Legislation surrounding information and data leaks is seriously inadequate, writes Karlin Lillington.
LOST LAPTOPS, hacked files, missing key drives and PDAs, and private records exposed: a string of security breaches in the past year has revealed that Irish and international organisations are leaking the personal records of clients and customers.
Aren't companies and agencies supposed to be protecting this information or is it just hard luck for the hapless individuals whose personal details might end up in the wrong hands?
At the moment, say security and legal experts, a blurred legal situation means it's a bit of both. There's no legislation with the muscle to require companies to take particular care of information or even to notify individuals that their personal information has been lost or stolen. There is little redress for individuals who find their information compromised.
The only mandated protections demanded of organisations for the reams of personal data held in print and electronic form come from section 2(1)(d) of the Data Protection Acts 1988 and 2003.
It says that "appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing."
The Data Protection Commissioner, Billy Hawkes, has been clear that the onus is on organisations to protect data and understand which data they are entitled to have in the first place, and when they must be destroyed.
Organisations must have security measures in place to protect data, and staff are required to know those security measures. They also have a greater duty of care in the processing of sensitive personal information.
However, there are few specifics and even these are poorly understood, says Colm McDonnell, enterprise risk services partner at Deloitte. "Businesses are struggling to understand this and I don't think this message has fully gotten out. It's a very grey area and not fully regulated."
Many organisations don't fully understand which part of the organisation should be managing different types of data, and expect the information technology department to do it. The IT people have custody of personal data, but not ownership of it or the duty to manage it, McDonnell says.
Uncertainty over who actually manages data involved in a security breach may contribute to the confusion that seems to beset many companies when a breach is disclosed. Often, no one seems to be able to say what records were involved, and long investigations ensue.
"Best practice is to know at all times where is the information, who has access to it, where's the risk and how to manage it," he says. "You've got to develop the policies. There's really no quick fix."
In particular, McDonnell adds, encryption (scrambling data so that only someone holding the right key can read it) is simply a tool, not a silver bullet. Organisations are most at risk when they hold a "phantom belief" that encrypting files solves all their security problems.
UCD law lecturer TJ McIntyre, who is chairman of interest group Digital Rights Ireland, says better legislation and strict enforcement are needed to get organisations to take data breaches seriously.
"Data protection commissioners haven't had the powers of enforcement of financial service regulators," McIntyre notes. "Also, fines in Ireland tend to be on the low side. Maybe civil sanctions aren't good enough."
Ireland and Europe generally do not have any laws requiring disclosure of data leaks to those affected by them. In comparison, more than 40 US states now have such laws, based on pioneering legislation in California (see panel).
Several major national data breach cases came to light in the US after companies were forced to notify the Californians whose personal data was lost or stolen, and such disclosures pushed other states to create similar legislation.
Would such a name-and-shame law be useful here?
"Absolutely," says McIntyre. "The California law has teeth. Here, there's too much focus on companies being required to disclose data leaks being a punishment or a burden.
"But what about the customers? Disclosure gives the chance to fix someone else's mistake but also allows the market to vote with its feet and move business elsewhere."
McDonnell agrees that a California-style law would go a long way towards addressing the situation and getting companies to realise the serious impact a data leak can have on reputation and brand.
He also thinks the Government needs to think about the reputation of Ireland Inc. "We're talking about ourselves being a knowledge economy and head of the pack, but if we're leaking information, it doesn't instil confidence.
"We're 24 to 36 months behind our international colleagues in dealing with a situation that elsewhere is very much led by legislation."