Fresh calls for data-breach law

Tom Espiner ZDNet.co.uk

Published: 14 Sep 2007 10:08 BST

A member of a prominent House of Lords committee has repeated calls for a data-breach notification law.

Speaking at an event organised by Intellect on Thursday, Lord Harris of Haringey said: "I support the recommendation the [Lords Science and Technology] Committee made that there should be a data-breach notification law. Manufacturers of equipment, producers of software, holders of data, and internet service providers should all be much more security conscious than is currently the case. In some cases [of data breaches] the financial penalties are not strong enough."

A data-breach notification law would "concentrate the minds" of companies holding data, because loss of data would have an impact on that organisation's reputation, said Harris. He added that all board-level executives should be legally liable for data loss.

In August the Lords Committee brought out a report detailing the results of their inquiry into personal internet security. One of the recommendations of the report was that the government should pass a law requiring organisations to notify all affected parties in the event of a loss of confidential data.

Representatives of the Metropolitan Police cautiously supported the notion of a data-breach notification law, but said they had concerns about who would police the law.

"Companies would learn to take preventative action," said detective inspector Charlie McMurdie of the Met's Specialist Crime Unit. "My concerns with both best-practice guidance and legislation are, who is going to take on the policing response?"

McMurdie said that although the Met has been successful in tackling e-crime, a centralised e-crime unit was desirable to have policing "resilience", because most crime now involves elements of electronic crime. "For e-crime we have to have resilience — e-crime is now core policing. Law enforcement needs to get with 2007," said McMurdie. She added that currently there was no policing structure in place to deal with data-breach notification.

Howard Shaw, detective sergeant with the Met's Specialist Crime Unit, said: "It's a question of how to dovetail the law and enforcement. For acts of criminal activity there has to be a reactive response, but if the law is not carefully considered it will let loose an animal it doesn't need to. Data breaches run from the corner-shop owner who loses customer notes, right through to corporations losing data. We'd need to be careful [to have a proportionate response]."

The Information Commissioner's Office, which in part enforces the Data Protection Act, also cautiously welcomed the idea of a data-breach notification law. "It depends what the law would be," said David Evans, senior guidance manager at the ICO. "We can see the benefits, but a great deal of thought needs to be given as to what form the law would take."

Evans said that the Data Protection Act currently does not require companies to notify either the ICO or those affected by the loss of data, but that voluntary disclosure of data breaches was not adequate. "If we're allowing businesses to have self-control, we should expect openness and transparency. If their security measures aren't adequate, they should be expected to cough that up. However, if the reputational risk [of disclosure] is bigger than the risk of not disclosing data loss, then companies may decide not to notify," said Evans.

However, Evans said that if a data-breach law was introduced poorly it would serve no-one's interests. He said the ICO wished to avoid situations where people are unnecessarily notified of a privacy breach. "It comes down to what form the law takes. Does it prescribe exactly how a data breach should be disclosed? The notification should tell the individual what has happened and inform them of practical steps they can take," said Evans.
