UK consumers left in the dark on data breaches

Do we need stronger laws to force businesses to act?

Tags: data breach

By Dan Ilett

Published: 2 May 2006 12:35 BST

A number of high-profile data security breaches have shocked UK consumers - and yet there is no requirement for companies to warn customers if their personal data has been put at risk.

US financial companies are coming under increasing pressure to inform their customers about data breaches. For example, a Californian law - the Security Breach Information Act (SBIA) - requires any company with a presence or customers in the state to notify customers if their personal data could have been compromised.

Plans for a similar law to cover the whole US - the Data Accountability and Trust Act - are being presented to the Federal Trade Commission for approval.

In contrast, UK consumers are being left in the dark about potential security breaches.

A spokeswoman from the Information Commissioner's Office (ICO) told silicon.com: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.

"Basically where our role comes into play is when complaints come into the ICO and are then investigated. Then notifications would be posted and they [companies] would have to comply with them."

And some experts argue that the law is already strong enough to give consumers what they need to know.

Clive Davies, a partner in the law firm Olswang, told silicon.com: "There is no obligation to tell everyone [about breaches] but people could find out about it. I haven't come across any lobbying activity [to change the law] because we already have adequate protection."

But tougher laws would make companies think again about security, argued Richard Starnes, president of the Information Systems Security Association.

He said: "There is nothing I am aware of in the UK that is equivalent to SBIA. Businesses looking to protect their customers' data would have to be a lot more proactive if they had to disclose breaches."

While businesses might not welcome such a law, consumers would, he said.

Starnes added: "Businesses would not be interested in this of course but consumers would. One of the reasons that consumers don't use the internet is because they are scared of ID theft. Companies don't want to tell their customers if there has been a breach because they think it damages their reputation. It's a Catch-22 situation."

Businesses fear damage to their reputation much more than financial losses when it comes to security breaches, according to research by consulting house Deloitte.

And there is an acceptance that the financial services industry needs to do more to address the issue, said Mike Maddison, leader of security and privacy at Deloitte, in a statement.

He said: "Tackling the problem needs involvement from regulators, customers and many parts of a financial institution."
