Personal data: Time to rethink our whole security approach?

Posted: May 15, 2012 at 9:11 pm



May 15, 2012, 1:17 AM PDT

Takeaway: Securing data simply by defending the network perimeter is no longer enough to satisfy the law. IT departments need to consider a different approach.

Attacks have shown that a perimeter-based strategy is not enough to meet the needs of most networks. Photo: Shutterstock

Protecting personal data is an emotive subject that's long been an issue for CIOs. It became an even bigger concern when UK data privacy watchdog the Information Commissioner's Office gained the power in 2010 to impose fines of up to £500,000 ($800,000) for breaching the Data Protection Act.

But breaches that affect commercially sensitive and secret information get less attention. That's surprising because such incidents can result in companies being sued for breach of contract and directors facing action for breaching their fiduciary duties.

UK data protection law is based on eight principles and requires companies to take appropriate technical and organisational measures to protect personal information.

Against that, the law of confidentiality, which applies to commercially sensitive or secret information, is a common law right based on precedent and has not been codified. Consequently, people tend not to understand it so well, although the principles are easily stated.

This approach to protecting confidential and personal information is logical. It allows the law to remain flexible and relevant despite rapid changes in the technology industry.

The result is that regulators and enforcers have to take a purposive approach, which may appear quite subjective, when they decide whether appropriate protection has been provided.

The trouble with this approach is that it is relatively easy to apply in retrospect but not so easy to use when drawing up requirements. Furthermore, rapid tech changes can make solutions that are satisfactory now seem totally inadequate in six months.
