Digital Defences


Leader: It's time for a data breach disclosure law

Full disclosure needed to rebuild data protection trust

By silicon.com staff

Published: 22 November 2007 14:31 GMT

If there's one lesson to come out of the catastrophic (government's own words) data breach at HM Revenue & Customs (HMRC) this week, it's surely that now is the time for a data breach disclosure law.

silicon.com's Full Disclosure campaign has been calling for such a law to follow the example set in the US.

The original California law - known as SB 1386 - obliges Californian state agencies or private sector businesses to disclose data security breaches to residents if their unencrypted personal information may have been compromised. The law has since been adopted by other US states.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The HMRC data breach - in which the unencrypted details of 25 million people on the child benefit database were downloaded by a junior official onto a CD and sent, unregistered and unrecorded, by post to the National Audit Office - highlights the security dangers posed by the proliferation of government databases housing millions of records containing sensitive personal information.

The proposed national identity register for the ID card scheme will store even more data, including biometric information - what happens if your fingerprint records fall into the hands of identity thieves?

The national electronic medical record system will also need to provide access to around 300,000 NHS staff - but surely no security procedures in the world can prevent rogue workers with access from doing bad things?

And what about the private sector? The government was forced to come clean on this breach because of the sheer scale and seriousness of it and accountability to Parliament, but there is no such obligation for the thousands of businesses who collect and store vast amounts of our personal information.

The Prime Minister's decision to allow the Information Commissioner to make spot checks on data storage and security at government departments is welcome but it's too little too late.

The HMRC blunder is just the latest of a number of high-profile data breaches which have eroded public faith in the ability of government and businesses to protect their information - and it is vital that changes are made to restore that faith. That is why we need full disclosure laws - now.
