2015 has seen a significant number of data hacks, with millions of people losing their data, and the media has latched on to each new instance with increasing ferocity. Companies that lose customer data are now pariahs and, given the complexities that this can create, are rightly criticized and lose business whenever they do.
However, the collection of data is bringing significant benefits to wider society, and the practice shouldn't stop simply because some companies don't have adequate security.
There has therefore been a debate raging about whether or not governments should pass laws to make data as safe as it possibly can be and to limit what companies can collect. So should they get involved? We look at both sides of the argument:
Many of the companies that lose their customers' data are rightly chastised by the media, and can sometimes be prosecuted and face compensation payments to the customers whose data has been lost. However, this is generally as far as it goes in terms of punishment. Little is actually done legally, despite the consequences that these data losses can often have.
Take the Ashley Madison data loss as a game changer in this regard. It was not simply a case of people losing their credit card details and needing to change their bank cards; it irreversibly changed people's lives. The fallout seems to have been that the company has lost some credit (as much credit as a company whose primary product is adultery can) and compensation money, but little else. Governments should have a mandate to prosecute companies to make sure their data is truly safe in situations similar to this.
Equally, the only time that companies' data security is put under any scrutiny is when they are caught out and have data stolen. Apart from internal data security audits and the occasional data security consultant testing it, there is by and large no kind of scrutiny or set of standards to which a company needs to adhere.
Governments around the world are the only organizations powerful enough to enforce this kind of regime for change in company security policy. As their primary role is to protect and act in the best interests of the population they represent, working towards a legal precedent for data security is a must at a time when a person's data is almost as important as the amount of money in their bank account.
Governments across the globe, especially in the Western world, have consistently shown a profound misunderstanding of data and how it is handled and used. Take the Edward Snowden leaks as a prime example: not only was a considerable amount of information released about underhand data usage, but more importantly a contractor had access to it and could spread it around. It does not smack of an understanding of the complexities of data security.
Equally, for governments to be able to set laws effectively they have two options: either create a comprehensive framework or a general rule. Neither of these would work regarding the technology surrounding the protection of data.
A comprehensive framework cannot be easily created for an industry that moves so fast, regardless of who is making it, meaning that simply starting the process could create an issue. After this, the framework needs to keep up with the demands of a fast-moving industry. What may have been the most secure system 2 months ago may have been picked apart by hackers by the time its requirement for companies has even been considered.
Going the other way and creating a general rule such as 'you must take every reasonable measure to keep your data secure' is even more pointless, as it creates a situation that companies can easily get out of. Interpretation of what is and what isn't reasonable is key, as one company's reasonable could be another's unaffordable. It doesn't set any kind of precedent; instead it would simply be a couple of court cases that any competent lawyer could win.
There is also the issue of how important it is for the industry to be able to expand and experiment without having shackles placed on it in what is still a very immature landscape. By putting these kinds of constraints on companies, governments are simply chaining their growth.
Most companies have managed to keep their data safe, and it is ultimately against their interests to have any of their data stolen, so it is reasonable to assume that they will keep their data as safe as they possibly can. Somebody in the security team at Facebook, Twitter or Google is going to know more about data protection than a man or woman who has simply been elected to a government position based on how they deliver a speech. It means that data protection is safer in their hands and we should be trusting them to do their jobs properly. After all, they are certainly being paid enough to do it.