Full Disclosure

Leader: Why security threats don't have to be taxing

Some simple ingredients to keep customers happy

By silicon.com

Published: 9 October 2007 17:28 GMT

It's not every day you applaud the taxman - but HM Revenue and Customs (HMRC) deserves praise for its response to a recent potential data breach which followed the theft of a laptop containing sensitive information.

Laptops full of data get stolen all the time, but HMRC's security precautions before the theft last month and its actions afterwards are something that other organisations should look to emulate.

The first ingredient was encryption and password protection. When the laptop was stolen it was, according to an HMRC spokesman, protected by "both a complex password and powerful encryption software".

And for the second ingredient - honesty. As the taxman's spokesman told silicon.com: "We obviously deeply regret what's happened and we are obviously responsible."

And HMRC also added another – and probably most significant – ingredient: disclosure.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

The HMRC said the data belonged to the customers of financial services institutions and those bodies are "contacting each customer individually to let them know about what has happened".

This disclosure element is an important one – not just because it backs up everything the silicon.com Full Disclosure campaign stands for. It also raises the bar - compared to California's law, for example, which only obliges agencies or businesses in the Golden State to disclose data security breaches to residents if their unencrypted personal information may have been compromised.

That HMRC – even with an encrypted and password-protected laptop – still decided to go further is a rarity, and an example other companies should follow.

Let's just hope other UK companies start cooking up similar data breach response recipes to keep their customers on side if disaster strikes.
