Analysis: Data losses – New responsibilities for business?

It could very well be that the HMRC data loss incident was the best thing for data security in this country.

It has highlighted to businesses the seriousness of losing customer data, but more importantly has raised public awareness of the rights of the individual when outsiders lose their information.

Cybercrime is largely built on this kind of lost data, and the Science and Technology Committee of the House of Lords has stated that the government was far too slow to deal with the problem.

Its report last year criticised the government's approach. The criticism is justified - in many data loss incidents the victim is unaware that the industry has lost their data, as there is no legal requirement for businesses to own up straight away.

Think back to the recent case where the website of clothing retailer Cotton Traders was hacked - it took nearly six months for them to own up and inform customers, many of whom were potential victims.

To deal with this state of affairs, the Science and Technology Committee urged the government to introduce a law making banks legally responsible for any losses a customer incurs due to electronic fraud.

"The biggest problem with the Data Protection Act is that it has no teeth," said the Earl of Erroll, Sir Merlin Hay, a peer who has a particular interest in IT and regulatory issues involving personal identity and government data sharing.

"With the recent data losses there is the arrogance of certain large organisations thinking it doesn't matter, or at a high senior level they can't see the impact of what they've lost because it doesn't affect their career."

The Earl of Erroll said that unless you make an incident impact the careers of the senior people ultimately responsible for a data loss, there will be no change in culture.

He added: "A parallel is last year with the Health and Safety Act. Once it became clear that you could take a member of the board and lock them up for not looking at health and safety within the company, they started to take it seriously. Maybe we need a similar act."

The Science and Technology Committee also felt internet fraud should actually be reported to the police, rather than to a bank. There is a big problem with this, though - the police aren't really equipped to handle such cases.

"Most police stations don't have the resources to deal efficiently with these sorts of crimes, and if the crime doesn't relate to a multi-million pound fraud, victims get advised to contact either PayPal, or agencies such as Antiphishing.org to seek justice," said Simon Heron, internet security analyst for Network Box.

"While such organisations are reputable, being passed to different agencies doesn't instil the public with confidence when it comes to reporting crime."

Heron said that the combined police forces need a central database of reported scams so that trends and patterns could be identified and dealt with on a much larger scale.

"Police need the resources to allow them to deal with these crimes themselves. There is no point in reporting internet crime if they can't follow through and help victims."