US-style laws requiring UK companies to report data breaches will be less effective at improving security than providing them with guidance, a panel of experts has warned.
Speaking at an Intellect roundtable, Lord Harris of Haringey, who co-authored the Government's recent report on IT security, said that UK business desperately needed guidance on what best practice was when it came to securing data.
"A holistic approach to addressing the problem of data breaches is needed. Making it law for companies to report breaches is one part, but the government needs to provide more guidance to companies to prevent these in the first place," he said.
He said that the Information Commissioner's Office (ICO) should also be given more powers to conduct random audits of companies to ensure compliance.
David Smith, Deputy Information Commissioner and leader of the Information Commissioner's Office's current consultation on data breaches, said that any guidance government provided would need to be updated regularly.
"There is a danger that companies might view the advice as a panacea and not take a wider view on security," he said.
Smith said that the ICO could audit a company and be satisfied with its IT security, but if an employee then takes a laptop off-premises and loses it, what matters is whether the company had asked the wider question of whether the data on that laptop should have left the premises in the first place.
"For too long information has been treated as having a different security requirement to other assets in the business. Responsibility has to be factored in, too," said Smith.
Hazel Grant, a lawyer specialising in the area of data breach notification and a partner at Bird and Bird, said that it would not be right to place criminal liability on IT directors and data protection officers.
"In the cases we have seen, IT managers are responsible for high-tech security, while the reasons for most data breaches are low-tech - for example, leaving a laptop on a bus by accident," she said.
Because of this, Charlie McMurdie, detective chief inspector of the Metropolitan Police's E-crime unit, said that there needed to be a combined approach from companies.
"Physical and IT security need to be combined to ensure that there is resilience to handle things like human error," she said.