Demand for tougher data breach legislation
Lost laptops and missing discs could mean legal trouble, as the media spotlight on data breaches gives weight to calls for tougher legislation - but is encouraging best practice a wiser move?
Another day, another miserable data fiasco - it seems there's no end in sight for missing laptops and lost discs.
It's one thing after another: Marks and Spencer told off by the information commissioner's office (ICO), missing discs from the Ministry of Justice and HM Revenue and Customs, and laptops lost by the Ministry of Defence are just the latest in a line of breaches which affect millions in the UK.
It's clear more will happen, but what can the government do to force industry (and itself) to take the right measures to make sure such debacles don't happen again?
There are, of course, technology and policies. Indeed, Whitehall staff were recently banned from removing unencrypted laptops containing data from their offices, but as HMRC's acting chairman Dave Hartnett has already admitted, the failure to protect data is "systemic" - leading some to say tough legislation is the only way to force organisations to keep data secure.
Legislation on the way
And such legislation might be on the way. According to the Ministry of Justice, parliament is currently considering proposals to amend the Data Protection Act.
It said: "Subject to Parliamentary approval, this will provide for terms of imprisonment in addition to existing fines for those found guilty of unlawfully obtaining or disclosing personal data."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
What these new penalties may mean is that those found guilty of security breaches could face imprisonment for up to two years - currently only punishable by a 5,000 fine.
On top of these proposals, Information Commissioner Richard Thomas has also demanded new powers of inspection, allowing them to "spot-check" government departments without permission to ensure the security and protection of data.
Indeed, the Information Commissioner Richard Thomas has himself come down on the side of stronger legislation, saying in the House of Commons Justice Committee report on the Protection of Private Data said there was a "need to ensure that safeguards are achieved in practice".
And, a security review by Cabinet Secretary Gus O'Donnell, the Data Handling Procedures in Government: Interim Progress Report, has stressed the need to extend spots checks to the entire public sector and has made a commitment in principle to the introduction of new sanctions under the DPA for the serious breaches of its principles.
Making laws actually work
Such changes are a step in the right direction to getting organisations to take data security more seriously, but figuring out how such things would work in reality is no easy feat, according to Rosemary Jay, partner and head of information law practice at international law firm Pinsent Masons.
"When you say 'should' create stricter laws, we need to ask would that work and how it would work," said Jay. "I agree that it is right that somehow we need to persuade everyone to be more serious about security, but to say that there is a problem and then to leap to a solution and make a new law to send people to prison - that might not necessarily be the right solution."
She added: "The proposal around now, proposing criminalisation, is draconian and risks leading organisations to becoming very secretive. What you would not want to do is drive people into secrecy about security breaches."
There is certainly an argument to be made about the lack of transparency that could occur were the threat of criminalisation and imprisonment to loom over people responsible for future security breaches - perhaps what is needed is a little more thought to the deterrents that can prevent or limit future security breaches.
"There is actually a proposal that has come forward from the European Commission, only in the telecoms context at the minute, which was considered by a House of Lords Committee and then the government, last autumn," said Jay.
"That proposal was a notification proposal, which means that if you've had a security breach you have an obligation to notify all the people whose security you've breached. It was recommended that the UK should look at something like this."
Jay added: "The government said that it didn't think it was appropriate."
"The notification obligation is an interesting one in terms of transparency. Whether it should be notification to everyone who is affected, I think there's an issue there," she said.
Data breach notification
The proposal brought forward by the European Commission is similar to that already implemented in the State of California, which makes it mandatory for state bodies and business to admit data security breaches to individuals if their unencrypted personal details have been put at risk.
By affording consumers such knowledge, companies feel obliged to improve the security of their systems and take security precautions more seriously for the sake of the longevity of their businesses.
But as Jay said, the question surrounding exactly who would be notified when security breaches are made is a concern.
Rob Bamforth, principal analyst at consultancy Quocirca was also sceptical about notification, as well as possible laws criminalising data breaches.
"There are multiple levels to a notification law like this. Who do you let know? Do you let know the people whose data it involves, or a wider audience? There was the HMRC case where everyone was informed with a letter, sent in the post, with the same private details in the letter. Sometimes informing, depending how you inform, could exacerbate the problem."
Technology the answer?
So if stronger legislation to punish and notify isn't an option, what can be done to prevent further security breaches? According to Bamforth, as IT PRO has previously reported, government and organisations should be looking at existing technologies and good old-fashioned people management to prevent security holes.
"Encrypting and authenticating are two obvious means," said Bamforth. "Why are we even moving data around when accessing it remotely might be more secure? Keep the data where it can be centrally well managed and protected and then use electronic means of access rather than physical means."
"However, while it's possible to say we can throw some technology at it and potentially fix the problem, the reality revolves around how it's used and the people side of it," he said. "Are employees being sufficiently educated in what their responsibilities are or what good practice is? These are the things that have a profound affect. Technology can only support all of those things. But this will of course cost time, resources and money."
Surely it's a cost that's worth the price. Whether the government decides to push forward to criminalise data breaches or instead aims to promote best practice with ICO spot-checks and more efficient use of existing technologies, it's clear that something has to be done before security breaches cease being a potential risk to the state and individuals and become an actuality.