Cyber Security Industry Alliance Newsletter • Volume 2, Number 1 • September 2005

CSIA Expands Its Focus to Europe

Existing and proposed legislation in both the U.S. and Europe addresses cyber security in ways that are having a profound impact on how corporations are doing business. Legislation affecting corporations includes the EU’s e-Privacy Directive, Basel II, Sarbanes-Oxley and Gramm-Leach-Bliley. In addition, many other laws related to data retention and securing sensitive information are in the pipeline.

What is often lost in the debate around regulations is the international perspective that is so crucial in our global economy. For multi-national corporations, reconciling the requirements of regulations in the countries in which they do business presents a daunting challenge. For instance, a company based in Europe contracting with a company based in North America for services in a third country could find it impossible to comply with one set of laws without breaking others. This scenario will play out with increasing regularity and complexity until a certain amount of harmony is introduced to IT regulation. By expanding our focus to the EU, CSIA hopes to promote a global dialogue on the convergence of cyber security legislation, encouraging policy-makers across the Atlantic to interact and thereby helping multi-national corporations navigate the often challenging international compliance environment.

CSIA is currently meeting with corporate, political and technology leaders in Europe to further define our EU agenda and focus on the issues important to the European business community. At present, we are looking closely at the role of cyber security in achieving the correct balance between data retention requirements and the protection of personal privacy – which can often conflict, because each area is driven by different business requirements. Interestingly, the U.S. is currently in the midst of a similar debate around data preservation and how to protect personal data while finding the appropriate method and timing for notifying individuals whose personal data is at risk of being misused. It is important to understand the different contexts of the discussions on data retention and preservation, and it will be interesting to see the international repercussions of how these questions are answered on both sides of the Atlantic.

There are certainly differences in the way cyber security is treated on either side of the Atlantic, and that partly has to do with the different approaches that the EU and the U.S. have traditionally taken to legislation. From a regulatory perspective, Europe has essentially taken a top-down approach to privacy and data protection, with the EU’s Data Protection Directives, which span all sectors of the economy. These directives tend to be more comprehensive and specific than what we are seeing in the U.S. The U.S. has taken a more bottom-up approach to data protection and privacy, and tends to be more reactive to emerging threats on a sector-specific basis. Since both systems have positives and negatives associated with them, CSIA wants to learn more about the European system and take what works from both systems to make global cyber security more effective overall and ensure that conflicts between the two systems do not hold back the global economy.

With that, CSIA introduces our Global Perspectives section of the newsletter, where we will feature news items from Freshfields Bruckhaus Deringer. Our American readers may want to refer to the EU glossary of terms at http://europa.eu.int/scadplus/glossary/index_en.htm.