Keeping management aware of legal liability
Feb 1, 2010
Managing the risk associated with new cyber laws will be one of the big challenges for multinational organizations in the next decade. Most countries now understand the need for cyber laws—laws and regulations that govern data privacy, information security, and IT-related internal controls. This should be good news for information security professionals. Unfortunately, every country implements laws slightly differently and with different implementation deadlines—which can make compliance very challenging.
Consider the UK: according to the recent article “Data losses to incur fines of up to £500,000” at BBC News, on Apr 6, a new rule will go into effect that will permit the Information Commissioner’s Office to issue fines of up to £500,000 for serious data security breaches. The current Information Commissioner, Christopher Graham, said in a press release that the new rules “are designed to act as a deterrent and to promote compliance with the Data Protection Act.”
New laws and regulations create a risk of legal non-compliance. Like the UK, many countries are specifying potentially high fines for non-compliance or for data security breaches caused by non-compliance. This can create “positive” pressure on senior managers to fund and support information security programs that are related to compliance. But this strategy only works if management is kept aware of the new laws. This is challenging for information security professionals, as most are not legal professionals.
I encourage most organizations to have a cyber legal review performed once a year, by legal professional(s) with cyber legal expertise in every country where they do business. The results of such a cyber legal review should be shared with senior management, as well as an assessment of the current cyber legal risk.
Additionally, every time I see an article about a new cyber law, I ask senior management—and the internal legal advisor—if they’re aware of the new law. To date, more than 50% of the time, there was a lack of awareness—typically followed by a new appreciation for the information security function.
—Jim Herbeck