Miss and tell

30 May 2008

As more data security breaches come to light, calls are growing for new laws making it compulsory for companies to declare when they lose confidential information. But will legislation really solve the problem?

Should Irish organisations be compelled to make a public announcement when they have suffered a data security breach? The question has been given fresh impetus by recent events, principally the theft of four laptops at Bank of Ireland, with details of about 31,500 customer accounts on the affected machines.

The Data Protection Commissioner (DPC) began an investigation after it emerged that a breakdown in procedure led to serious delays in notifying senior management at the bank. The laptops were stolen on separate occasions last summer but the thefts only came to light last month.

The Irish Blood Transfusion Service (IBTS) was more forthcoming earlier this year over the loss of a laptop in New York. The machine contained a CD with details on over 171,000 Irish blood donors but the data was, fortunately, encrypted.

Even so, the IBTS set up an information helpline and committed to notifying each of the donors in person. In a similar vein, the recruitment website Jobs.ie took immediate steps to notify customers after a reportedly small number of CVs on its database had been accessed following a website hack. The nature of the breach, added to the personal information contained in the CVs, prompted fears that the victims could suffer identity theft.

Incidents like these are said to be a fraction of the real number of breaches that occur. Last year’s Irish cybercrime survey found that 46pc of organisations suffered some form of information leak, but in the absence of widespread reporting it’s difficult to know the scale of the problem. To address this, many industry commentators have called for legislation obliging organisations to come clean whenever customer data goes astray.

The IT security consultant Brian Honan, a longtime advocate of data breach laws, points out that the DPC’s Annual Report showed just 11 organisations notified the DPC of a security breach during 2007. “That is less than one breach a month, which in my opinion is well below the number of actual breaches that are occurring and once again reinforces the need for mandatory breach disclosure laws in Ireland,” Honan writes in his blog.

The DPC, Billy Hawkes, is also on record as favouring legislation. Speaking at the launch of his office’s annual report this month, he said: “What we’d like to see is a requirement that, first of all, above a minimum threshold there should be an obligation to report to us, as the data protection authority, so that we can work with the organisation and advise them on how to deal with the breach; and a separate obligation on the organisation to inform customers whenever they would be likely to be seriously impacted by such a data leak.”

The most commonly cited precedent is California’s data disclosure law, which compels any public or private agency holding financial records of a state resident to inform them directly in the event of a breach. This was enacted in 2003 and similar versions of the law have since been introduced in 40 US states. The original California law’s remit has since been widened to cover medical and insurance records.

Hawkes said there are signs that mandatory breach disclosure rules could be introduced at EU level. “In the meantime, I think we need to be looking at it domestically to see whether we should anticipate legislation,” he said. Not everyone agrees. Owen O’Connor, vice-president of the Information Systems Security Association, says the case for introducing data breach laws has not been proven.

“In many cases, there is no more justification than ‘we should have more data’. I couldn’t disagree that we need more data on breaches but government-mandated breach disclosure is a very large hammer to crack that nut. I’m as curious as anybody in this area but that’s not a reason to add a burden to Irish businesses.” An alternative would be to have the Central Statistics Office gather data anonymously, so the scale of the problem can be assessed, O’Connor suggests.

He is also concerned that the precedent is not as clear-cut as it seems. “We would be the first European country to do this. The US is still at the stage of working out the details; there’s no national legislation, just 40 different state versions,” he points out.

Hawkes acknowledged any law would have to be carefully drafted. “We would need to get the balance right on that. We don’t want to impose an unnecessary burden on organisations and we have heard reports from the US that some of the laws as they were drafted there resulted in people being bombarded with minor instances of data leaks, which had no impact on them. We want to get it right in terms of the regulatory burden, but I think the time is being reached where we have to look at this.”

O’Connor argues that if Irish consumers were notified about a breach, their options are limited for preventing possible identity theft. “It’s not clear what someone in Ireland could do to protect themselves. For example, in the US you might request a credit freeze with the major credit bureaus, which would help block new credit applications, and you might also start to watch your credit report online or sign up with a credit monitoring service to do it for you. Over here, credit reports are not available online.”

Regulatory compliance carries a substantial administrative overhead for businesses and O’Connor warns that the current economic climate makes this a bad time to suggest such a move. “This affects Ireland’s competitiveness. Would companies move away from here because they might some day have a breach?”

Paul C Dwyer, chief executive of information security consultancy TeamInfoSec, points out that Section 45 of the Irish Companies Act was put on hold for this very reason: it would have imposed onerous controls similar to the US Sarbanes-Oxley Act on companies trading here. He said there is no need to introduce new laws when the Data Protection Acts have sufficient weight.

“Personally, I think the way the law is policed should be improved, rather than adding new legislation,” he said. According to Dwyer, many Irish public and private sector organisations don’t understand their obligations under data protection law. He said public and private organisations holding personal information should adopt the international security framework ISO 27001, which would help them to become compliant with the law.

Dwyer calls for the DPC to use his powers to fine companies when a breach occurs. In the UK, the punishment is more severe: last year Nationwide Building Society was fined £980,000 sterling after a company laptop was stolen from an employee’s home. The legislation in Ireland allows for financial penalties of up to €100,000 but Dwyer claims offending companies receive little more than a slap on the wrist.

“The regulator is more concerned about someone getting a text message they didn’t subscribe to, than organisations leaving personal details on a laptop in a restaurant,” Dwyer says.

As Digital Ireland went to press, the DPC should have been close to completing a report into the Bank of Ireland laptop thefts. The outcome of that investigation – and the extent of any possible punishment for the bank – is likely to influence the next stage of the disclosure debate.

By Gordon Smith