The protection of the investment and creativity made in producing computer programs and databases by intellectual property rights is still not harmonised internationally. Taking into account that IT is used not only to produce these goods, but also to infringe their intellectual property rights, national laws nowadays also protect the so-called technological protection measures, such as passwords, encryption or copy-protection software, created to protect the intellectual property rights. Besides, IT must fulfill the privacy protection regulations currently in force and the companies using it must carry out the international auditing standards. But intellectual property rights cannot protect simple data and information, apart from the substantial investment made in either obtaining, verification, or presentation of data, by sui generis right over databases (or database right). This chapter examines and compares the current legislations of developed countries in order to find the characteristics -and the criticism- in common.
TopIntroduction: It Security Governance Legal Issues
With the development of new information and communication technologies new challenges but also new problems lie ahead. This chapter addresses the most relevant areas of intellectual property law in relation to IT and describes other legal issues regarding information security and data protection.
Nowadays, as a rule, intellectual property rights and information are the greatest corporate assets. Intellectual property rights cannot protect simple data and information, apart from the substantial investment made in either obtaining, verification or presentation of data, by sui generis right over databases (or database right). However, other specific laws and statutory agreements deal with protection of corporate information.
The term “information security” means protecting information and information systems -particularly, computer programs and databases- from unauthorized access, use or modification, in order to provide integrity, confidentiality and availability for its lawful users.
Why do we need a supra-national protection or, at least, some common worldwide standards in these fields? The answer, nowadays, is self-evident: in the current global marketable place, national borders do not exit any more in a practical way, so maintaining them in a formal, theoretical or legal perspective does not make any sense.
This chapter analyses whether this aim has been fulfilled or not and compares the currents methods available for the protection in order to find an adequate type and level of protection. Society's challenge is to find that adequate protection. The implications of under-protection or over-protection are both ill-fated. Left with insufficient protection, producers do nor invest for fear of free-riding. But too much protection can lead to monopolies abuses. Both scenarios are detrimental to society.
As we have seen in previous chapters, companies today face a global revolution in governance that directly affects their information and intellectual property rights management practices. Organisations are more and more dependent on their information systems and on their intellectual property capital. Regulators and the public are increasingly concerned about proper use of information, particularly personal data, and intellectual property rights. The threats to them from criminals are increasing. A single laptop lost or stolen from a firm compromised identifying information of hundreds or thousands of customers and employees. Given this situation, many companies are identifying information as an area of their operation that needs to be protected through corporate governance plans as part of their system of internal control.
History has demonstrated that improvements in governance and compliance typically come as a result of scandals. Following the high-profile organizational failures of the past decade, legislatures, statutory authorities, private international organizations and regulators have created a complex array of the new laws and binding agreements designed to force improvement in organizational governance, security and transparency. Coupled with previous regulations and pacts in these areas and intellectual property protection and information retention and privacy, these new laws and agreements, together with significant threats of information system disruptions from hackers and virus perpetrators create and unprecedented need for a governance approach to information management.
Nevertheless, most developing nations, where the majority of IT outsourcing occurs, have no national governance or policies related to IT security or privacy.
Finally, we have to take into account that many regulations follow the principle of territoriality -all of them, except the international treaties-, which means that those rules do not have extra-territorial effect abroad the country of its legislature. A similar principle is applied to private agreements -e.g. some of the agreements on the management and supervision of operational risk of the financial sector-, so only signatories or companies which want to profit from them are bound by these pacts (Goldstein, 2001; Gaster, 2006).
While there are global actions such as the Basel banking accords -issued by the Basel Committee On Banking Supervision- and the International Financial Reporting Standards -adopted by the International Accounting Standards Board-, emerging as global generally accepted accounting principles, the vast majority of actions will occur at a local level. However, the cumulative effect of these local actions, even though they seem insignificant, will be to improve GRC on a global level. In short, there is no such thing as an isolated event in improving GRC.