Ian Rickwood discusses the conflict between the compliance-driven need for data retention, security, and data protection demands, and advocates a less bureaucratic approach

Organisations around the world are faced with conflicting local requirements to demonstrate that their systems are secure while also retaining records for days, months or years, in case regulators or law enforcement wish access. The result can be costly exercises in audit and compliance that merely create vulnerabilities that did not previously exist. Moreover, recent incidents involving the theft of information, either to support piracy or fraud, indicate widespread problems with corporate information security. Further, consumer research indicates that fears over security are now a serious barrier to confidence in using the internet for high value transactions.

There are two broad strategic responses to these challenges. The first, and by far the most common, is to treat legislative requirements as a constraint and bolt new 'compliance' routines onto existing systems. The second is to recognise that the on-line world has undergone a sea change over the past couple of years as criminals have discovered the opportunities on offer, review how the organisation really wishes to do business in this new climate, including how it decides whom it trusts, and start to re-engineer the business processes, as well as the use of technology.

Calling in consultants and bolting on additional layers of security and compliance may appear cheaper in the short term, but commonly does little to address fundamental weaknesses and may well open up new vulnerabilities.

The largest fraud in recent years was organised by the compliance officer of a merchant bank: he was in a unique position to cross the security boundaries that had previously prevented such a fraud, as well as to ensure that it would not be detected by any current or proposed internal or external reporting or audit routine.

Complexity begets complexity

A prime reason for the cost of compliance is the complexity of the processes to be audited, much of it irrelevant to mainstream business operations.

In addition, the tendency to centralise all the business eggs in one heavily fortified basket may make things easier to audit, but commonly increases overall vulnerability. Once they had broken the enigma codes for the day, the code breakers of Bletchley Park could read all the relevant German communications. By contrast, the Special Operations Executive was riddled with traitors, but its communications remained remarkably secure, because the codes were personal between a controller and a small group of agents.

Recently, the National Hi-Tech Crime unit (NHTCU) e-crime congress used a case study where criminals had gained access to the whole of an organisation's files because a senior finance executive, following all its security procedures, had used a laptop for remote working from an unsecured wireless hotspot.

The consultant running the case study had recently been auditing security in a large multinational. Few of its wireless LANs, even in head office, were secure, and they were not aware of the consequences.

Hence the de-perimeterisation, alias 'defence in depth', approach of the Jericho Group - which comprises approximately 70 heads of security from the world's largest users. This means having internal systems separately secured and all access facilities closed, both internally and externally, unless actively required for business. This is a reversal of the any-to-any technology-driven approach promoted during the dotcom boom, but how many organisations really do want to do unlimited business with someone they have never met?

Many organisations have been too obsessed with the desire to produce systems that were easy to use, with security as a bolt-on extra. Only recently have the questions of compliance officers and auditors made them aware that making corporate information available on-line to salesmen and senior staff who are on the move, and allowing customers to transact on-line, may well make such information equally available to competitors and criminals.

How retention and protection conflict

The questions of those compliance officers and auditors may be useful, but they are triggered by a slew of semi-incompatible demands, mainly from national sector regulators in the name of consumer or investor protection, but also from law enforcement agencies. Typically, these are demands to:

- retain financial data for possible tax investigations (commonly for around seven years)
- retain information to support financial transactions for possible regulatory investigations (requirements vary significantly so it is usually easiest to follow the same practices as for tax purposes)
- retain data on employee/customer communications and transactions for possible law enforcement, regulatory, benefits and other government investigations (often unspecified or 'voluntary', with international standardisation justified by the war against terror)
- give access to stored data (including copies of e-mails and records of phone calls), under a wide variety of law enforcement and regulatory legislation
- protect or delete personal information, unless required for specified purposes, with a wide variety of loopholes for access by government agencies
- ban government agencies from sharing information unless expressly permitted
- require government agencies to share information in the public interest
- require government agencies and their suppliers to provide access (usually under freedom of information legislation) to stored information (unless exempted).

Failure to comply with such demands can result in private sector organisations being put out of business. The challenge is therefore to apply systems thinking to enable cost-effective compliance with whatever is required, while acting in the best interests of the organisation, its employers and its customers.

Demands and needs

Much data is demanded by government agencies 'in case', because they do not know what they may need. Thus some years ago, to avoid a particular tax avoidance risk, the UK Inland Revenue demanded 'Form 42' returns of share issues. Complaints from the financial industry that this would not address the problem were ignored. No routine had been set up to handle the forms, so they were to be returned to a specified room at the Somerset House records office. Some years later this room was full, and no-one had done anything with the forms. Were they finally shredded during the run-up to the freedom of information legislation? Or are they still being collected and archived for posterity?

A more recent example concerns suspected money laundering, reported by fax because e-mail is 'insecure'. The reports are commonly photocopied from spreadsheets onto forms printed from Adobe for faxing. Some organisations report any transaction that could possibly be money laundering (99.9 % of which are not). Others report only those that they believe cannot be anything else. One of the latter organisations reports an average of one multi-million pound incident a month. None of its reports has been acknowledged, let alone investigated. The team handling the reports is swamped and unable to cope.

Debate over the retention of communications data (phone calls, text messages and e-mails) has a similarly surreal quality. The law enforcement agencies lack the resources and skills to handle, let alone analyse, more than a minute fraction of the potential digital evidence they already receive, but are asking for mountains more to be retained. A recent paper by European Information Society Group (EURIM - Education and awareness campaigns could do more harm than good unless accompanied by such routines.'

That conclusion also applies to regulators like the Financial Services Authority, but in addition needs to be conveyed to those planning the internal compliance routines of large organisations.

The way forward

The way forward is deceptively easy to state; it is not so easy to implement.

The task is to make it easy to follow good practice in an environment policed by bureaucrats. That means front line governance procedures that meet the needs of the business and its customers and are simple, transparent and capable of being followed by ordinary human beings - while at the same time securely recording and archiving everything that any regulator might ever want, in such a way that you cannot be accused of non-compliance.

Marketing-led organisations should also use the opportunity to improve customer relations, validate files, share costs and be seen to be actively assisting the process of bringing law and order to the on-line world.

Data protection: a customer service?

Many of the web or e-mail based marketing practices of the dotcom era are now viewed with extreme caution by consumers. Who clicks on links in e-mails other than from those they know well? Even then, how many hesitate?

How many have reduced the amounts in their internet bank accounts for fear of falling victim to phishing? Increasing numbers of high value customers now wish to transact without the use of cookies, let alone more active and complex agent software. Many wish for the ability to look up their account but not to transact, other than by fax, mail, phone or UK-issued credit card (with the risk falling on the merchant or the issuer). Whether or not these are rational responses, businesses need to respond.

Data protection needs to operate across all channels. The training of those manning call centres needs to begin with how to politely check that the caller is entitled to the information - just as those receiving phone calls or visits from what claims to be their bank or a government department need to be able to verify the caller. But the UK government still almost totally neglects this. The idea, first put forward by the Institute for the Management of Information Systems (IMIS) in its response to Michael Howard's consultation on ID cards, that these cards should be piloted by supposed law enforcement or agency staff claiming access to your business or its records, appears to be anathema to many government departments.

Need for practical guidance

No organisational data protection policy has practical meaning unless and until all staff have clear guidance as to whom they can and should pass information to, how to identify them, and who to call when in doubt.

The diagram from the EURIM website, produced with the support of Experian, (which as a credit reference agency has to take such matters very seriously), summarises the processes necessary to back up such guidance. Once the processes are in place, enquiries for access under data protection or other legislation can, and should, be used as a most cost effective part of file cleaning and update.

While data is live (ie of value to the business or its customers and actively managed), law enforcement agencies and regulators should be routed to the organisation's security team, who will help them find what they want. They should not merely be given copies of files which they cannot access or understand without the expert advice they rarely have. In an ideal world that means that the security team are themselves accredited by law enforcement, work to common standards and are capable of full participation in a two-way cooperation. To this end IMIS is an active participant in the EURIM - IPPR (Institute for Public Policy Research) e-crime study.

But until then we have a problem. The main beneficiaries of current government and regulatory approaches, even more than the computer storage and archive suppliers, have been the owners of disused mine shafts and railway tunnels.

With a steel door and guard service, an industrial left-over becomes a revenue earning data storage vault.

- Ian Rickwood is chief executive, Institute for the Management of Information Systems (IMIS), Tel: 0700 00 23456, E-mail : ian.rickwood@imis.orguk


PricewaterhouseCoopers' 2005 global CEO survey looked at how CEOs view governance, risk management and compliance (GRC).

- Very few CEOs (7%) view GRC as related solely to laws and regulations, and a majority (54%) consider GRC to be an integrated set of concepts and practices. Yet, only 25% state that they are managing GRC effectively.
- While a majority of CEOs are very confident that their organisations can respond to GRC matters related to domestic laws and regulations (68%) and to internal policies and procedures in domestic business units (57%), only 26% are very confident that their organisations can respond to similar matters related to foreign laws and regulations and only 24% to matters related to internal policies and procedures in foreign business units.
- The CEOs indicate that, in varying stages of development, eight significant elements of effective GRC are in place at their organisations. However, when asked about full development of these elements, responses ranged from a high of only 53% to a low of 22%.
- In high numbers, the CEOs credit GRC with having a major, positive effect on legal liabilities (64%) and on reputation and brand (56%). However, they perceive other benefits less clearly.
- While many CEOs say that they adequately address stakeholders' concerns that are based on clear-cut legal requirements, fewer feel the same level of comfort with other constituents, whose expectations are more ambiguous.
- Fifty-eight percent of the CEOs indicate that GRC expenditures are primarily an investment; 38% view them as a cost. Only 17% of all CEOs state that they can very accurately measure GRC costs.
- The 25%of CEOs who state that they are managing GRC effectively have an advantage over their peers in perceiving GRC benefits and in responding to stakeholders' GRC concerns. Advantages are also evident when the organisation and collection of GRC information are fully automated.


IMIS has been conducting a survey into the effectiveness of corporate policies and the current cost of compliance in the UK.

Although legislation currently only affects organisations in the UK in a relatively limited way, corporate governance legislation is set to become the norm in Europe within the next few years. The IMIS survey aims to show how organisations view the value of policies, show how they are implemented and managed, and how organisations view the importance of compliance.