RSA: ‘End Of Business As Usual’ On Compliance

As legislators lead a crackdown on data protection violations, regulators are beginning to take a more interventionist approach

Recent developments in data protection legislation and enforcement measures add up to a new and more hostile compliance landscape for companies, which demands a new way of thinking about compliance, according to a study from the RSA-backed Security for Business Innovation Council.

The report’s recommendations to businesses include taking action to influence legislators in order to keep data protection rules from growing too strict.

The tightened enforcement of existing regulations through expanded powers, higher penalties and harsh enforcement actions, as well as tougher legislation coming down the pipeline, mean “the end of business as usual”, according to the study, titled “A New Era of Compliance: Raising the Bar for Organisations Worldwide”.

Compliance nightmares

“Regulators are moving away from light-touch to more interventionist regulation,” said Stewart Room, a partner at the Privacy and Information Law Group of Field Fisher Waterhouse LLP, a data protection expert and guest contributor to the report. “As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation.”

The study highlighted the upcoming overhaul of the EU Data Protection Directive, which is expected to include not only increased enforcement but also requirements around breach notification. Plans for the overhaul are due to be published by the end of this year, the European Commission has said.

Recommendations for strengthening enforcement include providing data protection authorities with full powers for auditing, halting data processing and engaging in legal proceedings, according to the study.

The study also focused on the increased powers given to the UK’s Information Commissioner’s Office (ICO) in April, including the ability to hand out significant fines and conduct compulsory compliance assessments, and the potential to impose civil monetary penalties on data controllers.

Massive data breaches

Legislators are escalating information protection mandates due to a steady stream of massive data breaches and the resulting public outrage, according to the study.

“Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle,” stated RSA president Art Coviello.

The study made a series of recommendations, including building a programme that gives everyone involved in the handling of sensitive information the resources needed to make risk decisions; creating a consistent set of controls across the enterprise mapped to regulatory requirements and business needs; and moving away from “boilerplate” security agreements toward more comprehensive third-party strategies.

The study also recommended that organisations make efforts to influence legislators to ensure that regulations avoid overly-prescriptive rules.

The council includes executives from JP Morgan Chase, T-Mobile USA, eBay, ABN Amro, BP, Nokia, FedEx and others.

In April the European Commission warned the UK government that it would take legal action over data protection failures related to the Phorm behavioural ad targeting software used by BT.