By Nick Heath, 4 January 2008 15:34
The IT industry is divided over whether new laws are needed to make the reckless loss of personal information by public and private sector organisations a criminal offence.
The proposals suggesting recklessly or repeatedly mishandling personal information should become a criminal offence were put forward in a report by the parliamentary justice select committee.
But the report is splitting opinion among senior figures in the IT industry, with disagreement over whether the government should resort to legislation in an attempt to prevent future incidents similar to the HM Revenue & Customs data breach.
Joseph Hoban, VP at data protection software company GuardianEdge, said: "With more public sector data breaches on the horizon, the government must act now to avoid a certain repeat of the HMRC debacle.
"American organisations understand that prevention is cheaper than cure - and implementing encryption technology is cheaper than the cost of a data breach. The UK government needs to follow suit and introduce financial penalties."
Chris Mayers, chief security architect at Citrix, told silicon.com: "The government needs to bring in tougher laws to make companies realise the responsible handling of our data isn't an option, it's a necessity.
"To give these laws teeth, more resources are also needed for investigations and for enforcing the existing legislation. Similar measures have proven successful in the US since they were introduced in California in 2003."
But Jamie Cowper, director of marketing EMEA at encryption security company PGP, had reservations about the report.
He said: "Making data loss a criminal offence is maybe a step too far. For a start, who's going to be liable here? How do you define the role of data controller? And what does this mean for much-heralded government database projects such as ID Cards and the NHS spine?
"Before we go for the nuclear option, perhaps we should first look at how current security regimes can be tightened up with, for instance, stricter enterprise data policies. We should also test the power of simply naming and shaming organisations."
Alan Bentley, regional VP of Lumension Security, also questioned how the law would work, saying: "There is a very fine line that needs to be balanced, which ensures that all our personal data is secured but does not hamper the efficiency of a business.
"For government and industry organisations to take control of their data they need to monitor all the information transferred to and from removable media. Capturing a full copy of the data and providing a comprehensive audit trail will ensure organisations can see where data has been moved to."
The justice select committee's report supports silicon.com's Full Disclosure campaign for legislation that would require organisations suffering security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

Comments
1. Karen Challinor
Money can be tracked; we have chartered accountants and bookkeepers to track money, banks are liable if they lose money, money is important.
Where are the personal data equivalents of chartered accountants and bookkeepers? Who is liable if your personal data is lost? Why isn't our personal data as important as money?
yes we need laws to protect our personal information, however I do not trust HMG to formulate them as HMG are one of the groups we need our personal information protecting from
2. Simon
Oh FFS ! Yet again, a proposal for yet more laws to deal with problems ALREADY COVERED BY LAWS !
We do NOT need any new laws, all we need is for the existing laws to be made worthwhile. Specifically, as long as the Information Commissioner is as toothless as he is then we'll see no improvement.
Simply give the ICO the powers to go and CHECK (like the H&SE has), plus the powers to properly prosecute where the law is being broken, AND the budget to be able to do it. At the moment, the ICO lacks some key powers, but most importantly is lacking the budget (just like the H&SE) to do its job properly.
Oh yes, and if we are ever to have any faith in the current law, the exemptions currently abused by the government need scrapping.
3. David Rogers
Should negligent loss of data be a criminal offence? Of course it damn well should. Maybe if the halfwit who sent unencrypted personal details worth half a billion dollars through unregistered internal mail had thought he might go to jail: or if his BOSS had thought that he or she would go to jail: it would not have happened.