Should data loss be made a criminal offence?

The IT industry is divided over whether new laws are needed to make the reckless loss of personal information by public and private sector organisations a criminal offence.

The proposals suggesting recklessly or repeatedly mishandling personal information should become a criminal offence were put forward in a report by the parliamentary justice select committee.

But the report is splitting opinion among senior figures in the IT industry, with disagreement over whether the government should resort to legislation in an attempt to prevent future incidents similar to the HM Revenue & Customs data breach.

Joseph Hoban, VP at data protection software company GuardianEdge, said: "With more public sector data breaches on the horizon, the government must act now to avoid a certain repeat of the HMRC debacle.

"American organisations understand that prevention is cheaper than cure - and implementing encryption technology is cheaper than the cost of a data breach. The UK government needs to follow suit and introduce financial penalties."

Chris Mayers, chief security architect, at Citrix told silicon.com: "The government needs to bring in tougher laws to make companies realise the responsible handling of our data isn't an option, it's a necessity.

"To give these laws teeth, more resources are also needed for investigations and for enforcing the existing legislation. Similar measures have proven successful in the US since they were introduced in California in 2003."

But Jamie Cowper, director of marketing EMEA at encryption security company PGP, had reservations about the report.

He said: "Making data loss a criminal offence is maybe a step too far. For a start, who's going to be liable here? How do you define the role of data controller? And what does this mean for much-heralded government database projects such as ID Cards and the NHS spine?

"Before we go for the nuclear option, perhaps we should first look at how current security regimes can be tightened up with, for instance, stricter enterprise data policies. We should also test the power of simply naming and shaming organisations."

Alan Bentley, regional VP of Lumension Security, also questioned how the law would work, saying: "There is a very fine line that needs to be balanced, which ensures that all our personal data is secured but does not hamper the efficiency of a business.

"For government and industry organisations to take control of their data they need to monitor all the information transferred to and from removable media. Capturing a full copy of the data and providing a comprehensive audit trail will ensure organisations can see where data has been moved to."

The justice select committee's report supports silicon.com's Full Disclosure campaign for legislation that would require organisations suffering security breaches to alert their customers if there is a chance the breach has put individual's sensitive personal data at risk.