NET RESULTS: It is time Ireland legislated for mandatory disclosure of data breaches, writes KARLIN LILLINGTON
THE DATA Protection Commissioner’s 2009 interim annual report, released last week, reveals that personal data security breaches – the loss of sensitive personal information by companies or organisations – were up almost 50 per cent on 2008.
Surely this is overwhelming proof (if any more were needed after the appalling tales of data loss by Government departments, semi-State agencies and a variety of companies) that Ireland needs to legislate for mandatory disclosure of data breaches.
Such laws are increasingly the norm across the world. In the US almost every state has such a law. There is formidable evidence that it was only legislation of this sort, introduced at the start of the decade in California, which led to the realisation that some massive breaches were happening at all.
It was only when Californians had to be notified of such losses that the national scale of some of these breaches was realised: in some cases, tens of millions of records were accidentally lost or stolen in single incidents.
Without such laws, citizens cannot even take the most basic steps to protect themselves from becoming a victim of identity theft or of having their financial accounts compromised.
No wonder, then, that since those initial disclosures, almost every US state gradually followed, and a federal law has been under discussion. Other countries have brought in such laws too, and the topic has been under debate at European level.
But such discussions have come to nought. A Data Protection Review Group set up by the Department of Justice to examine the issue last year reported in October that it seemed unlikely Europe would move forward with the issue for at least two years.
That leaves Ireland in a position of trying to decide whether to wait for a European directive at some distant future point or to grasp the nettle and produce domestic legislation.
Many people reading this must be thinking: “But surely the Data Protection Commissioner’s report is an example of a system that is already working, given that we are hearing about any increase in data breaches.”
Well, it doesn’t quite work like that. While reports of breaches are on the increase – an indication, as Data Protection Commissioner Billy Hawkes points out in his report, that at least there is greater awareness within organisations to recognise such losses – it is up to the organisations whether they inform the commissioner or tell the individuals affected.
As the Data Protection Review Group paper notes: “There is no specific obligation imposed on a data controller to inform either a data subject or the [Data Protection Commissioner] of an incident involving the loss or improper disclosure of personal data.”
The only relevant regulation in Irish law applies to the telecoms industry, which must inform customers following a data breach – but only if there is a “particular risk”, decided at the organisation’s discretion.
The review group’s paper sets out several options for how a mandatory disclosure law might proceed.
Given the reluctance of organisations to use a basic security tool such as encryption to lock down personal data, we need a legal threat to force adoption of this elementary form of best security practice.
We cannot sit about and wait for years for the subject to come back on to Europe’s agenda. No Irish citizen should have to wonder for years whether financial institutions, health organisations, insurance companies, energy suppliers, telecommunications companies, Government departments or small neighbourhood companies are keeping data safe – or dealing with the potentially catastrophic consequences if they are not.
It is notable, however, that the Government has placed a premium on bringing in legislation that allows for huge amounts of sensitive data to be stored for years – our data retention laws.
Little has been done to date to protect such data – as the Data Protection Commissioner’s report makes all too clear.
Public responses to the Data Protection Review Group’s consultation paper were to have been submitted by the end of October last year. Nothing has been said since.
According to a spokeswoman for the Department of Justice: “The Data Protection Review Group recently submitted its report to the Minister. The questions of response and publication are being considered in the context of the transfer of the data protection function to Minister Pat Carey’s department [Community, Equality and Gaeltacht Affairs].”
Meanwhile, the Government has been pushing forward with a new data retention Bill, currently being debated in the houses of the Oireachtas.
The Government’s claim that data retention is needed to safeguard citizens rings hollow. As a consequence of Government inaction, organisations lack any obligation to let us know when the security of the data they store – our data – has been breached.
Data Protection Review Group paper: short.ie/jv3365
Klillington@irishtimes.com
Blog and podcasts: Techno-culture.com
Twitter: Twitter.com/klillington