The Case for Mandatory Data Breach Disclosure Laws


Published on

My presentation at the NITeS seminar last year on why Ireland should introduce mandatory data breach disclouse laws

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Case for Mandatory Data Breach Disclosure Laws

  1. 1. 1
  2. 2. Recent news headlines have brought to our attention how vulnerable our personal data is when it is in the hands of organisations to who we entrust that data to. This summer alone saw reports of the loss last year of a laptop by the Comptroller Auditor Generals office containing the personal details of over 380,000 iti 380 000 citizens, d i A during August an online retailers security was b t li t il it breached and th h d d the hackers accessed the credit card details of the retailer’s customers and in April Bank of Ireland announced they had lost a number of laptops in 2007 which contained the personal data of over 30,000 customers. 2
  3. 3. These incidents are worrying enough in their own right, what is of grave concern is the lack of notice those impacted by these security incidents received. Each of these issues also only came to light a number of months after the original incidents occurred leaving the sensitive personal and financial details of individuals t i k f being b i di id l at risk of b i abused b criminals. d by i i l 3
  4. 4. The data lost in most of these cases could provide criminals with enough information to attempt a number of crimes ranging from credit card fraud to full blown identity theft. One of the fastest growing crimes 4
  5. 5. While our Data Protection laws require that companies ensure they provide “adequate security” to protect the personal details of staff and customers, there is no obligation on organisations to notify individuals if those “adequate security” measures fail. Without this type of notification individuals may not be aware their personal d t il h l details have b been exposed t criminals until th th d to i i l til they themselves notice l ti unusual transactions on their credit cards, bank accounts or indeed find their credit rating has been ruined as a result of defaulted loans falsely taken out in their names 5
  6. 6. 6
  7. 7. Data Protection Act Requires “adequate Security” 7
  8. 8. Organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals. In this age of cyber crime and sophisticated online criminal gangs we can no longer hope that the data do not fall into the wrong hands. Individuals need to know the trust they l th placed i an organisation t k d in i ti to keep th i d t safe h b their data f has been b breached i order h d in d for them to take measures to protect themselves 8
  9. 9. In July 2003 the California Bill SB 1386 came into effect requiring companies or organisations to notify any Californian resident if their data has been exposed. Companies are not obliged to notify people affected by the security breach should that data be encrypted, which was not the case in the examples at the beginning f this i b i i of thi piece, or if such notification would j h tifi ti ld jeopardise an ongoing di i criminal investigation. Since 2003 over 35 other US States have implemented their own versions of the law. 9
  10. 10. It is interesting to note that in January 2007 the TJX Corporation, the parent company of TK MAXX stores here in Ireland, announced they had discovered a security breach that exposed over 40 million credit card details belonging to its customers. TJX admitted that the breach could also have impacted Irish customers. However, because th t H b there i no obligation on TJX t notify th affected is bli ti to tif the ff t d Irish individuals, TK MAXX customers in Ireland do not know if their details have been exposed. 1400/sb_1386_bill_20020926_chaptered.html 10
  11. 11. Not only have the data breach disclosure laws in the United Stated helped individuals better protect their personal and financial data but it has also been of benefit to companies. When details are disclosed by the affected company as to how the breach occurred, in the case of TJX it was insecure wireless networks, other companies can l th i learn f from th i id t and ensure their systems and d t the incident d th i t d data are secure. This is no different to hearing your neighbour’s house has been burgled, you will take steps to secure your own home. 11
  12. 12. The European Commission is proposing amendments to the Privacy and Electronic Communications Directive, which will be obliged telecommunications companies to notify individuals should their personal data be exposed as a result of a security breach. However, this proposal only applies t t l l li to telecommunications companies and will most lik l not i ti i d ill t likely t come into being until 2011. In that time it is likely that the proposal will be further watered down by industry lobbyists. Ireland should not wait until this the proposed amendment to the Privacy and Electronic Communications Directive come into place. We cannot wait until 2011 and now is the time that we introduce mandatory data breach disclosure laws here in Ireland so that individuals whose data is exposed as the result of a security breach are notified. This legislation could complement the existing Data Protection Act and ensure businesses that do take proper precautions are not overly burdened by this legislation. For example, as with the California SB 1386 law, companies that encrypt the personal data could be exempt from the notification requirements. 1400/sb_1386_bill_20020926_chaptered.html 12
  13. 13. Some will argue that data breach notification this will place yet another burden on businesses already tied up with bureaucracy and red tape. I think those supporting the argument miss the point that companies taking the required steps to protect their clients’ data will not be overly impacted by this proposal. 13
  14. 14. 14
  15. 15. Ireland has taken bold steps in the past to lead the way with introducing legislation to benefit its citizens, the smoking ban and plastic bin tax, being two that come to mind. She should once more take the lead amongst our European neighbours and introduce legislation that better protects her citizens and provide an effective i f ff ti information security governance framework for businesses to follow. ti it f kf b i t f ll 15
  16. 16. 16