Monday 8 December 2008

UK data breach notification laws?

After all the recent news about the new powers to be granted to the Information Commissioner, Richard Thomas, another piece of information pushed out by the Ministry of Justice appears to have gone rather unnoticed.
It was a definitive statement saying that the government would accept Thomas's request that there should be no US-style data breach notification laws for private sector organisations in this country. Of course, public sector organisations are already forced to report any significant "actual or potential" data losses to the ICO - so why not private sector firms?
Well, Thomas has argued that the US experience has not been a particularly good one. It's certainly true that mandatory notification laws have the potential to desensitise the public to data losses. If breaches are in the news all the time then the public is less likely to pay any attention - although you could argue that this is pretty much already the case. Then there are problems such as how high you should set the notification threshold, and whom firms should be obliged to notify - just their customers, or the relevant authorities too? And on top of this there is the potential problem of phishing attacks. Criminals could well decide to send out mass emails after a large data breach, hoping to strike gold by telling an organisation's customers that there has been a data breach and that they should reconfirm their details.
But is the alternative to breach notification laws really the best option? Thomas, and now the government, seem to want a situation where private sector firms report breaches only as a matter of good practice. Although fines will be levied according to the seriousness of the breach, a system of voluntary disclosure hardly seems like the best solution.
The negative impact of a data breach can be so great that it may well tempt some firms to keep quiet in the hope that it can be covered up. No breach notification law also means that the government and law enforcers can't get any idea of the true scale of the problem, which, according to most experts, is woefully underreported at present.
This could all be a moot point, of course, if the EU has its way. Data protection supervisor Peter Hustinx told me recently that European breach notification laws could be in force for telcos and ISPs as soon as 2011. He also argued that it would be "fair and in line with reality" for them to be extended to all firms. Were this to happen, we could be in that rare situation where European laws actually have a positive outcome.
