Guarded welcome to proposed data leakage laws

Proposals to make security breaches a criminal offence have received general approval from industry and legal circles. But experts agree implementation of new laws could be tricky.

Proposals to make security breaches a criminal offence have received general approval from industry and legal circles. But most experts agree that implementation of any new laws could be tricky.

The proposals are made in a report entitled Protection of Private Data; published in early January by the House of Commons Justice Committee, and which is now being considered by the Ministry of Justice.

The committee was asked to look at the causes and consequences of the loss of two CDs in late 2007, which contained details of around 25 million UK citizens in receipt of child benefits. The disks, which were posted by an employee at HM Revenue & Customs, were addressed to the National Audit Office, but never arrived. Their whereabouts are still unknown.

The report, which based much of its content on evidence provided by the Information Commissioner Richard Thomas and his deputy David Smith, concluded that much stronger powers were needed to force organisations to take data security more seriously, and that the HMRC case was far from being a one-off.

In one section it remarks: "The Information Commissioner told us that quite a number of organisations, both public and private sector, had approached his office, almost 'on a confessional basis', to bring to his attention problems they had encountered with security inside their own organisations."

As well as recommending mandatory disclosure of breaches along the lines already in place in the US, the Committee has also recommended that organisations which experience "repeated or reckless" security breaches should be prosecuted under criminal law.

Paul Wood, an industry spokesman for the Institute of Information Security Professionals (IISP), gave a guarded welcome to the report: "We see it as a step in the right direction to help improve the security of data both inside and outside government." However, he believes the review was very limited in scope and only received evidence from the Information Commissioner and his deputy. "The review was a direct reaction to the loss in government departments and did not consider fully the implications of data losses and the direct link poor information security controls can have with financial crime."

There are all sorts of ways of removing data that are outside the control of the system admin.
Garry Sidaway
Chief Technical Consultant, Tricipher
Wood demanded much broader consultation before any new legislation was enacted and warned against what he called "a knee-jerk reaction" to the HMRC data loss.

John Colley, European managing director for (ISC)2, the professional body, described the new proposals as "vague" and dismissed any idea that the stronger measures would lay security professionals open to prosecution. "Organisations with a good security regime which is run or overseen by security professionals with a recognised qualification would have a very good defence that they are doing all that is professionally right. That would provide protection," he said.

Garry Sidaway, chief technical consultant with Tricipher, a company specializing in identity and access management, questioned how the law could be enforced in detail. "There are so many ways of getting data out of an organisation," he said. "I could put it on my iPod or my phone. If the USB port is blocked I can use Bluetooth. There are all sorts of ways of removing data that are outside the control of the system admin." But he still welcomed the proposals, and said that new layers of regulation were forcing organisations to move beyond merely ticking the box for compliance to taking risk management seriously.

As part of its call for stronger measures, the report also recommends an increase in the annual budget for the Information Commissioners Office (ICO), which currently stands at £10 million, and the granting of extra powers to allow it to make unannounced spot-checks on organisations. At the moment, the ICO has to forewarn companies of any visit, although the Government has already promised to allow spot-checks in government departments.

Even as the law stands at the moment, the ICO could enforce data security more vigorously if it had the resources. According to Stewart Room, a lawyer with Field Fisher Price in London, the Data Protection Act allows the ICO to issue an enforcement order against an organisation that suffers a breach, requiring them to fix their security. Any failure to comply with the notice would lay them open to criminal charges. "Under the proposed new regime you could be prosecuted for a security breach, while currently you can [only] be prosecuted for failing to fix security," he said.

It is therefore a subtle change, but one worth making anyway, says Room, because it keeps the issue of data security in the pubic eye. "If we carry on the way we're going, we'll have a serious breach that will cause real damage. The HMRC case is pivotal because of the size of it. We don't yet know if it will result in actual harm. But the next time, it could be a breach in the context of the critical national infrastructure, and that could be very serious indeed."

The Ministry of Justice has up to three months to respond to the report.

Read more on Regulatory compliance and standard requirements