By Dan Ilett, 2 May 2006 12:35
NEWS
A number of high-profile data security breaches have shocked UK consumers - and yet there is no requirement for companies to warn customers if their personal data has been put at risk.
US financial companies are coming under increasing pressure to inform their customers about data breaches. For example a Californian law - the Security Breach Information Act (SBIA) - requires any company with a presence or customers in the state to notify customers if their personal data could have been compromised.
Plans for a similar law to cover the whole US - the Data Accountability and Trust Act - are being presented to the Federal Trade Commission for approval.
In contrast, UK consumers are being left in the dark about potential security breaches.
A spokeswoman from the Information Commissioner's Office (ICO) told silicon.com: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.
"Basically where our role comes into play is when complaints come into the ICO and are then investigated. Then notifications would be posted and they [companies] would have to comply with them."
And some experts argue that the law is already strong enough to give consumers what they need to know.
Clive Davies, a partner in the law firm Olswang, told silicon.com: "There is no obligation to tell everyone [about breaches] but people could find out about it. I haven't come across any lobbying activity [to change the law] because we already have adequate protection."
But tougher laws would make companies think again about security, argued Richard Starnes, president of the Information Systems Security Association.
He said: "There is nothing I am aware of in the UK that is equivalent to SBIA. Businesses looking to protect their customers' data would have to be a lot more proactive if they had to disclose breaches."
While businesses might not welcome such a law, consumers would, he said.
Starnes added: "Businesses would not be interested in this of course but consumers would. One of the reasons that consumers don't use the internet is because they are scared of ID theft. Companies don't want to tell their customers if there has been a breach because they think it damages their reputation. It's a Catch-22 situation."
Businesses fear damage to a their reputation much more than financial losses when it comes to security breaches, according to research by consulting house Deloitte.
And there is an acceptance that the financial services industry needs to do more to address the issue, said Mike Maddison, leader of security and privacy at Deloitte, in a statement
He said: "Tackling the problem needs involvement from regulators, customers and many parts of a financial institution."
Comments
There are 3 comments. Join the discussion
1. Amy
Surely no one is complacent enough to say that we have adequate protection from the current laws when Identity Theft is considered to be the UKs fastest growing crime.
Without allowing the public to make informed decisions about who they trust with their data, more data breaches will occur and the public will suffer.
2. jim doyle
O.K. then Clive Davies, tell us how to find out about a breach. Adequate protection for the customer should include the facility to easily identify compromised retailers.
3. Angus Doyle
Security Breaches should be audited and publicly available.
The only way to improve security is to make these findings publicly available.
If you want consumers to trust in ecommerce you can not smoke screen it.
The more you hide it the worse it will be when the truth does finally come out, and it will eventually.