Home > Security

Computerworld - "Truth be told, everything we've done in the area of extrusion prevention is because of industry regulations. The police were useless in our last extrusion event, and we're developing our self-audit and control capability in order to protect our customer records and actuarial data."
-- General counsel of an insurance company with $8 billion in assets
"We don't invest in extrusion-prevention technology because it's a criminal offense when one of our employee extrudes critical filings. We feel the legal deterrent is sufficient."
-- IT manager at the Securities and Exchange Commission in a Middle Eastern country
Extrusion prevention requires both management and technology controls. The trigger to implementation often lies in government regulation. This article examines the relevance of regulation in the U.S. and in Europe.
Extrusion is the unauthorized transfer of a company's essential digital assets -- credit cards, customer records, transactional information, source code and other classified information.
Regulation can't protect us from extrusion. Uncompromising ethics and good management are prerequisites for protecting a company's digital assets and individuals' private information.
Let's look at the relationships between individuals, companies and regulation:
Privacy regulation trends in the U.S. and Europe
Government-regulated privacy protection of information is a natural response rooted in the field of telecommunications, since countries either own telecommunications businesses outright or tightly regulate their industry. This has largely led to a view of electronic privacy as an issue of citizen rights vs. state legislation and monopoly.
In the Information Age, privacy has two dimensions -- intrusion and extrusion:

• Protection against intrusion by unwanted information such as spam and telemarketing or by criminals, similar to the constitutional protection to be secure in one's home.


• Protection against extrusion by controlling information flows about an individual's or a business's activities, such as preventing identify theft or protecting a company's trade secrets.

Regulation has moved in two major directions -- centralized general protection and decentralized ad hoc protection. The European Union has pursued the former and passed comprehensive data-protection laws mandating coordination on information collection and cross-border data flows. The U.S., in contrast, has dealt with issues on a case-by-case basis -- health care, credit cards, corporate governance, for example -- resulting in a variety of ad hoc federal and state legislation.
A synthesis of the European and the U.S. approaches would be to formulate a set of broad rules for vertical industries. This was the direction taken by the New York Public Service Commission regarding telecommunications privacy. Private customer information typically includes details from your monthly bill, including calling patterns, types of lines, and