21 Sep 2007
IT Week: What are your thoughts on the recent Information Commissioner’s annual report on data privacy?
Fudge: That report really brought data security to the forefront of people’s minds. When this happened in the US, it led to California introducing SB1386, a data breach notification law whereby even if you think you might have lost some customer data you must make a public disclosure. This is likely to be the next step over here too because the UK Data Protection Act has no teeth. However, you may see complacency from a customer standpoint if a breach notification law is introduced, until they actually become a victim.
IT Week: How has the recent PCI data security standard affected the industry?
Fudge: I see it as having as much or maybe more impact over time as any data breach notification laws because it could potentially have more teeth and force firms to protect data in additional ways. There have been some high-profile incidents in the US, such as the Veterans’ Association data loss, that have brought the standard to the forefront and made the government at least get very proactive. Washington is now one of our largest customers.
IT Week: So how far ahead of the UK are firms in the US in terms of their data protection and data breach mitigation strategies?
Fudge: In the US, there is more pressure on companies to put overall data protection policies in place. In the UK, we have to educate customers as to the policies and procedures, but in the US they already know them well and are looking at the technologies that can put them in place. We’ll see that cycle speed up in the UK soon. The Information Commissioner’s report has added greater visibility and urgency to these issues.
IT Week: A recent report by a House of Lords committee recommended technology vendors be held liable for security flaws in their products. How practical do you think this is?
Fudge: If it became law it would definitely force vendors to have better development practices. We follow the Electronic Mass Casualty Assessment & Planning Scenarios (Emcaps) requirements, which not only look at the functionality of products but the entire engineering process: how to document requirements, what kind of quality assurance processes you need and so on.
IT Week: Were the Lords right to criticise the UK’s fraud reporting system?
Fudge: The police need more resources to investigate this type of crime because as technology proliferates and more people do business online it will continue to get worse. Criminals are now going after the data and governments around the world have to respond and put organisations in place to respond to this.
The likelihood of a breach reporting obligation being implemented in the UK at this time is quite low because of the preferred approach by the ICO to education rather than enforcement. This was particularly evident with the 12 Undertakings signed by high profile financial services firms earlier this year. However, within the financial services sector, generally the penny hasn't dropped that the ICO can pass cases over to the Financial Services Authority for enforcement action. The FSA has publicly stated that they will be reviewing the area of data security as part of their inspection visits on firms. Unlike the ICO, the FSA has unlimited fining powers and this was illustrated with the fine of GBP980k being imposed on Nationwide Building Society. This is a significant difference to the level of fining that can be imposed by the ICO. In effect, there is a new data protection enforcer in the financial services area, and it is the FSA, so affected firms need to watch out, especially as there is an existing obligation to report breaches to the FSA notwithstanding the possibility of any report to the ICO.
With regard to the external reporting, I personally think that the general public would get a very rude awakening if they knew how many firms 'routinely' lost their information either by accident or design. External reporting could, however, lead to a competitive advantage for those more careful firms as a result of those careless firms receiving adverse publicity.
Posted by: Elizabeth Nelson 21 Sep 2007