news

In Brief

New recruits to Liberty
The Liberty Alliance, the Web services identity standards consortium, has welcomed seven new members on board, including Adobe and Telewest Broadband. The Alliance now has more than 150 companies, non-profit and government organizations from around the globe, developing a standard for non-device-specific federated network identity.

Internet fraud 0 – Brazilian Police – 50
In a country famous for football, samba and now Internet fraud, the Brazilian police scored a major victory last week. More than 50 people were arrested for planting a virus on their compatriots' PCs that enabled them to store details of bank accounts, eventually stealing more than $30m.

EBay virus prowls with new packer
A virus claiming to be sent from the auction giant EBay has stored itself using a packer that anti-virus firms may not be prepared for. Unseen in previous viruses, the W32/myfip virus could get through existing antivirus programs. So far there has not been an excessive number of infections.

IT security directors under jail threat
Brian McKenna
Information security directors need to pay close attention to emerging US and EU corporate governance and privacy legislation in order to stay out of prison, security experts warned at the end of last month. Speakers at the SecurIT summit in Montreux, Switzerland told delegates to look beyond network security and cotton on to a perilous new legal environment. In an entertaining tour de force, Michael Colao, Director of Information Management at investment bank Dresdner Kleinwort Wasserstein, said: "Two years ago CIOs and CSOs did not need to worry about the law; now there are regulations being imposed on them that hold them personally liable". UK data protection legislation set the European scene by stipulating that companies take 'appropriate technical and organizational measures' to safeguard information. This lead has been extended across Europe in ways that will challenge security heads for years to come. Italy's data protection act entails a training element, and runs to a book length of "excruciating detail", Colao complained. And the tendency of local law, like the Italian regime and California's SB 1386, to turn global, forcing global companies to declare data privacy leaks, ups the stakes significantly, he added. For instance, the Disciplinario Tecnico in the Italian legislation requires all companies whose business bears an effect on the country to clear out dormant accounts every six months. The penalty? Three years in jail.

ISSN: 1361-3723/04 © 2004 Elsevier Ltd. All rights reserved.
MS had to change its internal security policy because of Italian DPA

Microsoft has had to change its internal global security policy because of the Italian DPA, he said. Colao also slammed recent anti-spam legislation that defines the phenomenon as 'unsolicited commercial detail'. Legitimate email has to require 'prior consent' from the recipient. "This is bad law", he said. "Proving prior consent is very difficult. We just don't know what the enforcement posture of this legislation will be, but one thing is for sure: it won't deter spammers". The Belgian penalty for spamming is set at a hefty 250,000 Euros. Meanwhile, Agne Lindberg, a partner at the Delphi law firm in Sweden, advised SecurIT delegates that the EU Decision on cybercrime of 20 June 2003, currently stuck in the European Parliament, will raise the bar on company liability. Sanctions against companies whose networks get used for cybercriminal activity will be significant: "you will need very tight controls; policies won't be enough", he said. He also cautioned delegates to pay close attention to the legal implications of offshoring. "India, as an example, has peculiar legislation that has a wide fair use licence". Software developed under contract belongs to the on-shore company for five years only, for instance. Colao echoed Lindberg. "You can outsource IT, but you can't outsource legal liability," he said.