Another day, another data breach

Businesses and society as a whole need data-breach notification legislation as soon as possible
Written by Tom Espiner, Contributor

The list of data losses has a new addition.

Over the weekend, news broke of a data breach affecting up to 5,000 prison staff, whose details were on a hard disk lost by contractor EDS two months ago. The data compromise was only disclosed over the weekend. Prison staff are so unhappy about the loss of their sensitive data that they are now threatening strike action, and they seem particularly peeved that no-one let them know earlier that their details might have fallen into the wrong hands.

The blunder adds to a rapidly growing list of government gaffes that make Laurel, Hardy and Mr Bean look competent. The crowning glory was HM Revenue & Customs losing 25 million child-benefit claimants' details last November, but the slip-ups have since occurred with alarming consistency.

The private sector has also been up to its neck in data losses, with millions of customer payment details being sniffed from poorly encrypted wireless networks (à la TJX), and thousands of customer details going walkabout on unencrypted laptops (thank you, Nationwide). And these are just the breaches that we've been told about.

The fallout for the organisations involved is significant: loss of customer confidence, damage to reputation and regulatory scrutiny. In a recent Experian poll, 32 percent of citizens said they placed "no trust at all" in the government being able to safeguard their data. Nationwide's laptop loss resulted in a lengthy investigation and a fine.

Voluntary data-breach disclosure in the UK simply has not worked, as seen by the clockwork regularity of data-loss fiascos. Increased regulation is on the horizon — the European Commission is circling the telecoms industry at the moment with proposed revisions to the E-Privacy Directive, which could make data-breach disclosure mandatory. The UK's information commissioner is pushing for more powers, as well as data-breach notification laws. However, recrimination followed by reform is often the worst option.

Data breaches usually indicate a failure of process. Either the information systems haven't been secure, or the business processes have been chaotic or simply not put in place. Legislation can help by forcing company directors to take security seriously, but a data-breach notification law by itself will not solve the problem. In the UK, we have a massive amount of world-class IT security knowledge; businesses need to recognise this, and work to build networks to share that knowledge.

Businesses should bite the bullet and reveal data loss as a matter of course. If it takes a data-breach notification law to give organisations the impetus to improve security, then we need that law. Ultimately, business would benefit from increased customer confidence, while strengthened data watchdogs would benefit not just business but society as a whole.
