BreachExchange mailing list archives
UK headed for data breach disclosure law within four years
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 16 Jul 2010 23:37:18 -0400
http://www.silicon.com/management/public-sector/2010/07/16/uk-headed-for-data-breach-disclosure-law-within-four-years-39746105/

Europe working on legislation to notify victims of information breaches

A law forcing all organisations to publicly declare data breaches is expected to be in place in the UK within four years.

According to lawyers at law firm Field Fisher Waterhouse (FFW), legislation requiring organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data will be introduced across Europe.

Eduardo Ustaran, head of the privacy and information law group at FFW, said the law will be introduced under an amendment to the 1995 EU Data Protection Directive, which is currently being reviewed by the EU Commission. The amendment will be made by European data protection regulators who are helping to draw up proposed changes to the directive, Ustaran told silicon.com at a data protection event in London yesterday.

"All of the European data protection regulators have made very strong calls for this mandatory breach notification," Ustaran said.

The proposed changes to the EU directive will be published by the EU Commission in November this year, and if approved, will have to be reflected in UK law by the end of 2014.

Telcos and ISPs in Europe will have to publicly declare serious security breaches involving personal data even earlier under a separate EU directive, which will come into force in the UK in May next year.

Stewart Room, partner in the privacy and information law group at FFW, said a mandatory law is needed as companies are currently covering up data breaches.

"Most organisations in the private sector are not reporting breaches. If notification is discretionary, then a lot of people are going to be burying the bad news," he told the event organised by security company Sophos.

"We feel that breach notification should happen and should be mandatory because then we can start learning about the problems that are out there."

Room said the Information Commissioner's Office (ICO) powers to fine companies up to £500,000 for serious breaches of the Data Protection Act, which the ICO gained in April this year, are also discouraging companies from owning up to data breaches.

"We are dealing with many cases that the ICO does not know about because the companies see the disincentive of punishment.

"Voluntary notification falls down substantially if the company feels that they will put their head in the noose through this behaviour."

Room however supported the idea of an uncapped fine once a mandatory data breach notification law is in place.

The roundtable event coincided with the release of the ICO's annual report yesterday, which found there has been a 30 per cent increase in data protection complaints and requests for information over the past year.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/