Home > All, Politics, Security Issues > EU compliance – why bother?

EU compliance – why bother?

February 12, 2013 Leave a comment Go to comments

Compliance – at least European regulatory compliance – bothers me. Whenever I speak to a security expert, those concerns are allayed for just so long as we talk; and then they come back again.

The problem is that Europe passes principle-based legislation (the US is more likely to pass rule-based legislation). The former tells you what must be achieved (the principle), while the latter tells you how it must be done (the rules).

The European Data Protection Directive is a perfect example of principle-based legislation. It says that personal information must be held securely; but it doesn’t tell you how it should be done.

Here’s my problem. Data that hasn’t been lost or stolen has, de facto, been held securely and the company is in compliance – even if it spends nothing on compliance. Data that has been lost or stolen has not, de jure, been held securely and the company fails compliance even if it has spent many ££millions on compliance. The existence or lack of infosecurity defences is irrelevant: if you lose that data, then you are in breach of the act; if you do not lose the data then you are not in breach of the act.

I’m not interested in claims that proof you spent money on security will make the ICO (a marketing man, mark you – not a lawyer) go easy on you. That’s just marketing dross to hide the underlying contradiction.

What I want to know is quite simple. How can it possibly be right to frame a law that states someone who tries to comply can fail compliance, while someone who ignores compliance can be compliant? The result is that there is no logical reason to spend money on securing personal data – just hope you don’t get hacked. This is aggravated by the common and growing perception that if you get targeted, you will get breached. So if you get targeted, you will have failed compliance whether you try to comply or not. Why bother?

Categories: All, Politics, Security Issues
  1. Matthieu Wiedenhoff
    February 13, 2013 at 8:10 am

    Hi Kevin,

    I don’t totally agree with you.
    At least in France (and I think in most of roman-law countries), it exists two levels of legal obligation :
    – achieving the result (“obligation de résultat” in french): if you fail to achieve the result , you are liable (e.g. : a train has the obligation to take you from point A to point B without harming you).
    – do your best (“obligation de moyens”) : you have to take all reasonnable steps in order to fullfill your obligation. It concerns the means, not the outcome (a doctor can’t cure everything, but ha has to do his best).

    Everybody agrees that it’s impossible to have a compeltely-secured system. So this obligation falls under the second category. If you have a state-of-the-art infosec system, you can’t be held liable if someone breaches in your data.


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s