It is said that before a tidal wave thunders onto shore, the horizon turns a rather attractive purple hue. This is Nature's way of telling us to grab something and hold on tight.
The warning signs are there for those of us sitting on the information security beach, too. There is a wall of legislation coming, and everyone is going to get wet.
As the national head of legal firm Morgan Cole's technology group, Bruce Potter is well placed to discuss the future of legislation and compliance. It is an area that terrifies the IT security sector as much as any other, and one that increasingly impinges on the day-to-day business of the IT security professional. From the Freedom of Information Act (FoIA) to Sarbanes-Oxley (SOX) and the UK Companies Bill, new legislation is arriving almost daily. So if anyone was hoping for a relaxed few months, they should probably look away now.
"Next year will be the year of the workaround," says Potter. "And if it all goes well, the year of the workaround will be followed by the decade of integration." Potter's vision is that firms can protect themselves from struggling year on year with compliance by implementing sensible and forward-thinking policies.
Initially, however, he offers an explanation as to why so much legislation is coming our way. And it begins with technology.
"Technology has been implemented for efficiency, rather than having security and social problems in mind," he says. "The internet has brought about a paradigm shift in communication between consumers and business, as well as citizens and Government. Legislation has to come in before technology gets too far ahead."
Potter sees this as a major problem for the IT security industry. The balance between pushing ahead with new developments and getting the tools in place to make those developments safe has long been a challenge. Legislation is catching up, specifically in the area of record keeping, and the whole manner in which industry deals with this matter is about to change.
"The key issues right now are the FoIA and the Data Protection Act (DPA)," says Potter. "The narrow effect of these is compliance. But the wider effect is bringing the whole issue of record-keeping into the mainstream."
The two acts have the potential to place a massive burden on the shoulders of IT professionals. But Potter contends that they are creating an environment in which record keeping is less reactive, and more part of the whole IT process. Once this environment is in place, he believes, compliance with future legislation will be far smoother.
Some would argue that this is going to be terribly expensive, perhaps cripplingly so. One Swiss insurance company, Winterthur, spent £23 million on compliance with SOX last year.
"The technology is there to make record-keeping automatic or semi-automatic," claims Potter. "Beyond set-up costs, you could argue that creation of the record can be relatively cheap. Of course, some will debate that."
The problem is that many companies are still a long way from basic compliance. The understanding of what data organisations need to hold is still not as far advanced as it should be. Over the next year, Potter expects regulatory and commercial pressure to enforce greater cooperation. In particular, he points to the DPA. "Core compliance of this act is embryonic. This will only really grow if the environment changes, which it will have to," he says.
If companies do manage to get in line with current legislation, or even if they don't, they can still expect a plethora of new acts and bills just around the corner. Only last month, Prime Minister Tony Blair gave a speech about the protection of children as part of the new UK gambling legislation.
"Gambling, children and pornography are on the agenda," says Potter. "But you can only really impart online management of these areas with verification of identity, and we are certainly miles away from that."
It appears that the industry has been caught a little on the hop with the scale of this problem. In response, many firms are scrambling to redress the balance. "These are the two main focuses at the moment. As well as record-keeping, you have the protection of exposed and vulnerable groups," says Potter.
These regulatory efforts won't be without their hiccups. Certainly, in the area of pornography, there is a very difficult line to draw.
What is the difference between soft and hardcore? And how do you stop children surfing the web?
More importantly, without advanced verification methods, who should manage content responsibility?
"The dangerously easy answer is ISPs. They are the only ones with the power to apply even standards of taste and conduct," says Potter. "The problem is that neither users nor ISPs want to pay for that. And ethically, no one likes the 'big brother' situation."
The implication is that although new legislation is on its way, its exact format is unclear. Certainly, IT can expect new rules, but it cannot expect the implementation of those rules to be smooth.
Perhaps the best example of this is the FoIA, which is due to come into law next month. It contains various exemptions that might confuse those trying to implement it. "Confidentiality versus security is an issue," says Potter.
"Remember those elderly gas customers who had their supply cut off [for non-payment]? British Gas said that it was unable to inform Social Services because of data protection issues."
Such problems are not going to stop the legislation coming, despite their scale. But Potter sees a challenge not just for companies aiming for compliance, but for legislators, too.
"The test is to get regulations enforced that are sufficiently adaptable to new technologies, like the use of instant messaging in the financial sector to record transactions," says Potter.
It is because of these new technologies that Potter thinks that 2005 will be crucial for compliance. Without an immediate shift from both business and legislators, the gap between technology and safety will become too large. "It really is the last chance," he explains.
But it is not just legislation that has to play catch-up. The whole legal fraternity is only just beginning to understand technology. In the same way that IT experts are forced to understand new legislation, legal experts have to close the gap in their understanding of IT.
"I don't think that lawyers and those advising on legal ramifications have enough awareness. Partly, this comes down to the sheer novelty of judicial exposure to IT," says Potter.
"There will be those who increasingly specialise – the law has always played catch-up in this way – but I think it's a very awkward area, particularly for juries," he continues.
Of course, some legal teams are well versed in IT. The National Hi-Tech Crime Unit (NHTCU) keeps its finger on the national pulse, but Potter argues that this sophistication needs to be more widespread. "The NHTCU is very able, but overwhelmed. Regional specialists would be able to provide a better service," he says.
Globally, the NHTCU has helped achieve a spate of recent convictions for computer-related crime. It is this worldwide picture, created by the internet, that Potter says will cause the biggest compliance headache.
"Organisations are forced to look in two directions at the same time. Incompatible legislation occurs when it is drawn up under different legislative conditions. Look at SOX and any given EC regulation. How do you make the choice between the two?" he asks.
So it is really not an easy life, sitting on that beach. Over the next year, there is going to be plenty of water headed our way. But Potter's message is that companies can provide themselves with a little protection, if they just get the right processes in place. And although it will not stop that tidal wave coming, it might just keep them dry. As he often says: "The time is now."