Regulatory, Legal, and Governmental Developments
If you have met an IT vendor in the last 4 years, you will have heard of the Sarbanes-Oxley Act, or "Sarbox". You will have heard that it is a reason to upgrade software and hardware while retaining the services of an army of consultants. IT security vendors have a strong attachment to the word Sarbox, and it is easy to see why: on average, US public companies spent $4.3m on compliance with section 404 of the act, 62% more than they initially anticipated. Many UK companies with a US stock market listing (e.g. COLT Telecom and Cable & Wireless) even chose to abandon their US listing in order to avoid these costs. The deadline for compliance of foreign companies with US listings is July 2006. Sarbox applies to US companies and to non-US companies with a significant number of US shareholders; there are about 110 such UK firms. The legislation is focused on the accuracy of financial reporting data. IT security is involved only to the extent that it ensures the reliability and integrity of that reporting: financial data is stored on computers, and IT needs to do its part to make sure that data is reliable.
UK companies have previously been subject to greater audit requirements than their US peers. However, there have been recent changes in UK and European legislation which further tighten data retention and audited records in a manner similar to Sarbox. For those new to the world of compliance, here is an introduction to the most relevant legislation.
UK Companies (Audit, Investigations and Community Enterprise) Act
Revised October 2005, this act imposes measures on firms to ensure that data relating to trades, transactions and accounting practices throughout the organisation is auditable. www.dti.gov.uk
UK Data Protection Act
Last revised July 1998, this act governs the processing and storage of personal data. www.opsi.gov.uk
EU Data Privacy Directive
This requires that personal data be given appropriate security. It poses problems for those wishing to store customer data in the US, as the EU regards the US as having inadequate privacy protection.
EU Directive on Privacy and Electronic Communications