Chapter 10: Leveraging Regulatory Compliance – Selling Information Security to the Board


A well-prepared, well-organised, trusted adviser is likely to gain an audience from senior managers to talk through proposals for enabling the organisation to outperform its competitors, while removing non-compliance risk to the bottom line.

Identify a relevant law or regulation that has IT-related compliance requirements: the UK’s Data Protection Act (‘DPA’), HIPAA and GLBA in the United States, PIPEDA in Canada, and so on. Identify the gaps between your current actual practice and what the law requires you to do, focusing on the bigger issues, the areas of non-compliance which are likely to trigger the bigger problems. Under the UK’s DPA, for instance, the absence of a Fair Processing Notice on all websites is likely to be less of a risk than the absence of FIPS 140-2 validated encryption on all mobile devices that carry personal data. Identify what you would have to do in order to reduce the risk of a breach to an acceptable level (and, remember, an acceptable level is unlikely to be one of zero risk) and work out the cost, in both capital and revenue terms. Identify and approximately cost any disruptions there might be to the organisation while the solution is rolled out. Rework your proposed solution until its costs are below the likely level of a penalty, plus damages, plus brand value diminution.

Now you can create a proposal for positioning your organisation ahead of its competitors, in terms of it being a safer supplier to its customers as a result of meeting the core requirements of a key law, as well as reducing potential damage to the bottom line, at a cost significantly lower than the damage your solution helps avoid.

Such a proposal, in the UK, would benefit from making your board allies aware of the problem some time ahead of providing them with a solution. This means collecting data. Here is some relevant information about UK data breaches:

  • 391 incidents reported to the Information Commissioner’s Office (‘ICO’) in the first quarter of 2015.
  • 119 of these incidents were the result of theft of unencrypted laptops, computer discs, memory sticks or paperwork.
  • 144 of these incidents were the result of ‘mistakes’.
  • 90 incidents were enigmatically described as ‘Other principle 7 failure’, which includes failure to password-protect emails containing personal information, processing personal data on non-business computers, and so on.

You might also want to make your board aware of the ICO’s official powers. The ICO can:

  • conduct assessments to check organisations are complying with the Act.6
  • serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period.
  • serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
  • prosecute those who commit criminal offences under the Act.
  • conduct audits to assess whether the organisation’s processing of personal data follows good practice.
  • levy fines in respect of breaches.

Of course, you would want to make clear that the ICO, at the moment, does not have sufficient resources to fully take advantage of its powers and that it is therefore much more selective in how it goes about its job. More importantly, though, you would want to draw your board’s attention to the last item in the list above: the power to levy fines. With effect from 6 April 2010, the ICO has had the power to impose substantial fines, up to a maximum of £500,000, on organisations that ‘deliberately’ or ‘recklessly’ commit serious breaches of the DPA. It would probably also be worth pointing out that something characterised as a ‘deliberate or reckless breach’ of the DPA is likely also to impact on executive careers, as well as the corporate bottom line.

This power will be expanded under the EU General Data Protection Regulation (GDPR). Draft texts debated fines of up to €100 million or 5% of turnover; the adopted Regulation allows the ICO, as the supervisory authority, to levy fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. While it’s hard to say that the ICO is toothless, the GDPR will certainly provide it with the power to impose much more notable penalties.

Under the current law, the ICO has provided explicit guidance on how it uses its power to levy fines. It will impose a monetary penalty if:

  • a data controller has seriously contravened the data protection principles.
  • the contravention was of a kind likely to cause substantial damage or substantial distress.
  • the contravention was either deliberate, or the data controller knew, or ought to have known, that there was a risk that a contravention would occur.
  • the data controller failed to take reasonable steps to prevent it.

The ICO has also said that:

Its power will be used as both a sanction and a deterrent against non-compliance with the statutory requirements.

The words that should worry any senior executive are: ‘or ought to have known’ and ‘failed to take reasonable steps’. From the point at which you draw the board’s attention to weaknesses in your DPA compliance regime, weaknesses that indicate a serious contravention of the principles and which could cause substantial damage or distress, the board is ‘on notice’ that it has a problem that must be addressed. Failure to address it could lead to a significant corporate fine, negative bottom-line impact, bonus reductions and, possibly, career damage for individual executives.

You have a proposal to put forward, which (fully costed) will cost the organisation less than it might otherwise lose in fines and other damages, and which would enable the organisation to present itself in a positive light to its customers, employees and suppliers.

6 Data security incident trends,