Communications Daily is a service of Warren Communications News.

Little Progress Seen Harmonizing National IT Security Rules

VIENNA, Austria -- Harmonization of international regulation on IT security isn’t happening, said Michael Colao, dir.-Information Management at Dresdner Kleinwort & Wasserstein, during a panel discussion at the RSA Security Conference here. “There are many talks about harmonizing, but we just don’t see the fruits from it,” Colao told us. There were, he said, regional attempts at greater harmonization in the Asia-Pacific but even EU-wide harmonization hasn’t worked out, and the U.S. is going its own way.


Companies operating globally must cope with this. They face conflicts among legal regimes. Several U.S. companies, for example, were said to violate basic data protection principles by the French Data Protection Authority (CNIL) by setting up a whistleblower hotline. The hotline was required by the Sarbanes-Oxley Act (SOX). The CNIL, said Colao, had sympathy for the companies but said French law must be upheld.

Colao said there were many similar situations. Italian data protection law, for example, has strict regulation of the length of passwords for the protection of information to be used by data protection officers. Passwords must be more than 7 characters long or data protection officers face up to 3 years in prison. Varying responses to theft of customer data are required by national laws. In Japan, for example, companies must make an apology as well as inform customers and authorities.

Keeping track of changes in the legislation in all countries of operation is essential for companies, and it’s a considerable burden, said Colao -- so it’s incumbent on govts. to achieve at least some harmonization. “But in the end,” he said, “all comes down to a sovereignty issue” -- govts. aren’t prepared to give up jurisdiction.

“Infrastructures cross borders, therefore we need to work together cross borders,” said Geoff Smith from the Information Security Policy Group of the British Dept. of Trade & Industry (DTI). Geoff admitted conflicts between various legal systems: “We at the UK are hosting some of the biggest gambling sites, which would be illegal in the U.S.” He said sovereignty was also at the core of debates at the World Summit of the Information Society (WSIS).

More government regulation through technology mandates is no solution, warned Robert Holleyman, pres. of Business Software Alliance. Holleyman said govts. should “enforce tough laws that are in the box,” “close the gaps in legislation with narrowly focused laws” and “improve enforcement.” Overreaction by legislators was a major concern.