It has been an interesting week to say the least with regards to information security breaches in Ireland. First we heard of the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year. So far over 45 devices have been lost. Damien Mulley has a breakdown as to what was lost. Then on Friday the HSE reports that it lost another laptop which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all the Irish Times reports that the Minister for Justice Dermot Ahern is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws I welcome these moves. However, as Digital Rights Ireland points out the proposed laws appear to have a number of shortcomings such as being restricted to only portable devices. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. Also it appears the minister wants to concentrate on major breaches. It will be interesting to see what a major breach is defined as. Will that be dependent on the type of data exposed or the number of records?
I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure:
While our Data Protection laws require that companies ensure they provide “adequate security” to protect the personal details of staff and customers, there is no obligation on organisations to notify individuals if those “adequate security” measures fail. Without this type of notification individuals may not be aware their personal details have been exposed to criminals until they themselves notice unusual transactions on their credit cards, bank accounts or indeed find their credit rating has been ruined as a result of defaulted loans falsely taken out in their names.
Organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals. In this age of cyber crime and sophisticated online criminal gangs we can no longer hope that the data do not fall into the wrong hands. Individuals need to know when the trust they placed in an organisation to keep their data safe has been breached in order for them to take measures to protect themselves.
In July 2003 the California Bill SB 1386 came into effect, requiring companies and organisations to notify any Californian resident whose personal data has been, or is reasonably believed to have been, acquired by an unauthorised person. Companies are not obliged to notify people affected by the security breach if the data were encrypted, which was not the case in the examples at the beginning of this post, or if such notification would jeopardise an ongoing criminal investigation. Since 2003 over 35 other US States have implemented their own versions of the law.
It is interesting to note that in January 2007 the TJX Corporation, the parent company of TK MAXX stores here in Ireland, announced they had discovered a security breach that exposed over 40 million credit card details belonging to its customers. TJX subsequently admitted that the breach also impacted Irish customers. However, because there is no obligation on TJX to notify the affected Irish individuals, the affected TK MAXX customers in Ireland do not know if their details have been exposed.
Not only have the data breach disclosure laws in the United States helped individuals better protect their personal and financial data, they have also been of benefit to companies. When details are disclosed by the affected company as to how the breach occurred, in the case of TJX it was insecure wireless networks, other companies can learn from the incident and ensure their own systems and data are secure. This is no different to hearing that your neighbour’s house has been burgled: you will take steps to secure your own home. I wonder how many CEOs in Ireland have recently asked their IT departments to implement encryption on laptops ASAP?
As mentioned earlier the Department of Justice is considering introducing some form of mandatory breach disclosure laws here in Ireland. It should be noted that the European Commission is also proposing amendments to the Privacy and Electronic Communications Directive, which will oblige telecommunications companies to notify individuals should their personal data be exposed as a result of a security breach. However, this proposal only applies to telecommunications companies and will most likely not come into being until 2011. My fear is that in that time it is likely that the proposal will be further watered down by industry lobbyists.
Ireland should not wait for the proposed amendment to the Privacy and Electronic Communications Directive to come into force. We cannot wait until 2011; now is the time to introduce mandatory data breach disclosure laws here in Ireland so that individuals whose data is exposed as the result of a security breach are notified. Nor should we introduce laws that restrict notifications to only portable devices.
Whatever legislation is introduced it should complement the existing Data Protection Act and ensure businesses that do take proper security precautions are not overly burdened by this legislation. For example, as with the California SB 1386 law, companies that encrypt the personal data could be exempt from the notification requirements.
Some will argue that data breach notification will place yet another burden on businesses already tied up with bureaucracy and red tape. I think those supporting the argument miss the point that companies taking the required steps to protect their clients’ data should not be overly impacted as they will be exempt from the notification requirements. It will be companies that do not take the correct measures that would be most impacted and deservedly so.
Ireland has taken bold steps in the past to lead the way with introducing legislation to benefit its citizens, the smoking ban and the plastic bag tax being two that come to mind. She should once more take the lead amongst our European neighbours and introduce legislation that better protects her citizens and provides an effective information security governance framework for businesses to follow.