NEWS
The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts.
Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do not have to disclose details of the breach - even to those affected.
Now, in the wake of recent data losses, security experts have called on UK legislators to bring laws in line with US law SB 1386, which was introduced in California in 2003 and has spread to 34 states, requiring full disclosure.
Martin Carmichael, CSO at McAfee, told silicon.com: "I think companies should be accountable. Accountability is a vital part of security and if a company has a data breach I think they should be prepared to talk about it.
"I am surprised the UK doesn't have anything in place like SB 1386."
And that feeling was echoed by Phil Zimmerman, the founder and writer of PGP encryption, who described SB 1386 as "a fiendishly clever piece of legislation" because it not only makes companies more 'on the ball' for fear of having to admit breaches or losses but also empowers consumers to make more informed choices.
The effect of being 'outed', said Zimmerman, is a very powerful tool. "I think companies respond far more to the outing than they would to a fine," he said.
Zimmerman added: "In the UK you really should push your government to force disclosure."
Here in the UK there is no such requirement for companies to warn customers if their personal data has been put at risk. Last year this led to criticism of the way a potential security breach, which resulted in thousands of credit cards being cancelled, was handled.
As a spokeswoman for the Information Commissioner's Office told silicon.com last year: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur."
Comments
There are 2 comments. Join the discussion
1. anonymous
Hmm, somehow cannot see that getting into law quickly in UK.
Don't think the government would like having to admit that their central databases have been compromised and Insurance companies have got their hands on thousands of "confidential" health data records.
2. Richard
No! First let's stop pretending!
This "valuable data" is only valuable to criminals thanks to previous poorly conceived laws & regulations.
Each new law makes the situation worse - as well as greatly increasing industry's costs ...and hence prices.
We'd do far better to introduce a general law which protects people's privacy from all threats - including intrusion by the media.
The problems of "identity fraud" and "identity theft" would be better solved by abolishing the highly insecure customer "identity checks" imposed on (willing) financial institutions by crazy government regulations and returning to a customer relationship where institutions really "know their customers" before offering loans etc.