Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Wednesday 21 May 2008, 5:45 PM
Should We Object to the Recent Tide of Data Legislation?
It was interesting to read in this morning’s Guardian objections to proposals for the Data Communications’ Bill (http://www.guardian.co.uk/technology/2008/may/21/freedomofinformation.civilliberties) to create a central database of recorded telephone calls, emails and web site visits made in Britain. This comes on the back of proposals late last month making it a criminal offence to carelessly lose or release personal data, an amendment to the criminal justice and immigration bill. There is also a lot of debate over whether legislators here should pick up on what has become known as the “California Law”—actually being enacted in several US states—requiring companies to disclose major breaches involving personal data to the people who have been affected. The fact that legislators are jumping into the fray on the sudden public and business concern over data security shouldn’t come as a surprise. It is natural for government to respond to what its constituents are thinking about. And for each proposal there will be pros and cons. Those of us working in information security can evaluate these as security professionals and as individual citizens.
As a citizen I would want to know if a company had been negligent with my data. I would probably want to see some sort of justice to make sure it doesn’t happen again. As a professional I can appreciate that disclosure can make the victim as well as the company more vulnerable and less secure in the end.
Clearly society needs the ability to properly investigate online criminal activity. A database could certainly make this easier. But who would have access, and what could be the unintended results? The legislators behind the Regulation of Investigatory Powers Act (RIPA) had not intended to help councils monitor whether parents actually lived in their child’s school catchment area, but this is exactly what Poole Borough Council did.
Legislators will continue to evolve our laws to account for the way in which we now live and work with information. The devil will be in the detail of how laws are written, interpreted and applied, and as experts in the field, information security professionals may well have to play an active role in managing this risk. Rather than objecting, it may be better to get involved in shaping the outcome.
John Colley, CISSP
Managing Director, EMEA, (ISC)2 Europe
