New UK data breach notification laws could build on the US example to help address the identity theft problem, according to a group of security experts.
Speaking at a panel discussion at the RSA Conference Europe 2007, deputy information commissioner David Smith urged firms to act now to protect their systems rather than wait until Europe passes laws around data breach notification.
The media’s power to uncover and expose data breaches, along with current data protection laws in the UK, should mean that organisations already have processes in place to manage data breach incidents, said UK privacy watchdog the Information Commissioner’s Office (ICO).
“There are ongoing obligations already to keep information secure,” he said. “It’s important to bear in mind the media’s influence. Businesses can’t get away [from the media] and hush up [a data breach]. It’s better to manage the process now and not wait for a law. And shouldn’t you already have a process, because when or if there is a breach how do you deal with that situation? The starting point isn’t notification. The starting point is to stop the breach, and then assess the risk, identify who to notify and how to notify, and finally take steps to stop it happening again.”
Smith also urged legislators to make a law that is “simple and easy to understand” and does not enforce “notification for the sake of it” – this, he said, would put a disproportionate burden on UK businesses. However, Smith also warned firms: “don’t ask us to do your job for you”.
Christopher Kuner, partner and head of the international privacy and information management practice at US-based law firm Hunton & Williams, said notification laws were a “useful first step” that worked as a “blunt instrument” to increase awareness in the US. “But we need to go further than this and if the ICO thinks that this is enough it is wrong.”
Kuner described the state of current US data breach notification laws, which are in more than 30 US states, as a “hodgepodge”.
Kuner also warned that European citizens could become desensitised about the risks if notified of every breach, just as has happened to an extent in the US.
“It shouldn’t be notification for the sake of it, or it will become worthless,” he said. “It’s got to be meaningful, and this applies to the public sector as well as private. The risks are developing more in public than private, due to this surveillance society that we are developing, where governments share information, but it’s not controlled at the same level.”
Kuner added that individual data protection agencies like the ICO could play an important role as a first port of call for an organisation after a breach, advising it on the right course of action to take.
Elsewhere, Dennis Hoffman, chief strategy officer at RSA, said that information needs to be better classified, particularly for public sector organisations.
“Information technology is better described as data technology. Because you see ones and zeroes, you don’t see one collection of data as an important merger document and another as just a logo. So we need to distinguish what data we should be gathering and what types of information need to be shared.”
The UK does not currently have legislation in place to enforce data breach notifications. The European Commission is considering proposals to introduce rules around when companies have to reveal security leaks.