Shostack + Friends Blog Archive


Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn:

In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles.

“These will take account of the need not only to provide high levels of data security but also to ensure that sensible data sharing practices can be conducted with legal certainty. We will consult early in the New Year on how this can best be done.”

The Times reports that ministers have accepted that the penalties for “gross failures” to protect citizens’ details should include criminal penalties. These could be as harsh as a two year prison sentence for the most serious offenses.

I can’t think of a better way to bury errors than to send people to jail for making them. Breach notices are how the rest of us learn what goes wrong, and the threat of prison gives every organisation a reason to keep quiet. There are likely some breaches which are due to gross negligence, for example ignoring the clear advice of security experts that a scheme would never work. But if asking for advice and then failing to follow it becomes evidence for a criminal charge, do we want to discourage firms from seeking advice from security experts at all? Given how the UK’s Crown Prosecution Service wrote its hacking tool guidance, I shudder to think what it might come up with for breaches.

The costs are too great and the likely benefits too small, and for the genuinely negligent cases I suspect that the current rules of negligence would already apply.

Photo: Old historic Mulvane Jail, by swopedesig