Should companies own up to losing your data?
The arguments for - and against
Published: 13 February 2009 11:00 GMT by Nick Heath
Since the government's loss of 25 million child-benefit recipients' details in 2007, the UK has held its hands up to millions more sets of personal data going astray.
And with the government, high street retailers and banks leaking personal data, there has been speculation that stronger legislation could be around the corner.
Yet despite a strengthening of the powers of the UK privacy watchdog - the Information Commissioner's Office (ICO) - new laws forcing companies to confess when they have lost the sensitive data of their customers look to be as far away as ever.
Support for US-style laws demanding companies and government departments confess data breaches to customers - in force in more than 40 states - is ebbing away in the UK.
Last December the UK government issued a statement that it "is not intending to implement similar legislation to that in operation in the US" - citing a report that found the approach "contributed little towards security" - and information commissioner Richard Thomas recently warned that notifying customers about every bit of lost data could lead to data breach fatigue.
A spokesman for the Information Commissioner's Office said: "We do not see the need for a data breach notification law.
"Some breaches are more significant than others and it does not make sense to treat all of them the same; if you notify people all the time then they can become blasé and stop paying attention to notices altogether."
Jonathan Armstrong, data security expert and technology lawyer at Eversheds, said that notification laws were falling out of favour worldwide, adding that some US states, such as Massachusetts, were now placing more emphasis on enforcing good data security procedures.
"The problem with the US notification legislation is that it is just about cure and not prevention.
"A lot of this reactive legislation just adds to the burden of people who are broadly honest, has little effect on the people who disobey the law and can unduly worry the public."
It is already mandatory for public bodies to notify the ICO about any significant losses of data but there is no requirement for private companies to do so. The only incentive for companies to come clean on data losses could be the threat of facing tougher enforcement action if the ICO later finds out a company hid a serious data breach.
Banks and financial institutions face slightly stricter rules and can be fined for failing to notify the regulator, the Financial Services Authority, about any breaches affecting a significant number of people or involving sensitive data such as account details.
But the Earl of Erroll, Merlin Hay, member of the Parliamentary Information Technology Committee, said a breach notification law is needed for the UK to appreciate the number of losses taking place.
He added that organisations should not have to come clean about every single breach, saying the ICO should decide when an organisation needs to inform the public.
"A breach notification law would help get a feel for the scale of the problem and what resources need to be put into tackling it," he said. "But I do not think it is a means to an end in itself; it needs to be packaged alongside incentives for companies to do the right thing, such as encrypting sensitive data."
From this year the information commissioner is also expected to get about £18m funding each year, gain powers to fine companies that recklessly lose data and get the ability to conduct unannounced audits of central government and public authorities to check they comply with the Data Protection Act - as part of a package of measures in the Criminal Justice and Immigration Act 2008 and the Coroners and Justice Bill.
But Eversheds' Armstrong said the risk of stiffer penalties if businesses do own up to serious data breaches was making some companies increasingly wary about notifying the ICO about losses.
Europe appears to be the most likely source of any future UK data breach law - specifically proposed amendments to the ePrivacy Directive that will see all telcos and ISPs forced to tell customers and authorities if they lose data.
European data commissioner Peter Hustinx is in favour of extending the law to force all companies to come clean over data loss but is pessimistic about whether there is sufficient will in Europe to make this happen.
Writing for silicon.com's sister site ZDNet.co.uk he said: "Common sense and the overall benefit to European citizens clearly call for the widest possible application of laws requiring organisations that suffer a data breach to alert affected individuals.
"Unfortunately, if the council and commission approach prevails, European citizens will be disappointed to learn that the only organisations obliged to disclose breaches would be providers of publicly available electronic communications services."