December 8th, 2007
Data loss CEOs should go to jail
Richard Thomas, head of the Information Commissioner’s Office (ICO) in the UK, told Parliament that CEOs should be responsible for the protection of confidential data in their firm’s possession, and should face criminal charges in the event of data loss.
This recommendation comes in the wake of recent high-profile data breaches, in particular the loss of unencrypted information on 25 million UK citizens by UK Revenue & Customs (HMRC).
As described on their website, “the ICO is an independent public body and the Ministry of Justice is the ICO’s sponsoring department within Government.”
According to a presentation by Information Commissioner Richard Thomas to the House of Commons’ Justice Committee, chief executives would have to certify that companies had safeguards in place to protect personal data.
Failure to take care of people’s personal information could be a punishable by law in future as Thomas argued that “knowingly or recklessly” putting someone at risk due to inadequate data protection should be made a criminal offence.
Data breaches in which personal information is lost have become commonplace, as shown by the news listed in the Forum of Incident Response and Security Teams.
Although government oversight would make those responsible for losses accountable, such measures are not a panacea. For example, stricter penalties may push data centers offshore, to countries with weaker laws. While no perfect solution exists, stricter regulations will send a clear signal to government and private sector employees: if you lose someone else’s information due to negligence, you will pay the price.
Michael Krigsman is CEO of Asuret, Inc., a software and consulting company dedicated to reducing software implementation failures. Click here to discuss this post with him on Twitter. See his full profile and disclosure of his industry affiliations.
Subscribe to IT Project Failures via Email alerts or RSS.
