Dan Jones's Blog
Data Loss Prosecutions Call

By Dan Jones in Reader

Posted in Data Loss, Compliance, Security on August 26, 2008 at 2:39 pm

I totally agree with the Conservative policy mooted in this Register article.

Being a member of an IT security team, you realise that user education and actions are what invariably lead to data loss… and a problem with users is their apathy and reluctance to change.

If you tell a user to do data transfer in this “secure” manner, you’re safe; if you use your old process, you risk going to jail. I think this one change would focus their minds quite well.

Users in large companies sometimes do try and hide behind the “process” shield, instead of challenging a potentially risky insecure data request from a client/partner in many cases…

For example, I still see users internally who are unaware that email is by nature an insecure medium - of course unless a secure PGP or S/MIME link is set up in advance of the email being sent…

Thankfully we now have technology in place to spot and stop many such instances from occurring (in email at least), with the emails in question being redirected to compliance instead of the end recipient so they can be educated as to proper data transfer methods. Of course the technology isn’t perfect; user education is the main thing here, and legislation and personal responsibility for loss is a good thing.

So, hats off to the Conservatives - a step in the right direction.
