Complicated Compliance

Compliance is increasingly cited as a major driver for information technology investments. However, the focus is on a few high-profile examples, while requirements from various countries and more industry-specific requirements receive little attention, despite their similar impact on IT.
Written by Carsten Casper, Contributor

IT organizations (ITOs) must understand the similarities and differences among various legal requirements and start identifying common patterns, which they can subsequently address with a comprehensive compliance strategy.

META Trend: The strategic approach to information security will continue to transform from a set of ad hoc activities to a coordinated approach of principles, behaviors, and adaptive solutions that map to business requirements (2004-06). This will result in the establishment of strategic programs with dedicated budgets (60% of Global 2000 organizations by 2004/05, 80% by 2006/07). Organizations that address regulatory compliance with a comprehensive program (aligned with the security strategy) will increase to 40% by 2005.

“Compliance” in the true sense of the word cannot stand on its own. It requires a legal requirement or a standard for context. An organization cannot attain compliance unless it specifies what it wants to comply with and to what extent. US legislation has focused on specific topics (e.g., SOX, HIPAA, GLBA), and consulting and vendor offerings are being developed to help companies “comply” with these laws. Yet given the vagueness of many of these offerings, the solutions do not guarantee exemption from prosecution. Furthermore, looking beyond these well-known legal requirements, the picture is rather diffuse, with a multitude of laws, regulations, and standards in different regions (e.g., EU Directives) and industries (e.g., Basel II) that require so-called “compliance.”

Identifying the impact on IT is a challenge. Legal texts are often vague and sometimes contradictory (e.g., fighting terrorism by screening airline passenger data versus protecting passenger privacy by not transferring that data to a third party), and for new legal requirements, the case law that would clarify their implications has not yet been established. Throughout 2004, the focus will be on implementing specific regulations reactively as compliance deadlines approach. Generic vendor offerings that may help organizations comply with a broader set of laws will emerge, but will not mature until 2006. By 2007, ITOs will need to identify recurring patterns in compliance requirements, develop a framework strategy, and align compliance efforts with enterprisewide risk and security programs.

Legal Requirements: Various Forms
Roughly speaking, legal requirements include laws, regulations, and case law, with major international differences as to who defines these "legal" requirements. In general, laws are more generic and issued by the legislature (e.g., parliament); regulations are more specific and issued by the executive branch (e.g., government agencies, ministries); and case law, established by the judiciary (e.g., courts), interprets laws and regulations and adds nuances.

In the European Union, a Regulation (e.g., the Block Exemption Regulation 1400/2002) is a legal act that is directly binding in all member states and cannot be overruled by national law, while an EU Directive (e.g., the Data Protection Directive 95/46/EC) is meant not to unify but to harmonize legislation. An EU Directive must be transposed into national law by each member state. This process takes time (typically two to five years), and the resulting national laws can vary. In most cases, international law is not immediately binding: it usually requires ratification by participating countries (e.g., the European Convention on Human Rights, whose Article 8 is sometimes cited by privacy groups; the often-quoted Council of Europe Convention on Cybercrime has been ratified by only a few smaller countries and is not yet in force).

In addition to legal acts that are binding once they have passed their respective legislative procedures, there are industry-specific or region-specific reference models, including standards (e.g., ISO 17799), regulations from collectives/organizations (e.g., IATA for travel, SWIFT for banking), guidelines (e.g., COBIT Audit Guidelines), and codes of conduct (e.g., corporate governance codes of conduct).

Although these models are not legally binding, demand from partners and customers or lobbying efforts from industry associations can put significant compliance pressure on organizations. Enterprises can be excluded from certain markets (e.g., government procurement) or lose benefits if they do not abide by these standards. Therefore, these “soft laws” can have as much impact as directly binding legal requirements. Some legislators link voluntary rules or codes of conduct with a legal basis by requiring organizations to explain their decisions not to abide by these voluntary rules (i.e., “comply or explain”).

Corporate Governance on the Rise
Currently, the most visible compliance area is corporate governance. So far, the action has been more in the US than in Europe. Although the demanding requirements of the Sarbanes-Oxley Act are being discussed in ITOs throughout the US, regulations in European nations are rather soft (mostly voluntary) and hardly ever impact the IT organization directly. Corporate governance in Europe is characterized by a traditionally strong relationship between owners and managers ("insider systems"). Yet as enterprises grow and relationships expand, the need for a more transparent and independently controlled relationship becomes apparent.

The situation has been changing in recent years, shifting toward the more fluid and arm's-length approach taken in the Anglo-Saxon countries (i.e., the UK, Ireland, and the US; "outsider systems"). Although these changes in corporate governance have been significant in some European countries (e.g., The Netherlands, Finland, France), transformations in other countries have been less visible (e.g., Germany, Italy), and in a few countries they are hardly detectable (e.g., Luxembourg). Overall, divergence in Europe is increasing, making it difficult for the EU to establish European corporate governance legislation. However, after a major pushback by the European Parliament in 2001, the consultation phase on a new Action Plan for Company Law has been concluded, and new legislative initiatives at the EU level can be expected by 2H04. Similarly, the OECD Principles of Corporate Governance are currently under review, and an update can be expected by mid-2004.

Privacy and Its Competitors
Companies are increasingly willing to comply with privacy regulations, but the way many privacy laws are currently set up makes that difficult. Dealing with privacy is an additional dimension in current business environments (e.g., a separate type of data in business applications, a separate classification regarding confidentiality). Privacy is also competing with other compliance requirements such as demands for secured Internet access (e.g., content security/employee monitoring), data retention (e.g., keeping records for the purpose of transparent and pursuable company management), the fight against terrorism, and most recently, the increasing demand to control spam.

In some respects, privacy data is very specific (e.g., "birth date" clearly is personal data, while whether particular financial data is personal is typically open to interpretation and needs further judgment). Yet privacy laws do not take into consideration how the ITO actually processes the data. Most importantly, the question of where data is stored and where it is processed is a source of confusion (e.g., which law applies, and how to resolve conflicts between the laws of different countries in cross-border data transfers). As a result, there is a gap between what privacy laws require and what ITOs are able to provide.

Keeping an Eye on the Rest
There are additional legal requirements to comply with, each receiving varying public attention: 1) encryption laws; 2) laws for the protection of critical (information) infrastructure; 3) electronic signature laws; and 4) international prosecution of cybercrime. Enterprises must broaden their scope when designing strategies for complying with laws, regulations, and guidelines, taking into account the various national and international requirements and identifying what they have in common.

Bottom Line: When addressing compliance issues, organizations must look beyond the hype of current laws and regulations to address topics such as corporate governance, privacy, encryption laws, signature laws, and critical infrastructure requirements simultaneously. International organizations must understand the legal requirements of various jurisdictions, including the similarities and conflicts among them.

Business Impact: Failure to take a step back and understand legal requirements in a broader context will result in multiple isolated compliance solutions, which will be questioned when conflicts among them become apparent. Lack of understanding regarding the differences in various jurisdictions will result in compliance failures or in overcompliance (i.e., investing more than necessary).