Fresh calls for data-breach law
A member of a prominent House of Lords committee has repeated calls for a data-breach notification law.
Speaking at an event organised by Intellect on Thursday, Lord Harris of Haringey said: "I support the recommendation the [Lords Science and Technology] Committee made that there should be a data-breach notification law. Manufacturers of equipment, producers of software, holders of data, and internet service providers should all be much more security conscious than is currently the case. In some cases [of data breaches] the financial penalties are not strong enough."
A data-breach notification law would "concentrate the minds" of companies holding data, because loss of data would have an impact on that organisation's reputation, said Harris. He added that all board-level executives should be legally liable for data loss.
In August the Lords Committee brought out a report detailing the results of their inquiry into personal internet security. One of the recommendations of the report was that the government should pass a law requiring organisations to notify all affected parties in the event of a loss of confidential data.
Representatives of the Metropolitan Police cautiously supported the notion of a data-breach notification law, but said they had concerns about who would police the law.
"Companies would learn to take preventative action," said detective inspector Charlie McMurdie of the Met's Specialist Crime Unit. "My concerns with both best-practice guidance and legislation is, who is going to take on the policing response?"
McMurdie said that although the Met has been successful in tackling e-crime, a centralised e-crime unit was desirable to have policing "resilience", because most crime now involves elements of electronic crime. "For e-crime we have to have resilience — e-crime is now core policing. Law enforcement needs to get with 2007," said McMurdie. She added that currently there was no policing structure in place to deal with data-breach notification.
Howard Shaw, detective sergeant with the Met's Specialist Crime Unit, said: "It's a question of how to dovetail the law and enforcement. For acts of criminal activity there has to be a reactive response, but if the law is not carefully considered it will let loose an animal it doesn't need to. Data breaches run from the corner-shop owner who loses customer notes, right through to corporations losing data. We'd need to be careful [to have a proportionate response]."
The Information Commissioner's Office, which in part enforces the Data Protection Act, also cautiously welcomed the idea of a data-breach notification law. "It depends what the law would be," said David Evans, senior guidance manager at the ICO. "We can see the benefits, but a great deal of thought needs to be given as to what form the law would take."
Evans said that the Data Protection Act currently does not require companies to notify either the ICO or those affected by the loss of data, but that voluntary disclosure of data breaches was not adequate. "If we're allowing businesses to have self-control, we should expect openness and transparency. If their security measures aren't adequate, they should be expected to cough that up. However, if the reputational risk [of disclosure] is bigger than the risk of not disclosing data loss, then companies may decide not to notify," said Evans.
However, Evans said that if a data-breach law was introduced poorly it would serve no-one's interests. He said the ICO wished to avoid situations where people are unneccessarily notified of a privacy breach. "It comes down to what form the law takes. Does it prescribe exactly how a data breach should be disclosed? The notification should tell the individual what has happened and inform them of practical steps they can take," said Evans.