Wouldn't you want to know if your bank lost your data?
By silicon.com
Published: 3 April 2006 14:10 GMT
It goes without saying that most people, in business at least, only admit a mistake for one reason – because they realise they're going to get caught anyway.
Nowhere is this more clear than with the issue of disclosing data loss. In California all companies are required by law to inform their customers when data has been breached or lost.
Now the whole of the US is looking to introduce such a law and we can only hope the UK and the rest of Europe follow in step.
Why? Currently identity fraud is seeing something of a migration from the US to Europe, according to Bryan Sartin, VP investigative response at Cybertrust.
And part of this is to do with the culture of disclosure. Companies that aren't bound by law tend to gamble where data loss is concerned. They weigh up the chance of that lost data coming back to haunt them against the threat that disclosing poses to their reputation.
They will typically wait as long as possible, Sartin told silicon.com, and even then will only disclose if they have good reason to believe data is indeed at risk. It goes without saying the warning signs may include evidence that some level of identity fraud has already occurred.
Inaction at such a critical time is seen as a positive step, at least as far as shareholders' best interests and the company's reputation are concerned. However, it can also provide the final factor fraudsters need to act effectively - time.
And in the US that time is now diminishing. Even those companies not required to disclose by law are starting to do so, because disclosure has unsurprisingly raised the awareness of how common a problem data breaches are. And companies therefore see some dilution of the reputational impact while doubtless resolving to tighten up next time.
In an ideal world data breaches wouldn't occur but we realistically have to plan for the fact they do. And most importantly, as consumers we have a right to know how safe our data is.
Just because you don't know that your bank has suffered serious data breaches, it doesn't mean they haven't happened. And the room for manoeuvre afforded by no requirement to disclose losses hardly encourages a thorough review of data management.
A lack of disclosure therefore breeds insecurity. It creates the window of opportunity for the fraudsters and it muddies the waters for consumers hoping to make informed choices.
We must demand to know the facts.
Copyright © 2008 CBS Interactive Limited. All rights reserved.