and expect a response within 20 working days. (A request by an individual for his or her own personal data is handled instead as a Subject Access Request under the Data Protection Act.)
The Freedom of Information Act 2000 applies to most public authorities, which are obliged to meet requests, subject to a number of specified exemptions and certain practical and financial constraints. It also applies to companies that are wholly owned by public authorities.
However, other companies may also be affected. If your organisation has a contract with a public authority, or with a company directly covered by the act, the reports delivered under that contract may contain sensitive information you would not want made public. Because that information is now held by a public authority, it can be requested by anyone, whether a member of the public or a competitor, and disclosed unless an exemption applies. Even a failed tender bid, revealing your pricing and proprietary processes, may end up being disclosed.
Trying to circumvent this law with a blanket confidentiality clause is unlikely to be accepted by public authorities or by the Information Commissioner: the exemptions for information provided in confidence (section 41) and for commercially sensitive information (section 43) are judged on the actual content, and section 43 is also subject to a public interest test. The best approach is to consider whether particularly sensitive data really needs to be included in any documents submitted to government agencies at all. It is also a good idea to segregate confidential and non-confidential material, to reduce the risk of inadvertent disclosure and to increase the likelihood that a confidentiality exemption applies to the material that genuinely needs it.
You should also negotiate a clause in the contract that gives you the right to be notified about, and to make submissions in relation to, any information request that may involve your commercially sensitive information. This must be backed by an internal procedure so that, if a request for comments is received from a public authority, you can deal with it promptly and your views are put forward and considered in good time.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.