Full Disclosure: Prevention is better than cure...
Published: 23 October 2007 15:17 GMT
Any UK data breach notification laws are just the start of addressing the wider identity theft problem, according to a group of security experts.
Speaking at a keynote panel at the RSA Conference Europe 2007, Christopher Kuner, partner and head of the international privacy and information management practice at US-based law firm Hunton & Williams, said: "Notification is a useful first step and it has increased awareness [in the US but] we need to go further than this and if the ICO (Information Commissioner's Office) thinks that this is enough it is wrong."
silicon.com's Full Disclosure campaign - what we are asking for...
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
And the ICO did, in part, agree that notifications are not the be-all and end-all in the war against identity theft.
Also speaking in the session, David Smith, deputy information commissioner at the ICO, said the UK needs a "simple, easy to understand law" which does not enforce "notification for the sake of it" but is proportionate, meaningful and the same for the public and private sectors.
Smith added that data breach notification is simply a "sticking plaster" in the fight against identity theft and that prevention is the better route to go down. "There is a danger of focusing on it too much - the priority should be to make sure that [data breaches] do not happen at all," he said.
The UK does not currently have legislation in place to enforce data breach notifications - something that the silicon.com Full Disclosure campaign is trying to change.
But more than 30 US states now have data breach notification laws, and the divergence among these numerous pieces of legislation has created a "hodgepodge of laws", according to Kuner.
Kuner added that data notification laws are a "blunt instrument" and that the subsequent flood of notifications some US citizens have received since the legislation came into place has made them "blasé" about the risks.
The European Commission is considering tightening some of the regulations around when companies have to reveal security leaks.