Peter McLaughlin, the former global privacy leader at Cardinal Health, recently hosted a panel discussion in Washington, D.C. that examined how multinational firms grapple with differing security regulations across the globe.
Two of the panel participants – General Motors' Bob Rothman and Accenture's Benjamin Hayes, both heads of privacy – offered up fundamentally different ways to address data assessment, a critical step toward complying with the varying laws across the globe.
Hayes suggested getting an in-the-weeds look at the data one collects and full awareness of where it travels, McLaughlin recalls. Rothman took a divergent path. He said GM retains too much information to reach any level of precision. It is most logical to focus on reliable data flows rather than worrying about unstructured, constantly changing data flows, such as email, over which one has little control.
McLaughlin says neither man is wrong in their approach. What would be wrong, he says, is if the men had no approach at all.
The advantages of globalization have been well documented over the past two decades. But perhaps being overlooked by some is an understanding of the rules of the land in which one operates.
“A lot depends on the recognition that we're a company doing business internationally,” says McLaughlin, now senior counsel responsible for information security and privacy at Foley & Lardner. “And even though it may be difficult, we need to make a definite effort at understanding what information we have, what rules apply and how we can conform our behavior appropriately.”
As if the laundry list of information security-related regulations greeting businesses in the United States is not enough, many countries – whether located in North and South America, Europe, the Middle East or Asia – have and continue to draft their own legislation.
Failing to prepare to meet these new compliance demands – as well as addressing any international cyberincidents that may arise – could open the door for increased costs, enforcement penalties and, perhaps worst of all, data exposure, experts say.
“As organizations move overseas, the regulatory environment and the implications become exponentially more complicated,” says Dave Howell, senior manager for compliance solutions at Bedford, Mass.-based RSA. “The key risk is understanding that when you build new facilities and data infrastructures in other regions, where does the data go?”
Conflicting laws
At Miami-based Interval International, a timeshare exchange network that has offices in 26 countries and more than 2,000 resorts in more than 150 countries, compliance can get tricky, says Chief Security Officer Sasan Hamidi.
For instance, Interval must respond to European Union (EU) laws that prohibit companies from storing data on residents for more than seven years. But here in the United States, Interval stores some data indefinitely out of convenience for customers who, for example, dispute a transaction, Hamidi says.
The EU also bans the storage of information on residents outside a member state's borders.
“You have to realize that as a corporation this means I can't have a centralized database,” says Tracy Hulver, vice president of product management at Edison, N.J.-based netForensics. “I can't have a distributed database and back it up centrally. You have to really map it out and understand what the mandates are saying.”
The EU also prohibits the transfer of certain data – such as ethnicity, health and arrest reports – outside its boundaries, McLaughlin says. While regulators are largely after a few bad seeds, large and reputable organizations are also targets.
Last spring, France's data protection agency fined a subsidiary of Tyco Healthcare €30,000 ($47,000) for illegally transferring employee data to the company's headquarters in the U.S. Experts considered this a warning shot that may foreshadow increased enforcement by overseas regulators.
“While a lot of this stuff flies under the radar, the wiser course of action is to at least know what the rules are and then determine how you're going to comply with them,” McLaughlin says. “If not, then you have a good story as to why you weren't compliant with those laws.”
Hamidi says global privacy regulations may not only rattle the company's pocketbook because of compliance costs or potential fines, it could impact sales as well. In the United States, Interval relies on software cookies to offer deals that many website visitors may want, such as a rental car. But in Europe, such a marketing tactic is illegal.
“We have to distinguish by the originating IP address so that we can give Europeans the option of opting out of the cookie,” he says. “That's keeping members from actually booking those things. So that's lost revenue.”
Plan of attack
When it comes to tackling international regulations, experts suggest assessing risk to prioritize where to expend efforts. That means taking into account the amount and type of data residing in a particular location, in addition to determining how robust the company's security posture is in that nation or region.
“You absolutely have to take a top-down approach,” says Gordon Burnes, vice president of marketing of OpenPages, a Waltham, Mass.-based provider of enterprise risk management. “Where are the regulations most stringent and where are the penalties the strongest for dealing with exposure of sensitive data?”
After the risk assessment, organizations should inventory and classify their data, specifically the information that is regulated, experts say. After all, that is what the criminals are after.
“If you start to build facilities in other geographies, you need to understand where in those geographies the data is going and what is the risk,” Howell says. “That's a really tough problem to solve.”
But when it comes to building a program, organizations should consider following a best practices framework, such as ISO (International Organization for Standardization) 27002. The standard speaks to 12 key areas of information security, including risk assessment, policy, physical safeguards, access control and incident response.
“By starting with a framework, such as ISO, you're able to put a program in place that will get you on the way to complying with all the regulations,” Howell says. “It's certainly not a cure-all, but it's a good place to start.”
In this vein, businesses should learn whether a common control can satisfy multiple requirements. The more variety an organization has in place, the more expensive meeting compliance will become.
“By treating compliance holistically as a program, rather than as individual projects, an organization can reap savings from more efficient governance and processes, decreased testing and documentation costs, and reduced capital allocations through rationalization of infrastructure that supports regulated activities,” Gartner analyst French Caldwell writes in a February research report.
To assist U.S.-based companies, the Department of Commerce oversees a safe harbor arrangement that allows organizations to comply with the EU directive. The EU approved the framework in 2000.
Companies must re-certify each year and pledge that they are meeting seven principles outlined in the directive, which includes only collecting information that is reasonably necessary. Opting into the program helps firms “avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities,” according to www.export.gov, a U.S. government services website.
Interval International, which also must be compliant to the Payment Card Industry standard as a Tier Two merchant that processes between one and six million annual credit card transactions, operates in more than two dozen countries, some outside of the EU.
But, Hamidi says, “We find that once we comply with the EU member states' legislation, that they are so tight that we automatically cover other legislations as well. Between the EU, the U.K. and California [SB-1386], we feel that when we deal with those three major legislations that we should be OK.”
Hamidi says American businesses should also have dedicated personnel sitting in their international offices who are aware of the local law and culture. As CSO, he tries to keep up with the latest international legislation, but will inevitably contact an attorney in Interval's London office to break down the law.
“We look at this legislation and try to take apart some of the provisions that could impact us,” he says.
Responding to incidents
Similar to Hamidi having a team of attorneys to help interpret guidelines, businesses are advised to make sure they have a group ready to respond in the event that a security breach affects one of its global properties. These individuals should be knowledgeable of the region's culture Siand help firms avoid any potential miscommunications due to language barriers.
“Companies need to make sure they have response plans in place so they're not drawing one up while they're getting attacked,” says Chris Painter, senior counsel to the assistant attorney of the criminal division at the U.S. Department of Justice. “The sooner you can come to law enforcement, we can take action.”
That means that prior to an incident, companies are encouraged to form relationships with local law enforcement, Painter says. In addition, businesses can turn to cross-border agencies, such as Interpol and the FBI, for assistance.
A number of other initiatives are in place to assist companies overseas on the investigation and enforcement end. Painter chairs the high-tech crimes subgroup of the G8, a group of nations making up the eight largest economies. The committee has established a 24-hour network of law enforcement contacts, comprising 50 countries, for use in cybercrime cases involving electronic evidence.
The participants can assist one another with data preservation and analysis, especially if a particular attack extends across borders. But companies also must keep in mind that, during investigations, laws may prevent them from transferring data. But companies also must keep legislation in mind when they try to make sense of what happened.
“One of the standard things you want when investigating a breach is to get the maximum amount of information so you can understand the complexity of that problem,” says Jim Hansen, executive vice president and COO of Mandiant, a security intelligence firm. “If you've got some you can't bring home with you because of privacy laws, it makes your work a little bit tougher.”
On the enforcement side, Painter's subcommittee is working diligently to ensure that countries have adequate laws for dealing with digital offenses – laws that will punish violators and also encourage cooperation.
One measure that is rooted in collaboration is the Council of Europe Convention on Cybercrime, which the United States entered in 2006. The convention is a legally binding treaty in which participants commit to standardizing laws and tools to defend against cybercrime, as well as cooperating to investigate incidents. Forty-three nations have signed the treaty.
This type of initiative is proof that the mindset is changing as corporations and governments attempt to ward off a sophisticated, evolving enemy. Such a change cannot happen if one does not adjust to the global landscape, which, like it or not, comes with rules and penalties.
“We don't have a U.S.-centric mind,” Hamidi says.
[Sidebar 1]
Help is here: Rules of the road
Many U.S.-based firms are understandably overwhelmed at the prospect of meeting compliance demands overseas, especially when it is still a struggle for some to respond to American legislation, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.
The good news is that many international mandates are based on U.S. laws. Still, the devil is in the details, and rules may differ from country to country or region to region.
Within Europe, where most U.S. subsidiaries are based and where the most stringent privacy laws are enforced, the European Commission has issued the Data Protection Directive, and each of the 27 member states are responsible for implementing these guidelines. Each nation, though, does it differently, says Peter McLaughlin, the former global privacy leader at Cardinal Health.
“If you're a decent size [U.S.] company doing business internationally, you most likely have a substantial data footprint in Europe,” he says.
Italy and Spain have delineated how companies must deploy access controls and encryption, whereas the U.K. has not, for example, McLaughlin says. Most European countries lack a data breach notification law, but even so, in the event of a breach, a firm likely violated a privacy regulation that will force the incident to become public. – Dan Kaplan
[Sidebar 2]
The Group of Eight: Global summit
The Group of Eight (G8) is an international forum made up of the governments of Canada, France, Germany, Italy, Japan, Russia, the United Kingdom and the United States. The group describes itself as “a club of leading industrialized countries, regularly meeting and consulting to enhance their friendship and synchronize their points of view as regards the major international economic and political issues.”
While these countries constitute around 14 percent of the world population, they represent about 65 percent of the world economy, not to mention three-quarters of the planet's military might.
The G8 summits normally deal with macroeconomic management, international trade and relations with developing countries. Topics discussed have also ranged from health, law enforcement and economic and social issues to terrorism and trade.
The next G8 summit will be taking place in Japan, July 7-9.
[Sidebar 3]
Trying to comply: Resources
Gartner's French Caldwell, in a Feb. 4 report titled “Which Regulations Apply to Me?,” says businesses can get a handle on IT security-related legislation through a number of free or pay services.
The best places to look are the regulatory databases:
Additionally, certain industry associations or government affairs offices may be valuable sources of information. – DK
Two of the panel participants – General Motors' Bob Rothman and Accenture's Benjamin Hayes, both heads of privacy – offered up fundamentally different ways to address data assessment, a critical step toward complying with the varying laws across the globe.
Hayes suggested getting an in-the-weeds look at the data one collects and full awareness of where it travels, McLaughlin recalls. Rothman took a divergent path. He said GM retains too much information to reach any level of precision. It is most logical to focus on reliable data flows rather than worrying about unstructured, constantly changing data flows, such as email, over which one has little control.
McLaughlin says neither man is wrong in their approach. What would be wrong, he says, is if the men had no approach at all.
The advantages of globalization have been well documented over the past two decades. But perhaps being overlooked by some is an understanding of the rules of the land in which one operates.
“A lot depends on the recognition that we're a company doing business internationally,” says McLaughlin, now senior counsel responsible for information security and privacy at Foley & Lardner. “And even though it may be difficult, we need to make a definite effort at understanding what information we have, what rules apply and how we can conform our behavior appropriately.”
As if the laundry list of information security-related regulations greeting businesses in the United States is not enough, many countries – whether located in North and South America, Europe, the Middle East or Asia – have and continue to draft their own legislation.
Failing to prepare to meet these new compliance demands – as well as addressing any international cyberincidents that may arise – could open the door for increased costs, enforcement penalties and, perhaps worst of all, data exposure, experts say.
“As organizations move overseas, the regulatory environment and the implications become exponentially more complicated,” says Dave Howell, senior manager for compliance solutions at Bedford, Mass.-based RSA. “The key risk is understanding that when you build new facilities and data infrastructures in other regions, where does the data go?”
Conflicting laws
At Miami-based Interval International, a timeshare exchange network that has offices in 26 countries and more than 2,000 resorts in more than 150 countries, compliance can get tricky, says Chief Security Officer Sasan Hamidi.
For instance, Interval must respond to European Union (EU) laws that prohibit companies from storing data on residents for more than seven years. But here in the United States, Interval stores some data indefinitely out of convenience for customers who, for example, dispute a transaction, Hamidi says.
The EU also bans the storage of information on residents outside a member state's borders.
“You have to realize that as a corporation this means I can't have a centralized database,” says Tracy Hulver, vice president of product management at Edison, N.J.-based netForensics. “I can't have a distributed database and back it up centrally. You have to really map it out and understand what the mandates are saying.”
The EU also prohibits the transfer of certain data – such as ethnicity, health and arrest reports – outside its boundaries, McLaughlin says. While regulators are largely after a few bad seeds, large and reputable organizations are also targets.
Last spring, France's data protection agency fined a subsidiary of Tyco Healthcare €30,000 ($47,000) for illegally transferring employee data to the company's headquarters in the U.S. Experts considered this a warning shot that may foreshadow increased enforcement by overseas regulators.
“While a lot of this stuff flies under the radar, the wiser course of action is to at least know what the rules are and then determine how you're going to comply with them,” McLaughlin says. “If not, then you have a good story as to why you weren't compliant with those laws.”
Hamidi says global privacy regulations may not only rattle the company's pocketbook because of compliance costs or potential fines, it could impact sales as well. In the United States, Interval relies on software cookies to offer deals that many website visitors may want, such as a rental car. But in Europe, such a marketing tactic is illegal.
“We have to distinguish by the originating IP address so that we can give Europeans the option of opting out of the cookie,” he says. “That's keeping members from actually booking those things. So that's lost revenue.”
Plan of attack
When it comes to tackling international regulations, experts suggest assessing risk to prioritize where to expend efforts. That means taking into account the amount and type of data residing in a particular location, in addition to determining how robust the company's security posture is in that nation or region.
“You absolutely have to take a top-down approach,” says Gordon Burnes, vice president of marketing of OpenPages, a Waltham, Mass.-based provider of enterprise risk management. “Where are the regulations most stringent and where are the penalties the strongest for dealing with exposure of sensitive data?”
After the risk assessment, organizations should inventory and classify their data, specifically the information that is regulated, experts say. After all, that is what the criminals are after.
“If you start to build facilities in other geographies, you need to understand where in those geographies the data is going and what is the risk,” Howell says. “That's a really tough problem to solve.”
But when it comes to building a program, organizations should consider following a best practices framework, such as ISO (International Organization for Standardization) 27002. The standard speaks to 12 key areas of information security, including risk assessment, policy, physical safeguards, access control and incident response.
“By starting with a framework, such as ISO, you're able to put a program in place that will get you on the way to complying with all the regulations,” Howell says. “It's certainly not a cure-all, but it's a good place to start.”
In this vein, businesses should learn whether a common control can satisfy multiple requirements. The more variety an organization has in place, the more expensive meeting compliance will become.
“By treating compliance holistically as a program, rather than as individual projects, an organization can reap savings from more efficient governance and processes, decreased testing and documentation costs, and reduced capital allocations through rationalization of infrastructure that supports regulated activities,” Gartner analyst French Caldwell writes in a February research report.
To assist U.S.-based companies, the Department of Commerce oversees a safe harbor arrangement that allows organizations to comply with the EU directive. The EU approved the framework in 2000.
Companies must re-certify each year and pledge that they are meeting seven principles outlined in the directive, which includes only collecting information that is reasonably necessary. Opting into the program helps firms “avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities,” according to www.export.gov, a U.S. government services website.
Interval International, which also must be compliant to the Payment Card Industry standard as a Tier Two merchant that processes between one and six million annual credit card transactions, operates in more than two dozen countries, some outside of the EU.
But, Hamidi says, “We find that once we comply with the EU member states' legislation, that they are so tight that we automatically cover other legislations as well. Between the EU, the U.K. and California [SB-1386], we feel that when we deal with those three major legislations that we should be OK.”
Hamidi says American businesses should also have dedicated personnel sitting in their international offices who are aware of the local law and culture. As CSO, he tries to keep up with the latest international legislation, but will inevitably contact an attorney in Interval's London office to break down the law.
“We look at this legislation and try to take apart some of the provisions that could impact us,” he says.
Responding to incidents
Similar to Hamidi having a team of attorneys to help interpret guidelines, businesses are advised to make sure they have a group ready to respond in the event that a security breach affects one of its global properties. These individuals should be knowledgeable of the region's culture Siand help firms avoid any potential miscommunications due to language barriers.
“Companies need to make sure they have response plans in place so they're not drawing one up while they're getting attacked,” says Chris Painter, senior counsel to the assistant attorney of the criminal division at the U.S. Department of Justice. “The sooner you can come to law enforcement, we can take action.”
That means that prior to an incident, companies are encouraged to form relationships with local law enforcement, Painter says. In addition, businesses can turn to cross-border agencies, such as Interpol and the FBI, for assistance.
A number of other initiatives are in place to assist companies overseas on the investigation and enforcement end. Painter chairs the high-tech crimes subgroup of the G8, a group of nations making up the eight largest economies. The committee has established a 24-hour network of law enforcement contacts, comprising 50 countries, for use in cybercrime cases involving electronic evidence.
The participants can assist one another with data preservation and analysis, especially if a particular attack extends across borders. But companies also must keep in mind that, during investigations, laws may prevent them from transferring data. But companies also must keep legislation in mind when they try to make sense of what happened.
“One of the standard things you want when investigating a breach is to get the maximum amount of information so you can understand the complexity of that problem,” says Jim Hansen, executive vice president and COO of Mandiant, a security intelligence firm. “If you've got some you can't bring home with you because of privacy laws, it makes your work a little bit tougher.”
On the enforcement side, Painter's subcommittee is working diligently to ensure that countries have adequate laws for dealing with digital offenses – laws that will punish violators and also encourage cooperation.
One measure that is rooted in collaboration is the Council of Europe Convention on Cybercrime, which the United States entered in 2006. The convention is a legally binding treaty in which participants commit to standardizing laws and tools to defend against cybercrime, as well as cooperating to investigate incidents. Forty-three nations have signed the treaty.
This type of initiative is proof that the mindset is changing as corporations and governments attempt to ward off a sophisticated, evolving enemy. Such a change cannot happen if one does not adjust to the global landscape, which, like it or not, comes with rules and penalties.
“We don't have a U.S.-centric mind,” Hamidi says.
[Sidebar 1]
Help is here: Rules of the road
Many U.S.-based firms are understandably overwhelmed at the prospect of meeting compliance demands overseas, especially when it is still a struggle for some to respond to American legislation, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.
The good news is that many international mandates are based on U.S. laws. Still, the devil is in the details, and rules may differ from country to country or region to region.
Within Europe, where most U.S. subsidiaries are based and where the most stringent privacy laws are enforced, the European Commission has issued the Data Protection Directive, and each of the 27 member states are responsible for implementing these guidelines. Each nation, though, does it differently, says Peter McLaughlin, the former global privacy leader at Cardinal Health.
“If you're a decent size [U.S.] company doing business internationally, you most likely have a substantial data footprint in Europe,” he says.
Italy and Spain have delineated how companies must deploy access controls and encryption, whereas the U.K. has not, for example, McLaughlin says. Most European countries lack a data breach notification law, but even so, in the event of a breach, a firm likely violated a privacy regulation that will force the incident to become public. – Dan Kaplan
[Sidebar 2]
The Group of Eight: Global summit
The Group of Eight (G8) is an international forum made up of the governments of Canada, France, Germany, Italy, Japan, Russia, the United Kingdom and the United States. The group describes itself as “a club of leading industrialized countries, regularly meeting and consulting to enhance their friendship and synchronize their points of view as regards the major international economic and political issues.”
While these countries constitute around 14 percent of the world population, they represent about 65 percent of the world economy, not to mention three-quarters of the planet's military might.
The G8 summits normally deal with macroeconomic management, international trade and relations with developing countries. Topics discussed have also ranged from health, law enforcement and economic and social issues to terrorism and trade.
The next G8 summit will be taking place in Japan, July 7-9.
[Sidebar 3]
Trying to comply: Resources
Gartner's French Caldwell, in a Feb. 4 report titled “Which Regulations Apply to Me?,” says businesses can get a handle on IT security-related legislation through a number of free or pay services.
The best places to look are the regulatory databases:
- Unified Compliance Framework
- The Governance, Risk Management and Compliance Roundtable
- Privacy International
Additionally, certain industry associations or government affairs offices may be valuable sources of information. – DK
