Debate over UK breach notification laws intensifies

HMRC's lost records disaster last year has stoked the debate over creating breach notification laws in the UK.

Since Her Majesty's Revenue & Customs (HMRC) lost 25 million child benefit records at the end of last year, the debate over the creation of UK security breach notification laws similar to those introduced in California in 2003 has intensified.

Rhodri Davies, technical architect at security services firm Vistorm, believes that new legislation is inevitable.

"It wouldn't surprise me to see breach notification laws starting to appear over the next few years, possibly from the European Union first, and this could have implications for the amount of data that organisations are allowed to hold," he said.

A report published by the Commons Justice Committee on January 3rd also backed up this view. It called for government departments to be held criminally responsible for data protection breaches for the first time and for the Information Commissioner, Richard Thomas, to be given a substantial increase in powers in order to carry out spot checks.

The report also recommended that there be a legal obligation to report significant data losses to both those affected and to the Information Commissioner.

But not everyone is convinced that legislation is the answer or even that it will occur given the UK's traditional penchant for self-regulation.

"I don't think there's an easy solution to this," said Graham Quint, IT manager at Tewkesbury Borough Council. "Most organisations don't funnel information through their IT department so you have to rely on the individuals that generate data to safeguard it. This means that the core of it is education to ensure that people understand the value of personal information," he said.

This is increasingly pertinent in a progressively online world where "we often have to deal with people that we can't see and the only way we can identify them is through a series of known facts such as date of birth", he added.

However, many people do not understand the value of the data they are handling, and if they do, there tends to be an element of 'we've always done it this way and nothing's happened, so what's wrong with it now'. Another factor is that personnel are busy and will take whatever course of action seems most expedient at the time without necessarily considering the security implications.

Vistorm's Davies agrees, indicating that simply training people to take care of information and setting policies to hold them accountable is the best initial line of defence. "Training people and winning hearts and minds is always hard and relying on them is never foolproof, but showing a bit of care and attention can save a lot of embarrassment and cost later," he explained.

He also pointed out that the apparent recent flood of lost data incidents is nothing new. Instead, he believes that the public's mind is now more focused on information loss and the potential for resultant identity theft as an issue.

This means that such occurrences are more newsworthy than they were previously and that public pressure to do something about them is rising. Another consideration is that it is now considered good practice to disclose such happenings due to the knock-on effect of California's legislation.

"Other than the HMRC situation being so huge, this isn't out of the ordinary. I don't think people are being any more careless than they ever have – it's been going on for a while. But it doesn't help that the sheer quantity of data being collected on people has increased significantly, which means that there's simply more opportunity to lose it," he said.

Nonetheless, technology has its part to play in providing multiple layers of protection. Database intrusion detection software from suppliers such as Imperva and Secerno can be useful in that it alerts administrators to unusual patterns of access behaviour, while 128-bit encryption software will help safeguard data on mobile devices and storage media against unauthorised access should they be mislaid, provided the key or passphrase is not stored alongside the device.
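As an added illustration of the principle behind such alerting (this is not code from the article, nor from Imperva or Secerno), the following Python sketch builds a per-user baseline of which tables each user reads and how many rows their queries return, then flags later queries that depart from it: a bulk extraction of the kind behind the HMRC loss, or a user touching a table they have never used. The log format, the user and table names, the row counts and the thresholds are all assumptions constructed for the example.

```python
"""Toy database-access anomaly detector (added example, not a vendor product).

Builds a per-user baseline from a training window of query-log records and
flags later queries whose row count or table set departs from that baseline.
The log format "timestamp user table rows_returned" is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs; the names and figures are invented for the example.
TRAINING_LOG = """\
2008-01-07T09:01 clerk1 child_benefit 12
2008-01-07T09:05 clerk1 child_benefit 8
2008-01-07T09:12 clerk1 child_benefit 15
2008-01-07T09:30 clerk1 child_benefit 10
2008-01-07T10:02 clerk2 child_benefit 20
2008-01-07T10:10 clerk2 child_benefit 18
2008-01-07T10:15 clerk2 addresses 3
2008-01-07T10:40 clerk2 child_benefit 22
"""

LIVE_LOG = """\
2008-01-08T09:03 clerk1 child_benefit 11
2008-01-08T09:20 clerk1 child_benefit 25000000
2008-01-08T09:45 clerk2 payroll 5
2008-01-08T09:50 clerk2 child_benefit 19
"""


def parse(log):
    """Turn the assumed log format into (timestamp, user, table, rows) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows = line.split()
        records.append((ts, user, table, int(rows)))
    return records


def build_baseline(records):
    """Per user: the set of tables seen and the mean/stdev of rows returned."""
    rows_by_user = defaultdict(list)
    tables_by_user = defaultdict(set)
    for _, user, table, rows in records:
        rows_by_user[user].append(rows)
        tables_by_user[user].add(table)
    return {
        user: {"tables": tables_by_user[user], "mean": mean(rows), "stdev": pstdev(rows)}
        for user, rows in rows_by_user.items()
    }


def detect(records, baseline, z_threshold=3.0, min_floor=5):
    """Return a list of (timestamp, user, reason) alerts for anomalous queries."""
    alerts = []
    for ts, user, table, rows in records:
        prof = baseline.get(user)
        if prof is None:
            alerts.append((ts, user, f"unknown user queried {table}"))
            continue
        if table not in prof["tables"]:
            alerts.append((ts, user, f"new table {table}"))
        # A user whose history is very regular would have stdev near zero, so
        # allow at least min_floor rows of slack before calling a query unusual.
        spread = max(prof["stdev"], min_floor)
        z = (rows - prof["mean"]) / spread
        if z > z_threshold:
            alerts.append((ts, user, f"{rows} rows from {table} (z={z:.1f})"))
    return alerts


def run():
    """Train on the first day's log and check the second day's queries."""
    baseline = build_baseline(parse(TRAINING_LOG))
    return detect(parse(LIVE_LOG), baseline)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

Run as a script it reports two alerts: clerk1's 25,000,000-row read of child_benefit and clerk2's first-ever query against payroll. A real product would also look at time of day, query shape and destination (export to removable media being the HMRC case), but the row-count baseline alone is enough to catch a bulk extraction.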

The latter technology is particularly useful, indicates Tim Watson, head of the security and computer forensics group at De Montfort University in Leicester, as only 10 per cent of data breaches come about through specifically targeted hacks and the rest through the loss of physical equipment.

"For the individual, the implication of all this is identity theft, although we haven't seen that yet from any big breaches in the UK. For organisations, however, not only can the cost of trying to clean up the mess be high, but the damage to reputation may also be immeasurable," concludes Davies.
