BreachExchange mailing list archives

How the UK got data breach notification over the line


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Nov 2013 22:50:04 -0700

http://www.itnews.com.au/News/365481,how-the-uk-got-data-breach-notification-over-the-line.aspx

UK organisations took privacy more seriously after the country's
Information Commissioner's Office made data breach notification "best
practice", according to former commissioner Richard Thomas CBE.

Thomas, who was information commissioner between 2002 and 2009, told iTnews
that the British regulator took the step after several embarrassing, high
profile government and bank breaches in 2007.

Making senior executives of banks personally responsible for enforceable
undertakings after breaches also inspired the UK business community to
change its attitude to data protection, he added.

"I insisted that the undertakings be signed by the chief executives of the
banks personally. I have no doubt that really raised the profile of the
issue inside the banks. From that point on they took it more seriously.
Other financial services and commercial operations took it more seriously
the same way that government was taking it more seriously," he said.

"There are still too many lapses. It's by no means perfect, although it has
got better."

During Thomas's tenure, the UK information commissioner had no powers to
impose fines for breaching privacy laws.

In addition, the ability to use enforcement orders against organisations
was only a theoretical possibility that had never been tested.

However, the commissioner could resort to audits and name-and-shame
measures, he said.

"We made it clear that if we had discovered a breach and that we hadn't
been told about it then we would take it more seriously," Mr Thomas said.

Australian uncertainty

Thomas' comments come amid uncertainty over whether Australia's new federal
government will proceed with the former Labor government's plan to pass
laws forcing organisations to notify regulators and the public of serious
data breaches.

The legislation was among a handful of bills that failed to pass the Senate
before parliament was prorogued in June.

Yesterday, long-time champion of the mandatory notification bill,
Australian federal Privacy Commissioner Timothy Pilgrim, declined to reveal
whether he had discussed the bill with federal Attorney-General George
Brandis.

Arguably, Australia's privacy commissioner is in a good position to adopt
the UK practice of recommending that organisations notify the regulator of
data breaches rather than making it law.

From March next year the Australian privacy commissioner will have the
power to impose hefty financial penalties on organisations for serious and
repeated breaches. Compliance with the UK commission's best practice
recommendation became riskier for organisations after it was given powers
to impose fines.

"I think you would either be a very brave or foolish organisation to notify
now," Thomas said.

In the last two to three years of Thomas's tenure the UK commission
received 515 voluntary notifications. He estimates that since then it has
received about 1500 voluntary notices.

However, Thomas said he was sceptical of laws requiring notices to
individual consumers. His view, he said, had been coloured by the
experience of North American privacy regulators.

"People just get bored by it, almost. They don't understand its relevance
to them personally and they're not sure what they're supposed to do about
it so I've always thought that the value of notification was to regulators.

"The top priority is to stop the breach. When I was commissioner we put out
a lot of advice on our web site as to what you should be doing."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/