Irish Times calls for data breach disclosure law

August 13th, 2008

The editorial in today’s Irish Times has joined the calls (by ourselves and others) for laws which will ensure that Irish citizens are warned when their personal information has been compromised.

If any doubts remained about the urgent need for a national data disclosure law, they will have been banished by the revelation that the Comptroller and Auditor General’s office failed to disclose – for 16 months – the theft of a laptop which included personal details of 380,000 social welfare recipients.

The comptroller’s office also revealed that 106,000 of the records included highly sensitive bank account data. None of the data were encrypted, an appalling disregard for this most basic of digital security provisions. And while it was said there was no indication the information had been used in a compromising way, such assurances will provide little comfort to the 380,000 individuals whose information is exactly the kind of material that quickly makes its way on to criminal websites, where it is sold in cheap bundles to hackers and identity thieves.

Such incidents are becoming more, rather than less, common. In April, Bank of Ireland finally told Data Protection Commissioner Billy Hawkes that three laptops with details of 31,500 customers had gone missing up to 10 months earlier. Those data weren’t encrypted either. A month later the bank said it was investigating another allegation that a laptop had been stolen in 2001.

The Government must recognise that the public is well past the point of believing such occurrences are rare events. Nor will people accept that long-delayed disclosures of such losses by the organisations involved are just a trivial oversight. It is time to force organisations to immediately reveal such losses. The Government should introduce the type of legislation pioneered in California five years ago (and now copied in 40 more states).

California’s laws require organisations to immediately inform affected individuals when personal financial or medical information is lost. Initially seen as an oddity, it forced the disclosure of some of the biggest national data breaches and hacking incidents in the US, because Californian customers had to be told about them if their names were associated with any of the records. Once this happened, organisations quickly found they had to reveal the full extent of data breaches.

Thanks to the law’s name-and-shame effect, it has helped compel organisations to adopt better data protection standards. And such a law allows people to close accounts immediately and otherwise protect themselves from the sloppy stewardship of their private details, rather than wait months, even years, to find their account details might have been sold on. Irish citizens deserve such protection of their personal information.

Entry Filed under: DRI

4 Comments Add your own

  • 1. Jim Kilgour  |  August 13th, 2008 at 9:14 pm

    How big a deal is PCI DSS in Ireland?

  • 2. Administrator  |  August 14th, 2008 at 2:57 pm

    Brian Honan would be better placed to answer that (http://bhconsulting.ie).

  • 3. Brian Honan  |  August 14th, 2008 at 10:03 pm

    @ Jim Kilgour

    Jim the PCI DSS Credit Card Payment Standard applies to all companies that process credit cards. This applies to credit cards used in online sales, at point of sales systems in shops or indeed over the phone or via fax machine. So it is important to note that it is not confined to just ecommerce companies.

    It is an important standard as it prescribes a minimum set of requirements regarding policies, procedures and technology that must be in place for companies that process credit card details. The standard is an important one as it provides good details on how to secure a network and systems in line with recognised industry best standards. But we should remember that it is the minimum baseline a company should have and by its nature will not guarantee 100% security of the data.

    The standard is audited and managed by the credit card industry. This in my mind is one of the fundamental weaknesses of the standard as the credit card companies may not be keen to fine their own customers.

    Another issue is the low rate of takeup against the standard. There are still many companies, both here in Ireland and abroad, that are not yet compliant. Indeed through my work a number of companies I have dealt with who should be compliant with the standard are not even aware of it.

    Unfortunately PCI DSS does not have a badge or label that we as consumers can see to tell whether or not the company we are dealing with complies with the standard. This again is another weakness I see in it.

    PCI DSS, while a good standard, is also similar to our Data Protection Act in a lot of ways. They both dictate that companies should be taking appropriate measures to protect the data they hold on their customers, PCI DSS for credit card data and the Data Protection Act for all personal data. The problem we face in Ireland is that without breach disclosure laws in place there is no obligation on any organisation to notify their clients should the security controls they have put in place fail.

    This to my mind is a fundamental weakness. We entrust our personal, financial and medical details to many different organisations. Those organisations need to realise they are guardians of this information and they must ensure they keep the data entrusted to them secure. Focusing on meeting the bare requirements to meet an audit does not necessarily achieve that goal.

    Mandatory breach disclosure laws will help close that gap and ensure that if our personal data is accessed by unauthorised persons then at least we have the information to take whatever steps we deem necessary to protect ourselves and our families. It can also help other companies as they can learn from the mistakes of those companies that suffer a breach and ensure that they address whatever flaws or weaknesses that caused the breach in the affected companies.

    Remember to look at this earlier post http://www.digitalrights.ie/2008/08/11/even-more-lessons-from-laptop-loss/ to get details on how you can add your voice to the call for the introduction of mandatory breach disclosure laws.

  • 4. Recent Faves Tagged With …  |  March 12th, 2009 at 10:20 pm

    [...] public links >> disclosure Irish Times calls for data breach disclosure law First saved by klaufer | 10 days ago Irish Times Adds Her Voice to Calls for Data Breach [...]
