Full Disclosure

Experts call for data breach legislation

Full Disclosure: Support for the silicon.com campaign snowballs

By Gemma Simpson

Published: 14 September 2007 15:21 GMT

The UK needs data breach legislation, according to a panel of data security experts.

Speaking at the discussion on data breach notification organised by tech supplier body Intellect, Lord Harris of Haringey said: "I did support the recommendation the [Lords Science and Technology] Committee made that there should be a data notification law in the UK."

A House of Lords committee warned last month the government must act or risk losing public confidence in the security of the internet.

Lord Harris said ISPs, holders of data, equipment and software providers all have a responsibility to raise the level of security and there must be "clear incentives" to do so or such bodies will fail to adopt more stringent security stances.

"In some cases the financial penalties [for data breaches] are not strong enough," Lord Harris added.

The panel also agreed there needs to be more discussion surrounding data breach notifications, with the silicon.com Full Disclosure campaign coming in for praise.

Nigel Hopgood, head of security and compliance at Sun Microsystems UK, said: "I think the silicon.com campaign is fantastic and the general awareness of the issues surrounding data breach notifications needs to be raised."

And Barbara Navarro, director of business and marketing at data privacy company Sapior, said the silicon.com campaign "has helped to raise the bar and get people discussing this topic".

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

But with new legislation and tougher penalties for failing to keep data safe, there comes the question of who bears the brunt of the blame, according to the roundtable members.

Lord Harris said: "It's not a question of the IT director being responsible [for data breaches] but all the company directors."

And Hazel Grant, partner at legal firm Bird and Bird, said any criminal liability should not be put on the CIO because companies must deal with the loss of low-tech as well as high-tech data.

But it's not just the corporate world which should be held accountable - consumers need to think before they act, according to the ICO.

David Evans, deputy information commissioner with the ICO, said: "The idea that the IT director is responsible does not reflect the fact that we are happy to hand out our own information."

Evans added consumers are "bargaining with their privacy" by giving companies information about themselves.

Charlie McMurdie, detective chief inspector with the e-crime unit of the Metropolitan Police, added: "I can see the need for data breach notifications to take place [but] part of the solution is to raise awareness to get people thinking about the security of their data."
