It’s one of those things that European-based information security consultants must ask themselves at times: why isn’t my phone ringing off the hook for DLP solutions if the European data protection directives are so clear on the requirement to protect privacy?
The central guideline is the EU Data Protection Directive (95/46/EC), and reading the law, we begin to get an answer to our dilemma.
First, there are fundamental differences in approach between the US (an industry-centric, sectoral regulatory approach) and the EU (a personal, privacy-centric approach). The US loves technology solutions, and the Europeans prefer policy, procedure and discipline.
Second, the current round of DLP technologies (mostly US-developed and highly tuned to the US regulatory environment) may not always be a good fit for an EU-based company.
A perusal of the law shows that current DLP technologies add marginal value to six of the seven OECD privacy principles (Notice, Purpose, Consent, Disclosure, Access and Accountability); those six are governance obligations that no content-inspection product can discharge on its own. Only the seventh, Security, is a natural fit for the technology.
- Notice—data subjects should be given notice when their data is being collected;
- Purpose—data should only be used for the purpose stated and not for any other purposes;
- Consent—data should not be disclosed without the data subject’s consent;
- Security—collected data should be kept secure from any potential abuses;
- Disclosure—data subjects should be informed as to who is collecting their data;
- Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.
The security requirement is the sweet spot for DLP, but with the exception of Fidelis XPS and McAfee Reconnex, most DLP products focus on data leaving the organizational network and not on data being abused inside the organizational network. (There are solid technology reasons behind this which are beyond the scope of this post.) Note too that the McAfee reseller channel knows how to sell anti-virus products, while Fidelis is focused on selling network DLP to the US defense market, suggesting that there may also be channel constraints on the distribution of DLP products in Europe.
However, the key challenges to DLP technology adoption in Europe are at the management level, and they are three-fold:
Lack of a “DLP strategy”. This is out of my personal experience in Central Europe and also based on data from a seminar run by the Forrester group in Amsterdam last year, where 90% of the CTOs who participated said they had no plans to implement DLP in 2010. With the current economic environment, weakening of the Euro and drop in IT funding, I am not seeing any change of direction. Conversations with security product distributors in France and Germany confirm that the EU market is still focused on firewall/IPS and anti-virus.
Lack of business justification. If you don’t monitor outbound traffic, you have no measured incident rate and therefore no way of knowing whether you have a problem. Since EU privacy and employment law sharply restrict monitoring of employees’ outbound traffic, European companies by definition do not know if they have issues, and a DLP project has no baseline numbers to justify its budget.
The challenge of global implementations. There are few DLP implementations that span multiple, geographically diverse network domains. One case I am familiar with is GSK (GlaxoSmithKline). Verdasys and Fidelis cut a deal with the CIO of GSK in Boston for a global DLP deployment of the Verdasys agent plus Fidelis XPS gateway solutions, and to the best of my knowledge the European implementation is stalled. There are numerous reasons why a global IT implementation will stall, all of which are exacerbated by data security and compliance issues: consider the challenges of budget, organizational politics, local regulation, local management culture, local legal opinions, local IT suppliers and local IT outsourcing services. Any one of these can be a barrier to the local implementation of a head-office-sanctioned, CIO-office-designed project.
In summary, instead of looking for global or pan-European solutions, perhaps we would be better served by viewing DLP as a Swiss army knife, highly suited to particular applications and local requirements. More about that in an upcoming post.