The UK’s privacy watchdog the Information Commissioner’s Office has welcomed recent calls for US-style data breach notification laws, but urged firms to act now to protect their systems rather than wait until current proposals become law.
Speaking at the opening session of this year’s RSA Conference Europe in London, deputy information commissioner David Smith said that a law forcing firms to disclose if customers’ personal details have been stolen or exposed “would be welcome”, but he cautiously added, “it must be a good one”.
“If we have a law, can we have it simple and easy to understand, not like the laws we have to administer at the moment?” he pleaded. “It mustn’t be notification for the sake of it, or put a disproportionate burden on business.”
Smith also warned firms not to wait for current proposals being discussed by the EU to be implemented. He argued that the investigative power of the media, coupled with current data protection laws in the UK and industry-specific regulations, means organisations should already have processes in place to manage data breaches, or risk being exposed.
The comments echoed RSA Security president Art Coviello’s opening keynote, where he urged firms to take a holistic, information-centric approach to IT security, concentrating not just on technology but also the processes that underpin it.
“In reality not enough time or money is spent on understanding the risks, setting policies and having an organised, methodical approach,” he added. “Data is dynamic and… protecting information should be about process, not just products.”
Elsewhere, Christopher Kuner, head of the international privacy and information management practice at lawyers Hunton and Williams, argued that data breach notification laws could be slotted into existing EU legislation fairly easily, although he warned that customers may become desensitised if notified of every breach.
“If the Commission thinks that sending notifications alone will solve the problem they’ll probably be wrong,” he said.
He added that individual data protection agencies like the ICO could play an important role in being a first port of call for an organisation after a breach, advising them on the right course of action to take.
However, the ICO’s Smith warned firms: “don’t ask us to do your job for you”.
Data breach notification laws were also a major recommendation of the recent House of Lords science and technology committee report on personal internet security.
Lord Erroll, one of the contributors to the report, said they recommended data breach notification laws not with a view to naming and shaming large corporations, but in order to get a clear idea of the scale of the problem.
“If things are encrypted properly then they are unusable [by criminals],” he added. “Technology helps us to do things properly, but when companies say they can’t encrypt their databases because there are too many legacy systems it worries me.”
Phil Dunkelberger, chief executive of encryption specialist PGP Corporation, added that firms should be aware the criminal community is now concentrating its efforts on mining highly valuable corporate data rather than individuals’ personal data.
ICO welcomes data breach notification laws
By Phil Muncaster on Oct 24, 2007 9:53AM