Europe’s Data Security Laws

From ON Magazine

By Jason M. Rubin

Stewart Room is a partner in the Technology Law Group of Field Fisher Waterhouse, one of Europe's largest IT law firms. Photograph by Jonathan Worth

In retrospect, it was the proverbial straw that broke the camel's back.

In November 2007, the U.K.'s HM Revenue & Customs (HMRC) service lost two unencrypted disks containing backup data. It wasn't just any data: It was benefit data for 25 million children, including their names, birth dates, and bank details. The public response was swift and merciless, sparked by fears that children had been put at risk. Prime Minister Gordon Brown apologized to the British people, and legislators and regulators scrambled to outdo each other in strengthening data protection laws.

Unleashing a torrent of laws and regulations

Stewart Room, one of the U.K.'s top IT lawyers, calls the HMRC incident a watershed moment that has "radicalized" data security laws in the U.K. and led to a regulatory approach that he describes as activist and interventionist. "In the last two years, there has been a torrent of legal changes," says Room, "along with a willingness by regulators to enforce against the biggest, richest, and most powerful organizations in the country."

Taking advantage of the political climate, the Information Commissioner won new powers: to impose jail sentences for certain kinds of data theft and severe fines for security breaches; to carry out spot checks on public sector organizations; and to require disclosure of data breaches.

"Regulators have also developed a legal framework that requires organizations to implement privacy-enhancing technologies (PETs)," says Room. "For example, failure to encrypt portable media will be regarded as a breach of the law. Regulators have already taken enforcement action in this area. The Financial Authority fined the Nationwide Building Society 980,000 pounds ($1.4 million USD) for loss of a laptop that was unencrypted." Another initiative, the Data Handling Review, compels public sector organizations to rebuild their data handling procedures, infrastructure, and technologies.

A change from out of the blue

This transformation has happened "at lightning speed," says Room. "I've practiced law for 17 years. And if you said to me in early 2007 that we would build the legal framework we are seeing today, I'd say, 'That's ridiculous. It will take at least 10 years.'"

A similar acceleration is occurring in the European Union. For example, the proposed amendment to a 2002 privacy directive imposes a breach notification requirement on telecommunications service providers and ISPs and is expected to be in force in 2010.

Putting executives on notice

What does it all mean? "In the future, executives at the board level will have to seriously consider whether the budget they have allocated to security is adequate," says Room. "They may face decisions about whether to spend resources on marketing, new staff, and bonuses versus increasing the security budget to bolster data protection. A board member or CISO may be found to be personally negligent, and perhaps criminally negligent, for not taking adequate security precautions."

Companies that do business in Europe are wrestling with how to respond to these changes. One area where they need to take action is in implementing privacy-enhancing technology that protects private information or helps an organization comply with data protection principles. "The dilemma for purchasers is that there is no legally accepted definition," Room explains. "Vendors can say that any product is a PET, but there is no third-party verification regime."

In March, Room and RSA Security President Art Coviello made a presentation to the European Union in Brussels, advocating for the PET agenda to be moved forward so organizations have more clarity in this area. Room notes that RSA, The Security Division of EMC, offers many products that are likely to meet whatever definition of PET is adopted. He cites solutions for encryption, strong user authentication, data discovery, data loss prevention (DLP), and security information and event management (SIEM).

The evidence is there in the logs

In fact, the emerging legal framework contains many provisions that point to the need for SIEM technology to manage IP event logs. "Every action that takes place in an enterprise network generates event log files, whether it's turning on a PC, sending or receiving an e-mail, or an attempt to penetrate a firewall," Room explains. "A large network can create billions of log files a week. Being able to sift through and analyze all that data can reveal a lot of interesting truths about security and compliance."

He also believes that SIEM technology will play a growing role as an evidentiary tool in civil and criminal litigation, helping to identify what happened, when, and who was involved.

"There were plenty of court cases over the years where I wished we had some kind of technology that kept logs," says Room. "In many instances, I think prosecuting authorities would have had more success convicting data thieves and other cybercriminals had SIEM technology been installed on the victims' systems."

Making security recession-proof

In today's faltering economy, Room advises client organizations to develop a security strategy that is recession-proof.

Major areas of risk include:

  • Laid-off workers who take portable devices containing customer data, intellectual property, and other confidential information.
  • Mergers, acquisitions, and restructurings, which create uncertainty and lead to gaps in security technologies, policies, and processes.
  • The combination of increased fraud and reduced spending on security, which increases vulnerability to breaches and insider abuse.

Another issue on the horizon is the U.S. Patriot Act, which effectively opens up all data to U.S. government scrutiny. "Government and regulatory bodies here are just starting to focus on it," says Room. "One possible result is that European businesses will become reluctant to work with U.S. companies."

Despite significant discrepancies between the legal and regulatory environments in the U.S., Europe, and other regions, the trend is toward convergence, says Room. "There are already many commonalities in the areas of intellectual property and cyber crime. Global organizations need to take advantage of these commonalities while heeding national nuances and differences."
