Data Retention & Compliance to be a Major Issue for ISPs

Business-to-business ISP Entanet has highlighted data retention and compliance as key issues for the Internet market for the coming year, as new legislation comes in requiring ISPs to retain details of all communications and the impact of Sarbanes-Oxley and other compliance directives begins to bite.

On 14th December 2005, the European Parliament approved a draft Directive on data retention that will, when it comes into force, mean that ISPs and telcos will have to retain phone and internet records for up to two years for use in investigation of criminal and terrorist offences. While this is straightforward enough and relatively easy to deal with, there could be some implications for suppliers and their customers.

James Blessing, Operations Director of Entanet, says that it will be vitally important for ISPs to make it clear to their customers that details of all communications will be retained and that, if required to do so, that information will be handed over to the authorities. “Clearly, ISPs will need to let their customers know what they are required to do in order to comply with the data retention directive, but while this is relatively straightforward, the increasing necessity to comply with rules regarding information disclosure is going to complicate the issue for many organisations.”

Companies will also need to comply with America’s Sarbanes-Oxley (SOX) rules on corporate governance, and the IFRS (International Financial Reporting Standards) accounting regime. UK firms with a stock-market listing in America have to be compliant with SOX for the 2006 financial year, and all quoted UK companies are already supposed to be reporting their results in line with IFRS. These regulatory frameworks are designed to prevent accounting scandals and ensure that information that should be disclosed is disclosed to the right people at the right time.

In addition, companies need to comply with the Data Protection Act and ensure that they are keeping all this information – and especially personal data – safe from prying eyes. There is also the Regulation of Investigatory Powers (RIP) Act, which allows the authorities to monitor emails and other communications under certain circumstances and requires that companies or individuals hand over all their data should the police ask for it.

Both corporate compliance and the new anti-terrorism and criminal activity laws are prompting companies to start capturing and retaining the content of emails – and sometimes voice calls as well – themselves. So, in addition to the ISP or telco recording the date, time and method of the connections made, the sender and recipients will increasingly be doing the same, and also copying and possibly monitoring the content.

“It is going to become very difficult, complicated and messy for everyone”, says Blessing, “and what makes all of this worse is that none of it has really been tested in the real world as yet. There have been no really serious cases or challenges to the new directives and rules. ISPs and telcos are having to develop detailed policies – and we believe that many have not even made a start towards doing this – and both private and public sector organisations will have to put appropriate systems and procedures in place as well.”

For ISPs and CPE providers, the implications of not having policies in place could be very serious. Under the Communications Act, Ofcom has the power to fine companies up to 25% of their turnover if they do not have a published and approved Code of Practice or if they don’t currently have an Alternative Dispute Resolution service available. It is the former that the regulator is focusing on at the moment and it’s believed that three ISPs and one CPE provider have already been asked to tighten up their policies. Ever so slowly the screw will be tightened on these new rules.

But these are early days and there could be some further complications, Blessing adds. “There are still a great many grey areas. With regards to VoIP for example, it is not yet clear whether they will be treated. Ofcom sees and treats telcos and ISPs as being no different and calls them both ‘Communications Service Providers’ – we don’t know yet whether a VoIP call will be classified as a voice or a data communication and how and whether they should be recorded.

“Until these issues are tested in a courtroom somewhere, ISPs, telcos and their customers will probably be well-advised not to take any chances. The important thing right now is to be aware that the data retention directive and other regulatory legislation are coming into force and to start looking at exactly what you need to do in order to comply.”