The European Commission has published proposals for a change in law that would force telecoms firms to notify regulators and customers of all breaches of data security including, for example, lost laptops and stolen backup tapes.
A similar but more far-reaching law in California has resulted in a deluge of notifications of data breaches by companies such as Time Warner and Bank of America. It may not be long before Europe follows suit, with regulatory and business drivers impacting more and more companies.
As the proposal stands, it forces companies to disclose when information or personal identities are at risk, allowing individuals to be informed and to take action. Unfortunately, this permits businesses to continue to put the onus on the individual to rectify problems caused by the businesses themselves, the owners of the exposed data source.
For far too long, large companies have been able to shrug their shoulders and say sorry, leaving the little guy, through no fault of his own, to reclaim his identity or credit rating, a process that can take years and be very painful. There has to be some element of accountability for exposure of data. We need to encourage an ethos of ethical corporate responsibility.
Identity theft is not just a problem on the Internet; it can happen in much less visible ways. Thefts and losses of backup tapes mean that large volumes of personal information, such as mother’s maiden name, date of birth or national insurance number, are exposed to potential misuse at any time in the future.
Companies need to do more to protect themselves and their customers against losses of personal data, and so avoid the damage to corporate reputation that comes from being exposed under this proposed legislation. According to Rich Mogull, Research Vice President for Gartner, key ways for companies to safeguard personal data are:
1. deploy content monitoring and filtering (CMF)
2. encrypt backup tapes and (possibly) mass storage
3. secure workstations, restrict home computers and lock portable storage
4. encrypt laptops
5. deploy database activity monitoring