Proposals for criminal sanctions against those responsible for personal data security leaks have received a mixed response in the security community.
Information commissioner Richard Thomas has urged the Ministry of Justice to bring in laws creating criminal penalties for both individuals and organisations that are “grossly negligent” with personal data.
But Gary Clark, EMEA vice-president at security firm SafeNet, said the proposed penalties might be too little, too late. “Organisations that deal recklessly with personal data should suffer the consequences – but the Justice committee’s recommendations still do not go far enough,” he said.
“Instead of punishing those responsible for data breaches after the event, why aren’t steps being taken to prevent them in the first place? Organisations should be penalised not only for losing data, but for failing to have necessary safeguards in place. These include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data.”
The proposals were “a classic case of shutting the stable door after the horse has bolted”, he argued.
Jamie Cowper, EMEA marketing director at data protection firm PGP Corporation, said current data protection laws were “simply not fit for purpose”, adding: “A laissez-faire approach to data security seems to be endemic throughout the UK public and private sectors, so maybe tough action is what’s needed to rectify this dangerous attitude.”
But Cowper did not endorse the plan for criminal penalties to tackle security breaches. “While it’s clear that the government is moving closer and closer to implementing US-style data breach notification laws in the UK, making data loss a criminal offence is maybe a step too far,” he said.
There were questions over who specifically would be held liable in the case of a data breach and how the role of the “data controller” for an organisation was defined, he argued.
“Before we go for the nuclear option, perhaps we should first look at how current security regimes can be tightened up with, for instance, stricter enterprise data policies. We should also test the power of simply naming and shaming organisations as a deterrent to lax attitudes to data protection, as it’s certainly worked in the US.”
Privacy campaigners have also criticised the proposal for criminal penalties. The NO2ID group, which campaigns against the government’s ID cards and data sharing plans, said the proposals “missed the point”, warning instead that the real threat to people’s personal data came from the proliferation of huge databases and the sharp increase in data sharing.