Tougher Data Protection Laws Could Force Businesses To Rethink Compliance

Say goodbye to the compliance-checkbox mentality: Data protection laws are expanding worldwide and cracking down on the way businesses protect electronic information, a new report published this week says.

"A New Era of Compliance: Raising the Bar for Organizations Worldwide," written by RSA and the Security for Business Innovation Council (SBIC), analyzes how new legislation and more legal muscle behind regulations are forcing businesses to change how they approach compliance. The report highlights how tougher enforcement, more data breach notification laws emerging around the globe, more prescriptive regulations, and increasing requirements for making enterprises responsible for the security of their data even when a business partner handles it are requiring businesses to look at compliance as a strategy, not just a necessary evil.

"Regulators are moving away from light-touch to more interventionist regulation," said Stewart Room, partner with the privacy and information law group at Field Fisher Waterhouse LLP and a data protection expert and guest contributor to the report. "That's clear in all senses of society and economy, so it's not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is toward more frequent regulatory intervention, more disputes, more arguments, and more litigation."

In the report, the SBIC, which is made up of Global 1000 security executives from JP Morgan Chase, T-Mobile USA, eBay, BP, FedEx, Time Warner, EMC, Cigna, and other firms, offered several recommendations for enterprise security teams in what it calls a new era of compliance.

"As more regulations are introduced, the rules are becoming increasingly prescriptive," said Art Coviello, executive vice president at EMC president of RSA, the security division of EMC, in a statement. "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider. Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle."

Among the recommendations by the SBIC: