
Saturday, 2 October 2010

ACS:Law - the case for a UK breach notification law

This is not part two of my series, but the full unabridged version of a piece I was privileged to be asked to write for Comment is Free.

It's probably the largest and most significant personal data leak in UK history, yet it took mainstream media nearly 3 days to report on it and details are still emerging.

Late on Friday evening an archive containing thousands of emails from solicitors ACS:Law appeared on the internet.

Alerted by Twitter I watched the horrific significance of the leak unfold as an army of bloggers and forum users dissected the email archive, highlighting the highly-sensitive nature of the data within.

A handful of credit card details and passwords for some of ACS:Law's own accounts were interesting, but the shock discovery was documents containing names and addresses of ISP account holders alongside titles of pornographic films alleged to have been downloaded - the explicit titles of many belying sexual preferences.

With details still emerging a week later, I fear it may be some time before we understand the full human cost of the leak.

Alexander Hanff of campaign group Privacy International spoke to me earlier this week:

"This data loss is significant because of the human angle. Besides being the first time I can remember where leaked personal data from the UK has been made so readily available on the internet, we must also consider the nature of the data leaked."

"Credit card details are one thing - and there are procedures for limiting financial loss - but some of the strongest human emotions are driven by sexuality and attitudes to porn."

"Marriages can be wrecked through – sometimes wrongful – suggestions that a partner may have viewed pornography. Beyond the potential for criminals to blackmail workers in sensitive posts is also the human anxiety over being accepted for their sexual orientation in what is still a very judgemental society."
Talking about the significance of this leak and its potential for becoming a watershed event, a friend was sceptical:

"If the scandal of 25 million records leaking from HMRC failed to change people's attitudes to private information and data protection, I doubt this will."
Yet whilst other leaks potentially affected far more - on paper at least - few (if any) resulted in widespread publication. Andrew Sharpe, a solicitor highly experienced in data protection issues at law firm Charles Russell, told me:

"Whilst we've advised clients in the past on dealing with the aftermath of a data loss, I can't recall any loss which has actually resulted in personally identifiable information being published online or used in any way. Most loss events I'm aware of are in relation to improper disposal, disappearance or theft of laptops or similar, and the data never actually surfaces."
Beyond the nuts and bolts of data protection for firms handling sensitive data are important moral and political questions about the role of private firms in electronic surveillance and the suitability of data protection legislation.

The opportunity for firms to act as a private police force regulating net content is likely to increase, not decrease, when the Digital Economy Act comes into force, yet I don't believe the current data protection laws or penalties are sufficient to act as a deterrent for businesses dealing with sensitive personal information.

The mob actions of cyber-vigilantes in the aftermath of this latest leak, making the sensitive lists readily available and searchable on shady websites hosted overseas, must be condemned as strongly as ACS:Law should be for its data protection lapse.

Yet there is an interesting moral conundrum: without the questionable actions of some, these lax data protection practices may never have come to light, leaving the data vulnerable. A worst-case scenario would be criminals quietly capturing the data for a blackmail campaign. At least the publicity surrounding this leak may deter many from paying.

This year the Information Commissioner's Office (ICO) was granted powers to levy fines of up to £500,000 for serious breaches of data protection "principles". Yet this is a fraction of the entertainment budget for many larger corporations, and it contrasts with the Financial Services Authority, which this summer levied a £2.27m fine on insurance firm Zurich for its failure to adequately protect customer data.

Consideration should be given to increasing further the ICO's powers to fine companies, or even to introducing criminal penalties. But in light of this leak we must also consider introducing a data breach notification law to protect individuals whose personal details could have fallen into the hands of criminal gangs.

California was the first US state to get such a law, forcing companies who lose personal data to notify everyone potentially affected. LA-based lawyer Tanya Forsheit of the Info Law Group told me that the law, passed in 2002, has forced companies to pay much more attention to data protection issues.

"There's no question - it's totally changed how organisations feel about security."

"Breach notification shines a light on the problem and it forces organisations to take steps to try and avoid those situations."

45 other US states have followed California's lead by enacting their own breach notification laws.