Data breach notification laws coming soon -- but not soon enough

Having his own credit card details recently compromised, possibly by the data breach at online clothing store Cotton Traders, bureau chief Ron Condon speculates on Cotton Traders' less-than-forthcoming response to the breach in terms of the state of information security legislation and the future of mandatory disclosure.

Three weeks ago, I was told that my credit card details had been compromised. I didn't lose any money, and the card was replaced, but I had no way of knowing how my information had fallen into the wrong hands.

I learned via the BBC that Cotton Traders, a company that sells clothes online and by catalogue, had a security breach earlier in the year, which resulted in the theft of up to 38,000 card details.

I've bought clothes from Cotton Traders, and used my credit card details to pay online. So can I conclude that it was Cotton Traders who lost my details? It's a fair assumption, but not conclusive.

In the meantime, Cotton Traders is remaining tight-lipped in response to the revelation, only conceding that it had "identified a security issue" in January, which "industry security experts" quickly resolved.

The company's brief statement goes on:

"We can confirm that our customer credit card data is encrypted on our website, but if any of our customers have been a victim of fraud, they should contact their card issuer.

"Cotton Traders have recently upgraded all security on their website, which has been validated by leading industry experts."

It goes on to claim that the BBC's 38,000 figure is "widely inaccurate", but does not give a more accurate figure. The statement then concludes by saying: "we would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards."

In other words, "just trust us."

But how can you trust a company that a) only admitted the problem openly when the story got out, b) refuses to give any details, and c) is not prepared to give any proof that it really is secure?

The case raises, once more, the question of mandatory disclosure along the lines that already exist in 40 U.S. states, where any company suffering a loss of personal data is obliged to inform the individual who might possibly be affected. The "naming and shaming" element of the law is credited with driving higher levels of security among companies who naturally want to avoid that kind of publicity.

If we don't have disclosure laws at the moment, it is just a matter of time before we do, according to Stewart Room, who specialises in technology-related law at Field Fisher Waterhouse.

He makes the point that since the notorious loss of two CDs by HMRC last November, the whole regulatory climate has shifted, with penalties for poor security rising steadily.

Ironically, in October, weeks before the HMRC blunder, the government rejected the case for mandatory disclosure that had been made in a House of Lords report, Personal Internet Security, published in August 2007. At the time, the government took the view that such data breach requirements were unnecessary.

Then HMRC happened.

In November, the European Commission proposed data breach notification laws, and in January, the House of Commons Justice Committee took the same view.

In March 2008, Robert Hannigan's review (set up in the wake of HMRC) recommended data breach notification laws for public sector bodies, and outlined plans for an overhaul of data security in all major government departments.

At the end of March, the Information Commissioner's Office issued guidance to companies on data breach disclosure, and in April, the Financial Services Authority warned the finance sector that it was going to get tough.

Furthermore, the ICO has now won the power to impose fines on those it deems guilty of reckless or deliberate mishandling of personal data. And the law is in place to make data theft punishable by prison sentence.

The level of fines is also bound to rise, Room said. The Nationwide was fined £980,000 by the FSA back in February 2007, and Norwich Union £1.2 million shortly afterwards. In both cases, the organisations paid up. "The ICO and other regulators will push the envelope on fines," he predicts, until they get so high that an organisation manages to mount a successful appeal against a fine.

Furthermore, Room adds that there is "a lot of transatlantic pressure on Europe" to enact similar data breach disclosure laws to those in the U.S., which currently put U.S. corporations at a competitive disadvantage to their European counterparts.

So the rapid changes we have seen in a short space of time look set to create a tighter regulatory regime than we have seen in the past.

But for now, customers of Cotton Traders have to take the company's assurance that all is well -- and I cannot be sure where my card was compromised. For the record, the ICO said: "We understand that the Cotton Traders website was encrypted, but that hackers got around the security measures. So it is a matter for the police. It is not something the ICO would be involved in."

The law is clearly moving in the right direction (and incidentally should help to free up security budgets), but as a concerned consumer, I feel we still need to go further.