Lack of data protection could be criminal
In Q&A session, Andy Maurice, Director of Consultancy, Iron Mountain Europe, describes how MPs are now demanding a change in the law to make negligent or repeated breaches of data security a criminal offence
1 - What consequences do firms face now if they lose customer data?
With the recent spate of high-level breaches of the Data Protection Act and a series of fines for the loss of personal data, the issue of data loss is now very much in the public domain. The loss of personal data can lead to identity theft and have a severe impact on the individual person rather than the organisation losing the data.
Yes, the organisation will most likely receive an ever-increasing size of fine; however, the loss of reputation and customer/shareholder confidence is more likely to be of greater concern. A recent example of this is the fine of £980,000 to a leading retail financial company for the loss of customer data on a laptop. The company is owned by its members - the 11m customers - so any penalty, in effect, comes from their money. Many are not happy that they will have to pay the penalty for their data being compromised. The Information Commissioner has already made many blue-chip private and public sector organisations sign an undertaking to comply with the principles of the Data Protection Act.
2 - What could they face in the near future? (And what are those proposals?)
MPs are now demanding a change in the law to make negligent or repeated breaches of data security a criminal offence. This would be applicable to both private and public sector organisations. This could lead to fines as well as custodial sentences.
The Commons justice committee is demanding tougher laws and there is mounting pressure for tighter enforcement of the Data Protection Act. Existing proposals being considered by Parliament through the Criminal Justice and Immigration Bill suggest amending section 60 of the act to include a provision for custodial sentences in addition to any fines levied. In this respect, fines will get larger and custodial sentences for data breaches may finally become a reality.
3 - How will this affect security professionals?
This will have a massive impact on security professionals, as they will need to take into consideration how their organisation handles personal information in all stages of its lifecycle, as well as the different formats that this information can exist in. The security professional now needs to consider information lifecycle management in its entirety, reviewing all of the internal and external locations in an organisation that could potentially be used to leak sensitive information. Until recently, this has been a rather reactive process. It is now mandatory for all EU bodies to have a Data Protection Officer in place, a clear indication that data protection is now taking centre stage.
Those organisations that stand out as champions of data protection will be those who have evolved their business processes to be proactive and forward thinking by producing robust policies and procedures up front, as opposed to worrying about it when it's already too late. After all, it is not just the security professional that will be impacted; company directors will be ultimately responsible for the mandating of these policy and procedures documents and ensuring their successful implementation firm-wide.
Data protection is no longer just an operational matter but a board room issue and we predict it can only be truly implemented from the top of the business down.