The legal framework in which businesses operate their IT and data security is “totally outdated” and dates “from the 20th Century, while attempting to tackle problems in the 21st”, according to a panel of experts.
Michael Chertoff, former Secretary at the US Department of Homeland Security, told the CyberSecurity Summit in London that lawmakers were ill-advised to attempt to adapt the existing framework to a fast changing data environment.
“We need to start with a clean sheet of paper and decide what security we want to promote,” he said. “The military, the police, governments, businesses and individuals all have their own ideas of what needs doing and how to do it.”
“We’ve got to separate the IT security problems that pose a risk to the state, those that risk life and limb, and those that endanger personal data,” he said.
It was wrong to “start with the law and try to fit it to the facts”, said Chertoff, now the co-founder of his own security advisory group. Adjusting existing laws would mean “thinking in categories that are not relevant”.
Stephen Deadman, legal head at Vodafone, said the people being monitored by regulators under data security laws did not always count as the “full picture” of those involved. “Often people look at the data controller, but what about all the intermediaries handling and processing data in any organisation? Also, what about the international transitioning of data in businesses? What is there to address this?”
Deadman said there was an increasingly difficult conflict between people voluntarily placing swathes of data on sites such as Facebook and Twitter, and increasingly demanding data security and privacy elsewhere. “The law really needs to address this,” he said.
Stewart Room, a partner at law firm Field Fresher Waterhouse, with expertise in data privacy, said the law “needs to introduce a proper obligation [on businesses] for IT security”, if the current confusion among businesses, on what they need to do, is to be tackled.
“The threats are considerable, and there need to be proper laws,” he said. “It’s just naive to think people will protect assets without a law.”