Monday 14 July 2008

The Lords follow-up

Yet another chapter in the ongoing debate over data breaches, government woes and the balance of responsibilities between organisations and individuals came last week with the official follow-up document to the House of Lords Science and Technology Committee's report on personal internet security. To cut a long story short, it renews the Lords' original calls for a data breach notification law, for fraud reporting rules to be changed so that the police, not the banks, are a victim's first port of call, and for liability for internet security to be placed firmly on the banks.
All of these recommendations are sensible, as they were last August when the original report was launched. The problem is that the government's stance, while softening, is still pretty non-committal. Lord Broers, a member of the committee, seemed cautiously optimistic when I spoke to him about it; after all, the original government response was nothing short of disgraceful - dismissive, arrogant and ill-considered.
The prospect of a data breach notification law is one of the more widely talked-about issues raised by the Lords. Already implemented in many US states, the arguments for it are well rehearsed: compel an organisation to disclose when a breach has occurred and it is more likely to get its shop in order and protect sensitive customer data. A neat knock-on effect would be to give us all a better idea of how widespread data breach incidents are, accidental or not.
The arguments against are less convincing in my book; for example, that the public will lose interest in data breach stories after a while and that having to disclose such incidents will therefore lose its effect. Well, to be honest, as long as a reasonable lower limit is set and due attention is paid not only to the volume of records lost but to how badly an individual incident could affect the victims, a law should still work. We sorely need a legal imperative here because otherwise, quite frankly, certain organisations would rather not come clean if they've lost sensitive data, and who can blame them? The cost of a sensitive data breach is increasing by 20 per cent a year, according to analyst Gartner; the cost to brand is pretty much incalculable, but the risk is real enough to force organisations to re-examine their data security policies.
Europe is already leading the way by planning the introduction of such laws for ISPs and telcos, although they will be a long time coming to the UK. However, full, industry-wide legislation will happen eventually, so it is better to be prepared and start thinking about best practices in data security now; the Information Commissioner produces handy advice here. That way, by the time it is the law, your people, policies and processes should all be geared up to minimise the risk of data loss.
