It was difficult to avoid the issue of IT security last month. Two of the industry's biggest events, the RSA security show in San Francisco and Infosecurity Europe 2008 in London, took place in April, giving vendors, IT professionals and other interested parties ample opportunity to be wowed by the latest security products, to be advised on best practice by industry experts and to debate the hottest topics.
No surprise that data breaches dominated many of the sessions at the two events. Across the pond, experts mused on the possibility of rolling out federal data breach notification legislation across the US, to replace the current piecemeal, state-by-state arrangement. Meanwhile in London, the UK's Information Commissioner once again called for stronger powers to crack down on those neglecting their data protection responsibilities.
The latest Information Security Breaches Survey, a biennial government-sponsored study carried out by consultancy firm PricewaterhouseCoopers, was also launched at Infosec. Drilling down into the security habits and concerns of just over 1,000 UK organisations of all sizes, the research gives a pretty comprehensive overview of the current IT security landscape. Generally the picture is fairly positive: the overall number of attacks is decreasing year by year, and firms appear to be taking many aspects of IT security much more seriously.
However, one statistic that struck me related to protecting against data breaches. According to the study, fewer than three-quarters of respondents have documented procedures in place to ensure compliance with the Data Protection Act (DPA). Granted, this is up from fewer than two-thirds in the 2006 study, and the proportion rises to nine out of 10 for large businesses. But it is still worrying that over a quarter of companies, and 10 per cent of large enterprises, admit to failing to properly manage and audit their DPA compliance measures some 20 years after the legislation was first introduced.
Some people argue that the DPA negates the need for the UK to introduce US-style data breach notification laws. After all, under the DPA organisations are already required to take certain steps to restrict access to personal information, so, the argument goes, this should be sufficient to protect individuals against data losses, and there is therefore no need for new rules to deal with the aftermath of breaches. My concern with that theory is the limited powers possessed by the Information Commissioner's Office (ICO) to crack down on DPA breaches. Recent court cases involving the ICO provide clear evidence of these limitations.
The Information Commissioner has prosecuted various UK companies for failing to register with the ICO as a data controller, meaning an organisation that determines how personal data is processed. The ICO is keen to point out that notification carries a nominal fee of £35, while in recent cases the penalty for failing to notify has left the guilty party paying anything between £700 and £1,200 in costs and fines: a hefty markup, although still affordable even for the smallest firms.
The revelation that many companies are still failing to properly keep track of their DPA compliance emphasises that the current legislation provides no cast-iron guarantee that personal data is always protected from loss or exposure. It also gives further weight to the arguments for a rethink of UK data protection laws, whether that involves strengthening the ICO's enforcement powers or introducing US-style breach notification legislation.