Should the penalty be for the data breach or for aiding and abetting fraud?

I have just had interesting feed back from a number of CISOs on my posting on the EU data Protection Directive. Some are still stuck in the past, adding yet more electronic nappies to cope with severe cases of data diarrhoea. Others are seeking to make the transition to a future where attack is the best form of defence: not only do you get damages from those who aided and abetted the attack (perhaps even from those who contracted it and trousered the cash) but next time the predators will attack some-one else, thus giving you competitive advantage.

A core question is whether it is the data breach that should attract any regulatory penalty (if and when you identify the breach to notify) or the failure to take action to help prevent data on your customers being used to for fraud as soon as you discover that it is happening, even if you have not identified how the criminals obtained it?  Should that liablity also apply to government departments and agencies, including regulators who demand that data be retained even though there is no business reason?

Once fraud has been attempted, the traditional penalties for “aiding and abetting” can be used against those who not only caused the breach but who helped the criminals exploit it. The innocent carrier defence under teh e-Commerce Directive is a double edged sword. The carrier ceases to be innocent if it fails to act on reasonable evidence of activities in breach of its own terms and conditions. Is the solution criminal law (with the burden of proof beyond reasonable doubt and all the overheads of internatioal co-ordination), civil law (using a mix of tort and contract to extract co-operation from all in the ISP supply chain lest they be liable for damages) or a mix of the two?

Hence my previous blog and belief that rabbiting on about data breach notification is just blether, compared to action on Internet addressing, e.g. cleaning up .uk,  because “real” action will not happen until a series of successful US class actions for damages reveals the liabilities incurred by those domain name registrars and ISPs whose services are disproportionately used by criminals because of laxity or their verification processes (if any).

At that point we might well see the addressing vulnerabilities that facilititate criminal (and military and espionage) anonymity start to evaporate: as that which is said to be impossible or impractical suddenly becomes routine practice. That prospect is likely to fill both the cyberwarfare and civil liberties communities with horror. Hence the need for well informed and balanced debate and scrutiny, like that being organised via the Digital Policy Alliance.