Redmonk

Why HIPAA and the UK Data Protection Act are bloody useless

If there is no enforcement, legislation provides no protection for consumers or citizens. The Health Insurance Portability and Accountability Act (HIPAA) just acts as a fig-leaf, a compliance tick-list item, but what is really needed is a culture of security, a culture of really caring for your customers’ information. (hat tip Anton)

In the UK the Data Protection Act is just as much of a lame duck. Codes of practice and enforcement notices achieve nothing.

More California-style notification legislation please. Bring on that sunlight! Bring on that disinfectant. Bring on some jail sentences for negligence.

I have talked to many people in the security field who claim their clients are deeply worried about reputational damage concerning breaches. They always seem shocked when I tell them it’s nonsense. The share price hits, where there are any, don’t last more than a few days… Reputational problems mean nothing when all the companies in a sector don’t get it.

If organisations were serious about data governance, new breaches wouldn’t bubble up every week.

Customers and citizens are being screwed. I am with Greg when it comes to the problem description, but I disagree about the solution. I actually think stronger legislation around notification is called for. The market is failing to come up with a solution and complaining isn’t getting us anywhere. We need lawyers and police involved. Sad but true. Maybe Elliot can step up once he gets this little case he’s working on finished.


4 Comments

  1. Posted June 9, 2006 at 1:41 pm

    James,
    Bit odd that Spain’s law is based on the same directive, and they fined the Spanish Big Brother TV company over a million euros for a data protection breach. They also fined other companies big fines..

    In the UK the average fine was 250 quid, with only 12 prosecutions…

    more of course at https://theotherthomasotter.wordpress.com/wp-admin/post.php?action=edit&post=73

  2. Posted June 13, 2006 at 10:28 am

    yes Spain is far more aggressive in driving compliance. Telefonica was fined nearly a million euros for cross selling to a customer it shouldn’t have. i believe the Czech Republic is quite strong too.

    i would like to see a european watchdog with real teeth, or at least national watchdogs that didn’t sit on their hands

  3. Posted January 16, 2008 at 10:19 am

    Agreed on all counts. The issue in Europe is the speed (well, lack of) in implementing legislation, which has to precede any level of enforcement. In Ireland, the data protection inspectorate has teeth but only uses them (currently) in the financial services sector. This is set to expand, but avoidance of a situation in which local law impedes or runs against Euro law is a major complication. I think it is fair to say however that it is on the way, but in the interim, consumer vigilance and commitment is required while we exist in a caveat emptor data protection environment.

    John
    John O’Neill is PRO with backupanytime
    http://www.backupanytime.com

  4. jgovernor
    Posted January 17, 2008 at 2:59 pm

    cheers John. yes the difference between framework and implementation is ridonkulous.
