IT industry split over data-breach penalties

Nick Heath, silicon.com

Published: 07 Jan 2008 09:10 GMT

The IT industry is divided over whether new laws are needed to make the reckless loss of personal information by public and private sector organisations a criminal offence.

Proposals that recklessly or repeatedly mishandling personal information should become a criminal offence were put forward in a report by the parliamentary justice select committee.

But the report is splitting opinion among senior figures in the IT industry, with disagreement over whether the government should resort to legislation in an attempt to prevent future incidents similar to the HM Revenue & Customs data breach.

Joseph Hoban, vice president at data-protection software company GuardianEdge, said: "With more public-sector data breaches on the horizon, the government must act now to avoid a certain repeat of the HMRC debacle.

"American organisations understand that prevention is cheaper than cure — and implementing encryption technology is cheaper than the cost of a data breach. The UK government needs to follow suit and introduce financial penalties."

Chris Mayers, chief security architect at Citrix, told ZDNet.co.uk's sister site silicon.com: "The government needs to bring in tougher laws to make companies realise the responsible handling of our data isn't an option, it's a necessity.

"To give these laws teeth, more resources are also needed for investigations and for enforcing the existing legislation. Similar measures have proven successful in the US since they were introduced in California in 2003."

But Jamie Cowper, director of marketing EMEA at encryption security company PGP, had reservations about the report.

Cowper said: "Making data loss a criminal offence is maybe a step too far. For a start, who's going to be liable here? How do you define the role of data controller? And what does this mean for much-heralded government database projects such as ID cards and the NHS spine?

"Before we go for the nuclear option, perhaps we should first look at how current security regimes can be tightened up with, for instance, stricter enterprise data policies. We should also test the power of simply naming and shaming organisations."

Alan Bentley, regional vice president of Lumension Security, also questioned how the law would work, saying: "There is a very fine line that needs to be balanced, which ensures that all our personal data is secured but does not hamper the efficiency of a business.

"For government and industry organisations to take control of their data they need to monitor all the information transferred to and from removable media. Capturing a full copy of the data and providing a comprehensive audit trail will ensure organisations can see where data has been moved to."
