HMRC leak raises prospect of new data rules

The HMRC data loss scandal could lead to an overhaul of UK security procedures, leaving IT directors facing the prospect of having to deal with new regulations that aim to guard against future privacy breaches.

The loss of two discs containing the confidential details of over 25 million child benefit recipients, including their bank and social security details, has been widely viewed as the worst breach to have occurred in the UK, and forced the resignation of HMRC chairman Paul Gray. Calls for tighter security controls across the public and private sectors have been heard from all corners in the wake of the incident.

“Searching questions need to be answered about systems, procedures and human error inside both HMRC and the National Audit Office,” said Information Commissioner Richard Thomas. He advised organisations to address security and data protection safeguards “with the utmost vigour” in light of the breach.

Alex Brown, a partner at international law firm Simmons & Simmons, said the incident will “turn the spotlight on the enforcement process” of the Data Protection Act, adding that the current process is too lenient. “The [Information Commissioner] will only hand out criminal sanctions if firms fail to comply with the enforcement notice. [But this is] too little, too late,” he said.

Ant Allan, an analyst at Gartner, agreed that punishment for not following security procedures needs to be made more severe, adding that fines carry less weight than custodial sentences when punishing organisations that fail to live up to industry standards.

Allan pointed out that many US states had introduced breach notification laws in response to these types of incidents. The HMRC data loss could lead to renewed calls for similar rules in the UK because there was a gap of about a month between the discs being lost and the public being informed.

But Allan said that any new legislation should lay out clear principles to guide organisations and be more limited in specific functions.

Efforts to raise awareness of data security risks and best practice could be a more useful response than introducing new legislation, Allan argued. He pointed out that when a full set of data is needed from HMRC, the usual practice is for an auditor to undertake the work – not a junior member of staff. “It shows that there is not enough corresponding awareness of policy in an organisation,” he added.

Jamie Cowper of PGP Corporation attributed the problem to the public sector focusing on securing their networks “to the utmost degree” with firewalls, but not considering the data.