Should data breach confessions be mandatory for the private sector?

Owning up to mistakes is a moral challenge at the best of times, but gets even harder if a share price is at stake. That is the dilemma facing companies losing millions of customer records every year. And without a clear directive from government telling them they must come clean, why would any business admit to losing a laptop with people's most sensitive details on it?

But some experts now believe mandatory data breach confession for the private sector in the UK is inevitable. The incentive already exists for the public sector, but only because HMRC lost 25 million records on two CDs. In response, Cabinet Secretary Gus O'Donnell has instructed all government departments to notify the Information Commissioner's Office after a data compromise. About 1,500 incidents in the public sector have been reported to the office in recent months. Government departments must also detail every breach that has occurred in their annual reports and list the steps taken to address the security shortcomings behind it.

But the Information Commissioner has stopped short of forcing companies to follow suit. In a report to the Prime Minister in July, he said organisations should consider informing his office as a matter of good practice, but they are under no legal duty to do so. Handling the breach effectively is seen as the priority, and if customers' data is perceived to be in danger, then they must be notified immediately. It is presumed companies will take that step even though they have no legal obligation to do so.

Computer Weekly has revealed that 16.5 million records were lost or stolen from financial firms last year. The figures, obtained under the Freedom of Information Act, showed firms reported 56 incidents to the Financial Services Authority (FSA), 19 of which involved lost or stolen laptops. FSA investigations revealed 16.57 million customer records had been lost during 39 of the incidents. But the FSA refused to reveal the identity of the companies involved. In the majority of cases the firms are not named and shamed; that happens only when the FSA has to take action.

The lack of publicity must be a relief to many companies. But Professor Fred Piper, at Royal Holloway college, believes obligatory disclosure could provide all sorts of benefits to companies.

"Disclosure could be nothing but good," he says. "It would make companies realise they have to look after data because of potential embarrassment. It would also enable information security managers to increase security culture within companies. Companies would also be able to convince their employees to take information security seriously. Some information security managers may even welcome disclosure if they have trouble selling IT security within their companies."

Professor Piper says the Information Commissioner's Office (ICO) is making progress towards greater transparency and the UK should look west for inspiration in dealing with compromises in the private sector.

"The ICO is slowly getting some teeth - it is slow but considerable progress is being made," says Professor Piper. "They are all steps in the right direction. I think disclosure has to come and will come. It seems to be working well in California."

In 2002, California introduced a law forcing all companies and public bodies to tell customers if their records had been leaked and at risk. About 40 other states have followed its lead.

Ireland is also contemplating similar measures. The country's Justice Minister is considering introducing compulsory reporting by companies and state agencies to the Data Protection Commissioner. The public would be told of major cases. The move follows revelations that 35 devices containing data have been lost or stolen from the Irish government this year.

Similar rumblings are taking place in the UK and calls for compulsory disclosure have been echoing for months. The National Consumer Council has been calling for the European Union to draft directives forcing firms to inform consumers when their personal data disappears. The House of Lords Science & Technology Committee wants the government to introduce a law to enforce consumer notification. The committee released a report in August 2007, but since they claim their sweeping suggestions to improve Internet security were largely ignored, they opted to reopen their inquiry in August. The committee is calling for a consultation on reporting security breaches.

Reaction among information security managers to greater openness is mixed. "There is a cross section of people who feel we should notify," says Information Systems Audit and Control Association (ISACA) London Chapter president, Sarb Sembhi. "If we are forced to notify this would mean we would be in a position to argue our cause for the budget needed to secure systems. That is the positive and some people are saying 'yes, this should happen.'

"The other side of the argument is that notification doesn't actually lead to a positive outcome, as the data is already gone. It only leads people to worry and causes panic. So different organisations are taking different views, depending on their approach to the actual risks involved. The normal practice is if there is no risk to the customer whose data has been affected, then there is no need to report."

Sembhi said contractors losing client data is likely to be a growing issue with wider use of outsourcing. "We have seen an increase in data being lost by contractors in recent months," he warns. "It can be difficult when a contractor is in a different country and culture. Outsourcers need to make sure their data is sensitively handled."

He pointed out how the missing HMRC CDs have prompted a new dawn of transparency. "Since the HMRC data went missing so many other organisations have admitted losing data," he says. "It has opened the floodgates for honesty. It is also bringing an awareness to senior managers. If an MD loses a laptop, it is embarrassing and could affect the brand. And it also hits the share price."

Sometimes the stakes are so high that the only logical way out is to tell everyone, meaning share price concerns take a back seat as firms deal with crisis management. Take TJX, which suffered the largest known data breach ever, with 45 million credit card details stolen. The company went into communication overdrive in the months after it discovered the hack in late 2006, even issuing press releases as the world watched. As well as suffering a dip in its share price, it had to shell out $24 million to Mastercard to compensate affected card issuers. It also had to spend millions on improved security and undergo an independent audit every two years. Most firms will never suffer such a catastrophic data compromise, so will not face the scrutiny endured by TJX or HMRC. But as more breaches are revealed, calls may grow for a standardised reporting procedure across the board in the private sector, similar to what now occurs in Westminster's government departments.

David King, who chairs the newly formed Information Security Awareness Forum, urged a cautious approach to calls for mandatory reporting. The Information Security Awareness Forum (ISAF) was formed to promote IT security awareness in the wake of recent major breaches and has about two dozen members.

Speaking on behalf of ISAF, he says there have been a large number of reports of data leakages from the government in the last 12 months. "I understand there are also leakages in business, but of course my understanding is there is no obligation for them to report leakages unless the ICO advises it. I think there needs to be a public debate on notification. But there is an inevitability about it. I don't think the debate so far has been handled properly. We need to find out what works well and move to a position where there is a solution that works for us, taking into account lessons learned in the US. It needs to go on the agenda, but as it is an important issue there are complexities which need to be understood before rushing into legislation. The obvious benefit to customers is knowing when information about them has been leaked. But we need to see the lay of the land."

Indeed, the security landscape has changed forever since the government lost millions of child benefit records. Data compromises are now treated with the seriousness they deserve in the public sector. But whether private companies will ever be pushed into a similar position remains to be seen. The FSA says it expects financial firms to tell it about significant data loss and would take a dim view if it found out later that a company had not done so. That applies to banks and financial firms, but who regulates other companies?

Within the shady enigma of data compromise, it looks like many businesses can get away with regulating themselves. How thorough they are is a further mystery. They alone decide, initially, if risk is high enough for customers to have the right to know what has happened to their personal records. At a basic level, we are relying on the morals of corporations. In essence, we are pinning our hopes on good will and how plentiful is that outside Christmas?

Recent breaches

A laptop containing details of 100,000 pension scheme members has been stolen from Deloitte & Touche.
The Ministry of Defence has lost a hard drive which could contain the details of 1.7 million people.
Information stored on military hard drives has been stolen from an RAF base in Gloucester.
T-Mobile has admitted losing 17 million German customer records.