MPs call to criminalise data loss

MPs on the Justice Select Committee have called for new laws to protect the integrity of personal data.

The move was prompted by critical government data losses over the past few months, such as the loss of computer disks at HM Revenue & Customs.

The committee called for a breach law that would make it a legal obligation for companies to notify customers if their data has been accessed and to create a system of fines for repeat offenders.

"The scale of the data loss by government bodies and contractors is truly shocking, but the evidence we have had points to further hidden problems," said committee chairman Alan Beith.

"It is frankly incredible, for example, that the measures put in place at HM Revenue & Customs were not already standard procedure."

The Committee also called for the Information Commissioner to have powers to make spot checks on government departments to ensure that correct practice is being followed.

"These latest proposals to punish reckless data leakage with large fines and/or prison sentences will go some way in encouraging organisations from the top down to be compliant or at least be able to prove they took the necessary steps to protect their data," said Alan Bentley, vice president of Lumension Security.

"The UK is not without laws surrounding this issue as we already have the Computer Misuse Act 1990 and the Data Protection Act. The question is how far this new law is taken.

"There is a very fine line that needs to be balanced which ensures that all our personal data is secure but does not hamper the efficiency of a business."

However, some are questioning the government's approach. "The government is moving closer to implementing US-style data breach notification laws, but making data loss a criminal offence may be a step too far," said Jamie Cowper, marketing director at PGP Europe.

"Before we go for the nuclear option, perhaps we should look at how current security regimes can be tightened up with stricter enterprise data policies, for instance.

"We should also test the power of simply naming and shaming organisations as a deterrent to lax attitudes to data protection, as it has certainly worked in the US."