More controversy regarding UK and US data protection legislation.
The U.S. Senate and the UK's Treasury Solicitor's Department are both currently reviewing their data protection policies. Government bodies on both sides of the Atlantic are becoming increasingly aware of the importance of data protection and, after a series of data protection blunders, are taking steps to reinforce policies that are now decades old.
The US government and state legislators are currently reviewing three bills concerning data protection: the Personal Data Privacy and Security Act, the Data Security Act and the Student Data Accessibility, Transparency and Accountability Act. These bills are going to affect the handling of data on both a federal and state level. The first two bills have been introduced as a result of the recent Target and Neiman Marcus breaches.
Target, the no. 3 retailer in the U.S., had the personal data of 110 million customers breached by Eastern European hackers. Neiman Marcus, a luxury American retailer, experienced a breach in which the credit card details of over a million customers were stolen. Neiman Marcus was subsequently informed by MasterCard, Visa and Discover that about 2,400 of those cards had since been used fraudulently by the perpetrators.
The malware used in both instances, known as RAM-scraping malware, was built to capture card data during the brief window in which it sits decrypted in the memory of the cash register. The breaches led to renewed calls for enhanced consumer protection and for the adoption of EMV technology in the US.
EMV technology equips cards with a small chip; the chip generates a unique code for every transaction the card is involved in, and would have prevented the two retailer breaches earlier this year. Statutory action is the route the US government has decided to take in response.
To learn more about other approaches the U.S. has taken against cyber crime, check out our post: U.S. Cyber Security Summit to Tackle Cyber Crime
Legislation for Data Protection
Senator Patrick Leahy (D-VT) was responsible for introducing the Personal Data Privacy and Security Act in January and cited the above breaches when doing so.
The act aims to modernise the outdated Computer Fraud and Abuse Act (1986). Updating the act would allow the US Justice Department to prosecute attempted computer hacking. The bill would also increase penalties for data breaches, require companies to introduce internal data protection policies, and create a national standard for alerting consumers when a data breach occurs.
Less than two weeks after Leahy introduced his bill, which he first introduced back in 2005, the Data Security Act was proposed by senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.). This bill is set to update the Gramm-Leach-Bliley Act (1999) and would require financial institutions, retailers, governments and a whole host of other organisations to improve their current data security policies. It does this by requiring a thorough investigation of every data breach and faster notification of consumers about possible threats.
Senator Carper observed when introducing the bill that this type of crime was becoming more frequent in the U.S. Ultimately the bill aims to set a national standard for data protection and replace the current 46 state laws. The two competing bills have been sent for review to different committees.
The road to enactment is likely to be long and arduous for both proposals. The state-sponsored Student Data Accessibility, Transparency and Accountability Act focuses on the protection of data in the education sector.
Under this act, each State Department of Education would be required to implement a data protection plan and to appoint a Chief Privacy Officer. The act looks to create a consensus between state and federal legislation and to encourage more open discourse between legislators and educationalists. It aptly demonstrates that information protection is a concern for all sectors and institutions.
Treasury Solicitor's Department Reviews Data Policy
On this side of the Atlantic, government bodies, too, are re-evaluating their data protection policies.
The Treasury Solicitor's Department (TSD) has decided to review its data protection policy following an investigation into its practices by the Information Commissioner's Office (ICO). The TSD is a non-ministerial body that provides legal services to other government departments and publicly funded institutions, which is why it surprised the ICO to learn that four data breaches had occurred in this department between August 2011 and November 2012.
Three of these incidents involved case documents containing unredacted confidential information being sent to a claimant's solicitor, and then on to the claimant, during the course of litigation. In the fourth incident, case documents relating to an unfair dismissal claim were sent to a complainant; however, these documents contained confidential information about an entirely separate case. The TSD has accepted calls to review its redaction process after this embarrassing legal blunder.
The ICO has obtained an undertaking from the TSD that focuses mainly on the Seventh Data Protection Principle of the Data Protection Act. The undertaking directs the TSD to give employees a coherent policy to follow when disclosing information, and to provide training for all its employees on the proper disclosure and security of data.
As data breaches become a more common occurrence, governing bodies on both sides of the Atlantic are feeling a new weight of responsibility when it comes to the disclosure of information.
These bodies are taking preventative legal measures and are clearly learning from their mistakes. Hopefully these measures will also serve to remind the public of the importance of protecting confidential information.