Proposed UK Legislation Would Affect Email Managers Worldwide
Written by Dan Blacharski on July 22, 2008

In these days of Web 2.0 and beyond, companies are less tied to geographical boundaries. And as businesses become more virtual, they may also have to pay attention to laws and regulations far beyond their own borders. Legislation relating to email security sometimes transcends political boundaries, such as in the case of California’s Information Practice Act (SB1386), which requires that any company that maintains any personal information about California residents notify those residents if that data has been breached. The regulation, which applies to businesses of all sizes, is generally interpreted by the industry as being very broad-reaching. For example, a data storage firm that stores information for clients that do business in California would also have to comply, regardless of its physical location. Similarly, a company in New York that has customers in California would also be required to comply.
In the case of SB1386, compliance doesn’t present a huge burden, it isn’t intrusive, and disclosure is something that any company interested in good PR should do in any case. However, security managers and administrators of email systems around the world should be paying attention to a proposed piece of UK legislation called the Interception Modernisation Programme, which would require all ISPs to record all Internet traffic, including emails, for the purpose of creating a single, centralized government database of all communications of the country’s citizens.
Besides the obvious personal privacy issues involved in such an intrusive scheme, the security vulnerability is overwhelming. Such a database—containing all the records of every email sent through a UK-based ISP—would become a target immediately were it to become a reality. Every hacker, spammer, and cybercriminal in the world would be trying to get at it.
While the legislation applies only to UK companies, companies the world over that do business in the UK would obviously have to revisit their privacy policies and disclosures, and get ready for the inevitable data breach that would most certainly occur.