Data protection laws vital for outsourcing hubs

Countries positioning themselves as outsourcing hubs must show they have stringent security regulations that protect customer data, say Symantec execs.
Written by Lee Min Keong, Contributor

KUALA LUMPUR--Asian countries seeking to become outsourcing hubs will greatly benefit from formulating data protection laws, according to Symantec.

Tan Wei Ming, the security firm's Asia-Pacific senior manager of government relations, noted that because information flows between countries to be processed for outsourcing operations, it is vital that countries involved in these activities implement strong data protection laws.

Government security stats
•  Top country of origin for attacks targeting the government sector was China, which accounted for 22 percent of such attacks.

•  Denial-of-service attacks were the most common tactic targeting government and critical infrastructure organizations, accounting for 49 percent of the top 10 attacks in 2008.

•  The leading government top-level domain identified to be most used in phishing lures in 2008 was "go.th", indicating sites associated with Thailand's government.

Source: Symantec, April 2009

"I think that is why some countries are talking about having strong data protection laws, because if you are positioning yourself as an outsourcing hub...then you have to demonstrate [you adopt stringent] security standards," Tan told ZDNet Asia.

Singapore-based Tan cited the Data Security Council of India, which was established to protect businesses, raise awareness and spread best practices on data security and data privacy. This has helped India become the world's top IT outsourcing destination, he said.

However, Tan noted, only a handful of countries in the region--Japan, Korea, Hong Kong, Australia and New Zealand--have passed data protection or data privacy legislation. Countries currently in the process of introducing similar legislation are Malaysia and the Philippines, both of which have ambitions to become major outsourcing hubs.

He commended Malaysia's decision to establish the Personal Data Protection Bill, which media reports indicate is due to be tabled in parliament this October. The legislation aims to monitor the processing of private data by users, safeguard individuals' data and rights, and prevent abuse, according to the Information, Communication and Culture Ministry.

Tan noted that companies operating in countries that have not passed data protection laws would instead need to rely on their internal security policies and relevant ISO certifications to reassure potential clients.

Tiffany O. Jones, Symantec's Americas director of government relations, said in an interview: "Having data protection laws in place will create more innovation within the country because if you are adhering to international [security] standards, it is more likely you are going to get more business flowing into your country."

Jones and Tan spoke with ZDNet Asia on the sidelines of a security conference held here this week.

A public-private partnership
US-based Jones noted a trend among governments to formulate more formalized security strategies, policies and legislation to combat cybercrime, and protect their countries' critical infrastructure.

Given that the majority of such infrastructure is owned by the private sector, she said the "big question" many governments wrestle with today is establishing the right partnership with market players to protect the infrastructure.

Symantec is currently in talks with governments around the world and provides input on the drafting of proposed security-related legislation. "In the United States, there are now 46 states with data security legislation in place," Jones added. "There are plans to codify a national bill that would cover all states and the federal government."

She outlined three key principles Symantec recommends to governments that are looking to pass data protection legislation.

First, the legislation should have a preventative component. "Don't just be worried about what happens when there's a security breach. Try also to prevent it from happening by making sure there are reasonable security measures in place," said Jones.

Second, ensure there is a notification standard, which everyone should comply with, for notifying consumers if a breach occurs.

"Third, have a safe harbor provision stating that if you follow reasonable security measures, and also go above and beyond that, for example encrypting data, then you don't have to notify [consumers] if you can render the data unusable," said Jones.

However, drafting such legislation on a global scale presents certain problems, such as differing definitions of what constitutes private information, as well as inconsistencies in the laws themselves. For example, countries have varying terminology for legislation such as data privacy, data security, data protection or data breach, said Jones.

"We want to make sure that legislation, whenever it is formulated, is consistent so that consumers can expect consistency in how data is protected and that companies can better comply," she said. "It's more difficult for a company like Symantec, which has global operations, to comport with a hundred different country laws...[without] having a kind of a baseline standard."

Lee Min Keong is a freelance IT writer based in Malaysia.
