Thursday 8 November 2007

Lack of Data Disclosure Laws

Well, I lodged a complaint about HMRC with the Information Commissioner today, basically the guys who enforce the Data Protection Act, as I am still far from happy about the bad practice which led to my personal details being lost by HMRC, the time it took for disclosure, and then being misled about the data encryption of the CD. I'll post up the response when I get it.

Meanwhile, I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast. By the way, I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about the lack of disclosure laws we have in the UK compared to the US, which I have to say is true: we don't have any clear laws on breach disclosure within the public and private sectors, so we rely on and trust the ethics of companies and organisations. I think it would have been a very dangerous game for HMRC to sweep such a data breach under the carpet, due to the importance of transparency placed on government and the UK media reaction etc.

So, we need to have clear breach disclosure laws in the UK. I checked the Prime Minister's website to see if there was an online petition, and there was one, but it had closed at the end of October 2007, so I couldn't sign it.

"We the undersigned petition the Prime Minister to review existing data protection legislation and improve the reporting of information security breaches in the public and private sectors".

It was signed by 339 people. So perhaps I'll look into setting up and promoting another petition further down the line, well, not unless this one proves successful! Actually, perhaps I should try it the old-fashioned way and lobby my local MP or the Minister responsible for Information Technology.

http://petitions.pm.gov.uk/fulldisclosure/

1 comment:

Rob said...

Hi Dave,

I agree that the data breach disclosure laws in the UK are poor, but I'm wondering whether something akin to SB1386 is really what's needed.

I've talked about this over in PCI Answers before, and the general consensus there was that breach disclosure is a very temporary solution at best, and at worst, it can act as advertising for a company - Choicepoint was able to capitalise on their breach by playing the 'I'm a bad boy' card and publicly pulling their socks up.

Sadly however, no-one came up with a better answer. Tighter data protection laws need severe penalties, CEOs/CFOs going to prison even, before this is taken seriously. However, security is still sadly lacking in this area. Especially in the UK.