A leading security consultant is calling on the Government to introduce legislation that would require organisations that have had data security breaches to publicly disclose them, writes John Collins.
It was as a direct result of similar laws in the US that TJX, owners of the TK Maxx chain of stores, was forced to reveal that 46 million credit-card numbers had been stolen from its systems by hackers between July 2005 and the beginning of this year.
Brian Honan, a director of BH Consulting, will make the call at an event next Wednesday to mark Global Security Week, an annual international awareness-raising event on security issues.
Honan points out that, while Irish firms are obliged under the Data Protection Act to have "appropriate security measures" in place for data relating to individuals, there is no onus on organisations to report if they have suffered a theft of data.
He says that he is aware of a number of instances where customer data has been stolen from Irish firms, but the victims have chosen not to go public or to inform their customers.
Details of Irish credit cards have also been offered for sale on online forums. Honan says the going rate for a usable credit card is between $0.50 and $5 (€3.66).
It recently emerged that a Ukrainian man arrested in a Turkish nightclub was carrying details of up to a million credit cards, including a number of those stolen from TJX's systems.
The payment card industry (PCI) data protection standard, jointly created by the major global credit-card companies, requires credit-card processors to inform them of any security breaches, but again there is no requirement to inform customers who have been affected.
The European Commission is proposing a directive on security breaches, but it would only apply to telecommunications companies and internet service providers. Honan also cautions that the directive could be significantly watered down by lobbyists before it is introduced.
He is now calling for the Government to follow the lead of the US and introduce far-reaching disclosure laws. "They should be as far reaching as possible, in the same way that the Data Protection Act applies to anyone holding personal data," he says.
"They shouldn't just cover payment information, but any personal details."
The IT industry has not generally favoured public disclosure laws, preferring to work with clients to minimise the effects of attacks by hackers quietly, away from the glare of publicity.
Honan will speak in Dublin next week at a seminar entitled Privacy in the 21st Century, which will also be addressed by assistant data protection commissioner Tony Delaney and Microsoft's chief privacy adviser for Europe, Caspar Bowden.