The International Chamber of Commerce (ICC) says changes in the number, nature and content of ICT-related legal requirements since the mid-1990s have left many businesses wallowing in a complex "compliance matrix". And it is urging governments to adopt a set of principles to help avoid laws regulating business information systems from becoming too cumbersome and potentially counter-productive.
The ICC says terrorist attacks, accelerating globalization, a wave of corporate scandals, and the dramatic growth in business-to-business Internet transactions have caused a steep rise in the number of laws requiring businesses to beef up controls in their IT systems and automated processes.
The problems for business are compounded because the numerous "information compliance" rules on everything from tax, labour, environment, corporate governance, money laundering, data privacy, consumer protection, supply chain traceability to e-contracting require different safeguards using different terminology. Dissimilar approaches in regional, national, provincial and state laws compound the difficulties.
"Most companies do not have the resources to monitor, analyze and maintain compliance with all these different requirements. Better consultation between governments and the business community could turn today's burdensome situation into something which could promote greater compliance and business efficiency," says Christian van der Valk, compliance vice president of TrustWeaver, and co-chair of ICC's Task Force on Security and Authentication.
In a statement, the ICC noted that a single set of business information might be subject to tax, environmental, privacy and anti-money laundering rules - yet there is a limit to the number of different safeguards a company can apply to the same bits and bytes. In some extreme cases, legal requirements conflict, leaving businesses with the impossible choice of deciding which law to violate.
For instance the US Sarbanes-Oxley law requires companies to establish anonymous whistleblower hotlines for employees to make complaints about corporate malfeasance, yet in 2005 the French data protection authority found that these systems violate French data protection law. Guidance from the Commission Nationale de l'Informatique et des Libertes (CNIL) has since made it easier for companies to comply with both SOX and French data protection law, but the fundamental conflict between them remains.
Similarly, pharmaceutical companies may be required to consolidate records of adverse event reports in a database in a particular country, while data protection laws restrict the transfer of personal data to that country.
Moreover, the US Customs-Trade Partnership Against Terrorism (C-TPAT) includes information compliance requirements for various parties which are stated so broadly as to be meaningless from an IT systems implementation viewpoint. Businesses don't know what measures are sufficient, nor how the requirements interact with other IT compliance requirements originating in the US (e.g. FDA rules concerning electronic records) or in other countries and regions (e.g. the work on supply chain security within APEC).
"Depending on the way governments impose information compliance requirements, they can either assist businesses in developing better practices or cause severe costs and problems," the statement says.
"The ramp-up in the number and complexity of information compliance rules is making it increasingly difficult and expensive for business to operate - especially for businesses operating globally - and it is creating headaches for IT and legal departments," said Chris Kuner, chair of ICC's Task Force on Privacy and Protection of Personal Data.
To help address these problems, ICC has identified 14 important principles governments should adopt before passing any future laws, including: avoid conflicts and be flexible when conflicts occur; consider the economic impact before enacting new laws; ensure requirements do not create barriers to international trade; avoid creating competitive disadvantages within and across borders; do not stifle technological innovation; set compliance objectives rather than prescribe specific standards; use internationally accepted IT terms; and avoid supplying information compliance solutions.