Philip Virgo writes:
I have just had interesting feedback from a number of CISOs on my posting on the EU Data Protection Directive. Some are still stuck in the past, adding yet more electronic nappies to cope with severe cases of data diarrhoea. Others are seeking to make the transition to a future where attack is the best form of defence: not only do you get damages from those who aided and abetted the attack (perhaps even from those who contracted it and trousered the cash) but next time the predators will attack someone else, thus giving you competitive advantage.
A core question is whether it is the data breach that should attract any regulatory penalty (if and when you identify the breach to notify) or the failure to take action to help prevent data on your customers being used for fraud as soon as you discover that it is happening, even if you have not identified how the criminals obtained it. Should that liability also apply to government departments and agencies, including regulators who demand that data be retained even though there is no business reason?
Read more on When IT Meets Politics on ComputerWeekly.
Update: broken link replaced on 8-18-2015.