US-style laws requiring UK companies to report data
breaches will be less effective at improving security than
providing them with guidance, a panel of experts has
warned.
Speaking at an Intellect roundtable, Lord Harris of Haringey, who co-authored the Government's recent report on IT security, said that UK business desperately needed guidance as to what best practice was when it came to securing data.
"A holistic approach to addressing the problem of data breaches
is needed. Making it law for companies to report breaches is one
part, but the government needs to provide more guidance to
companies to prevent these in the first place," he said.
He said that the Information Commissioner's Office (ICO) should
also be given more powers to conduct random audits of companies to
ensure compliance.
David Smith, Deputy Information Commissioner and leader of the ICO's current consultation on data breaches, said that any guidance government provided would need to be updated regularly.
"There is a danger that companies might view the advice as a
panacea and not take a wider view on security," he said.
Smith said that the ICO could audit a company and be happy with
its IT security. But if an employee takes a laptop off-premises and
it is lost, it is important to determine whether the company was
asking wider questions about whether the data on that laptop should
have been taken outside in the first place.
"For too long information has been treated as having a different
security requirement to other assets in the business.
Responsibility has to be factored in, too," said Smith.
Hazel Grant, a lawyer specialising in the area of data breach
notification and a partner at Bird and Bird, said that it would not
be right to place criminal liability on IT directors and data
protection officers.
"In the cases we have seen, IT managers are responsible for
high-tech security, while the reasons for most data breaches are
low-tech - for example, leaving a laptop on a bus by accident," she
said.
Because of this, Charlie McMurdie, detective chief inspector of
the Metropolitan Police's E-crime unit, said that there needed to
be a combined approach from companies.
"Physical and IT security need to be combined to ensure that there is resilience to handle things like human error," she said.