Expect Government to be interested in your IT security.

Out-Law Analysis | 01 Feb 2008 | 10:25 am | 2 min. read

OPINION: Disaster has struck and all big organisations should be preparing to pay the price. In the aftermath of the HM Revenue & Customs (HMRC) loss -of personal information and a subsequent flood of data security breaches, large organisations should be ready to prove that they can take care of personal information.

Data Protection Day 2008
This is one of a series of articles appearing on OUT-LAW this week to celebrate Data Protection Day 2008.

Anyone who thought that the HMRC disaster was a one-off could not hold that view for long as a Ministry of Defence laptop, a Marks & Spencer employee database and others have created an ever-growing list of organisations suffering a loss of important or confidential data.

The effect of this accumulation of security errors has created a growing public worry that demands a political response, and the expectation will be that the Government will now seek to involve itself more closely than ever in the business of keeping our data safe. All organisations may soon have to prove that they have maintained the appropriate standards when they use computers.

In one sense this is an extension of a trend in other fields of IT governance where the Government has stepped up regulation.

The millennium bug demonstrated that a functioning modern economy was totally dependent on its computer systems, while the collapse of multinational corporations such as Enron demonstrated that some organisations could hide their financial problems by using reporting systems that were not fit for purpose.

The political response to these problems was to enact legislation that gave powers to ministers or regulators to impose standards with respect to interoperability, governance and resilience. In this way, Government interference in an organisation's processing procedures has been firmly established as a fact of life.

So it has been with data security as every week seems to bring new revelations about poor security practice. The public now knows that the HMRC event is not a one-off and that far too many organisations have a relaxed attitude to basic security management. This conclusion has jolted the political system into a regulatory response, and as the data items of concern are details such as names, addresses and bank account details, the main regulatory vehicle of change will be the Data Protection Act.

Already the Government has conceded that it intends to provide increased power to the Information Commissioner to carry out inspections and audits, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance.

On the horizon is a keen debate on further legislation that could give the Commissioner the ability to name and shame transgressors, to order compliance with best security practice, to punish a breach of security obligations, and a requirement that organisations tell individuals that their personal details have been lost. In this regard, the security standard ISO 27001/27002 will emerge as the benchmark which will be used by regulators to judge these matters.

The onus will be on organisations to be proactive about their information policies. They would be wise to adopt a rigorous approach to IT security and governance that provides evidence that they have met their regulatory obligations.

By Dr Chris Pounder

Global Term