'

Legal conundrums give IT staff the blues

RSA Conference: Companies are said to be struggling to get risk management under control as they wrestle with laws such as the Data Protection Act and the Freedom of Information Act

Corporate legislation is damaging risk management procedures and putting IT heads under pressure, a leading investment bank warned on Wednesday.

Michael Colao, director of information management for Dresdner Kleinwort Wasserstein, said that recent legislation was having a negative impact on risk management.

"CIOs (chief information officers) are now relying on convoluted processes rather than using sound business judgement based on years of experience," said Colao. "A process is easier to defend in court than personal judgement. This means that in many cases unnecessarily cautious decisions are being taken because the CIO is focusing on their personal liability, rather than what is best for the business."

Colao highlighted the European Data Protection Directive as an example of legislation that is posing particular challenges for businesses.

"This was brought in as part of the EU Common Market and was supposed to provide clarity and harmony across Europe. Because each country implements it in different way, the result is a fragmented and disjointed approach which causes all sorts of problems, particularly for global organisations,"

Analyst company Quocirca's service director Clive Longbottom agreed that legislation was set to make managing IT a tougher job. He said that the Data Protection and Freedom of Information Acts were causing a conflict of interest in firms.

"We have to able to prove security in one area and openness in others," said Longbottom, who warned that some consultants are recommending solutions that actually break the law. "Putting Sarbanes-Oxley solutions in means that companies probably aren't compliant with the Freedom of Information Bill [US]."

"Each piece of information needs its own ID," he added. "Compliance is incredibly complex. It's about getting it right and being able to demonstrate that you understand the assets."

Colao and Longbottom were speaking at the RSA Conference in Barcelona.