Stiff fines await boards

Company boards face a minefield of legal responsibility under the new data protection laws, especially when outsourcing security, a panel of industry experts warned.

Speaking at a debate on the future of internet security in London, security experts, lawyers and analysts said companies needed coherent and comprehensive security policies which were enforced, or face stiff fines.

"If a policy is going to mean anything at all, someone has to be accountable for it," said Mike Awford, UK channel operations manager for security specialist RSA. "At the end of the day, ownership belongs with the board."

James Davis, a director at analyst group Gartner, agreed. "The chief information security officer is a new role emerging in modern businesses, like that of a risk officer, answerable to the CEO," he said.

"Total security is impossible, but there must be a policy, someone responsible for it, and it must comply with industry standard BS 7799."

According to Mark Smith, a solicitor at law firm Morgan-Cole, the Data Protection Act is set to shape the security market in the coming months.

"IT managers will be required to show that they have taken adequate steps to protect their own and their customers' data," he said.

"Directors need a lot more diligence, particularly when outsourcing. Here they must be more creative over sharing risk with their hosts according to their service level agreement [SLA]. The contact will become more and more key."

Davis said that companies must remember that security is a process, not a product. "It's not about technology, it's about governance," he said.