BreachExchange mailing list archives

UK headed for data breach disclosure law within four years


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 16 Jul 2010 23:37:18 -0400

http://www.silicon.com/management/public-sector/2010/07/16/uk-headed-for-data-breach-disclosure-law-within-four-years-39746105/
Europe working on legislation to notify victims of information breaches

A law forcing all organisations to publicly declare data breaches is
expected to be in place in the UK within four years.

According to lawyers at law firm Field Fisher Waterhouse (FFW),
legislation requiring organisations to notify the relevant authorities
as well as individuals affected in the event of a serious security
breach involving personal data will be introduced across Europe.

Eduardo Ustaran, head of the privacy and information law group at FFW,
said the law will be introduced under an amendment to the 1995 EU Data
Protection Directive, which is currently being reviewed by the EU
Commission.

The amendment will be made by European data protection regulators who
are helping to draw up proposed changes to the directive, Ustaran told
silicon.com at a data protection event in London yesterday.

"All of the European data protection regulators have made very strong
calls for this mandatory breach notification," Ustaran said.

The proposed changes to the EU directive will be published by the EU
Commission in November this year, and if approved, will have to be
reflected in UK law by the end of 2014.

Telcos and ISPs in Europe will have to publicly declare serious
security breaches involving personal data even earlier under a
separate EU directive, which will come into force in the UK in May
next year.

Stewart Room, partner in the privacy and information law group at FFW,
said a mandatory law is needed as companies are currently covering up
data breaches.

"Most organisations in the private sector are not reporting breaches.
If notification is discretionary, then a lot of people are going to be
burying the bad news," he told the event organised by security company
Sophos.

"We feel that breach notification should happen and should be
mandatory because then we can start learning about the problems that
are out there."

Room said the Information Commissioner's Office (ICO) powers to fine
companies up to £500,000 for serious breaches of the Data Protection
Act, which the ICO gained in April this year, are also discouraging
companies from owning up to data breaches.

"We are dealing with many cases that the ICO does not know about
because the companies see the disincentive of punishment.

"Voluntary notification falls down substantially if the company feels
that they will put their head in the noose through this behaviour."

Room however supported the idea of an uncapped fine once a mandatory
data breach notification law is in place.

The roundtable event coincided with the release of the ICO's annual
report yesterday, which found there has been a 30 per cent increase in
data protection complaints and requests for information over the past
year.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
