Information Security: A Regulatory Train Wreck
By Paul Kurtz, CSIA Executive Director
Governments around the world are responding to growing information security and privacy concerns by passing more laws and regulations. Frequently little thought is given to the global nature of the Internet as laws are passed.
Government action is based upon traditional legal institutions, local needs, customs and values. Yet action has a widespread impact transcending traditional political and legal borders. For example, California’s law requiring notification of consumers in case of a breach of their personal data has had an impact across the whole of the United States. Thirty-three other states have similar laws in place.
The Sarbanes-Oxley Act affects any company publicly traded in the United States and beyond. The European Union’s data protection and e-privacy directives affect any firm doing business in Europe.
While government passes more laws, business continues to globalise. The planned merger between the New York Stock Exchange and Euronext will blur regulators’ boundaries.
We face a train wreck if there is not greater discourse about regulation in the Information Age. Business will be burdened by conflicting, costly regulation inhibiting innovation and growth. Consumers will be confused by conflicting privacy and security regimes.
Here is a four-step framework for addressing existing and proposed regulations:
Regulatory Information Portals
The EU and US Government should establish web-based information portals on information security regulations. The portals would include information on existing law, noting the source, purpose and scope of each law. In addition, each entry would also include widely accepted best practices to facilitate compliance. Within the EU, there are a number of bodies that could house such a service, and the Department of Commerce could establish a similar service in the United States.
Voluntary Risk Management and Certification Framework
The EU and US Government should encourage business to voluntarily adopt Information Security Management System Standard 27001. The recently approved international standard provides a common, risk-based approach to security, privacy and compliance. The standard can be used to help comply with existing laws and is flexible enough to accommodate new laws, should they be necessary.
Regulatory Dialogue and Review
The EU and US Government should establish a strong transatlantic dialogue and review on information security laws and regulations. The review should identify the similarities, differences and conflicts among existing and proposed laws which directly and indirectly affect information security. When possible and appropriate, government representatives should seek to acknowledge equivalence of law and regulation, e.g. compliance with one country’s law would be deemed acceptable to another. Business leaders on both sides of the Atlantic should be asked for their comments and recommendations.
Needs Test
Apply the following three-step needs test when government on either side of the Atlantic considers new law or regulation:
- Whenever possible, apply existing legal and regulatory frameworks when considering passing a new law. For example, the US Congress, when addressing the need for a national data security and breach notification law, should adopt the Safeguards Rule under Gramm-Leach-Bliley Act (1999) rather than direct regulators to create a new set of rules.
- Whenever possible, legislators should offer incentives for the adoption of security practices rather than mandate specific security measures. For example, the US Congress should include a "safe harbour" in a national law which provides that notification is not necessary in the case of a breach when the data is encrypted. A similar provision has been included in the vast majority of data breach laws passed by individual states.
- A cost-benefit analysis should accompany any proposed law. The analysis should also detail why an existing law or legal framework is not sufficient, and the costs of implementing a new law.
None of these measures would be easy to apply. However, without a robust and ongoing transatlantic dialogue on information security law and regulation, we will soon be faced with a morass of bureaucracy which is impossible to apply, let alone untangle.
This article first appeared in the Spring 2006 issue of ENISA Quarterly, published by the European Network and Information Security Agency.