EU privacy law shake-up to force data breach confessions

Pressure builds for one rule for all

By Nick Heath, 28 October 2008 12:26

Banks, other businesses and public authorities could soon be forced to confess to data breaches, according to the EU's privacy tsar.

European data protection supervisor Peter Hustinx said there is growing pressure within the European Parliament to create a data breach notification law as part of a shake-up of privacy law.

Amendments to the EU ePrivacy Directive are currently being debated by the EU Parliament and are expected to be passed in six months' time.

These amendments would force ISPs and telecoms companies to notify customers and authorities when they lose their customers' personal data.

Speaking at the RSA Conference in London, Hustinx said there are increasing demands from the European Parliament to widen the amendments so that all companies and public sector organisations with an online presence also come under the law.

Hustinx said: "I would be very much in favour of making data security breach an element of general data protection arrangements.

"It doesn't make sense to exclude an internet banking site, a hospital with a web site or other businesses collecting sensitive data online, and just to impose it only on the telcos and the ISP."

Hustinx went on to say that the powers of the UK Information Commissioner's Office (ICO) were lagging behind equivalents in the rest of Europe and welcomed consultations to give the ICO more powers.

He said: "Inspection and sanction powers are rather weak in the UK compared to other countries in the EU.

"But [information commissioner] Richard Thomas being given more powers is looking more probable."

But Hustinx added "there is no reason to presume that the UK is worse than other countries".

Comments

  1. John Franks

    In the realm of risk, unmanaged possibilities become probabilities: These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium."
    We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects and in the face of challenging change, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.
    The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. The real crux of the matter is education and training to the organization as a whole – and a recurring schedule of training – in building a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    I like to pass along things that work, in the hope that good ideas continue to make their way to me.
