Guarded welcome to proposed data leakage laws

By Ron Condon, UK bureau chief
16 Jan 2008 | SearchSecurity.co.uk

Proposals to make security breaches a criminal offence have received general approval from industry and legal circles. But most experts agree that implementation of any new laws could be tricky.

The proposals are made in a report entitled Protection of Private Data, published in early January by the House of Commons Justice Committee, and now being considered by the Ministry of Justice.

The committee was asked to look at the causes and consequences of the loss of two CDs in late 2007, which contained details of around 25 million UK citizens in receipt of child benefits. The disks, which were posted by an employee at HM Revenue & Customs, were addressed to the National Audit Office, but never arrived. Their whereabouts are still unknown.

The report, which based much of its content on evidence provided by the Information Commissioner Richard Thomas and his deputy David Smith, concluded that much stronger powers were needed to force organisations to take data security more seriously, and that the HMRC case was far from being a one-off.

In one section it remarks: "The Information Commissioner told us that quite a number of organisations, both public and private sector, had approached his office, almost 'on a confessional basis', to bring to his attention problems they had encountered with security inside their own organisations."

As well as recommending mandatory disclosure of breaches along the lines already in place in the US, the Committee has also recommended that organisations which experience "repeated or reckless" security breaches should be prosecuted under criminal law.

Paul Wood, an industry spokesman for the Institute of Information Security Professionals (IISP), gave a guarded welcome to the report: "We see it as a step in the right direction to help improve the security of data both inside and outside government." However, he believes the review was very limited in scope and only received evidence from the Information Commissioner and his deputy. "The review was a direct reaction to the loss in government departments and did not consider fully the implications of data losses and the direct link poor information security controls can have with financial crime."

Wood demanded much broader consultation before any new legislation was enacted and warned against what he called "a knee-jerk reaction" to the HMRC data loss.

John Colley, European managing director for (ISC)2, the professional body, described the new proposals as "vague" and dismissed any idea that the stronger measures would lay security professionals open to prosecution. "Organisations with a good security regime which is run or overseen by security professionals with a recognised qualification would have a very good defence that they are doing all that is professionally right. That would provide protection," he said.

Garry Sidaway, chief technical consultant with Tricipher, a company specialising in identity and access management, questioned how the law could be enforced in detail. "There are so many ways of getting data out of an organisation," he said. "I could put it on my iPod or my phone. If the USB port is blocked I can use Bluetooth. There are all sorts of ways of removing data that are outside the control of the system admin." But he still welcomed the proposals, and said that new layers of regulation were forcing organisations to move beyond merely ticking the box for compliance to taking risk management seriously.

As part of its call for stronger measures, the report also recommends an increase in the annual budget of the Information Commissioner's Office (ICO), which currently stands at £10 million, and the granting of extra powers to allow it to make unannounced spot-checks on organisations. At the moment, the ICO has to forewarn companies of any visit, although the Government has already promised to allow spot-checks in government departments.

Even as the law stands at the moment, the ICO could enforce data security more vigorously if it had the resources. According to Stewart Room, a lawyer with Field Fisher Price in London, the Data Protection Act allows the ICO to issue an enforcement notice against an organisation that suffers a breach, requiring it to fix its security. Any failure to comply with the notice would lay the organisation open to criminal charges. "Under the proposed new regime you could be prosecuted for a security breach, while currently you can [only] be prosecuted for failing to fix security," he said.

It is therefore a subtle change, but one worth making anyway, says Room, because it keeps the issue of data security in the public eye. "If we carry on the way we're going, we'll have a serious breach that will cause real damage. The HMRC case is pivotal because of the size of it. We don't yet know if it will result in actual harm. But the next time, it could be a breach in the context of the critical national infrastructure, and that could be very serious indeed."

The Ministry of Justice has up to three months to respond to the report.