Some US states have laws forcing the disclosure of personal data security breaches, and experts last week called for a similar law in the UK as building society Nationwide was hit with a £980,000 fine for a data breach.
"We certainly see a good reason for it," Jones told OUT-LAW.COM. In order to be effective, though, any law would have to make sure that only major breaches required notification.
"In principle it is a good idea, but it may be a more complex issue," said Jones. "One of the problems is getting the threshold right. If every time there is a minor threatened risk of a breach someone has to report it then the danger is that people get fed up with it and stop paying any attention or doing anything about it. It's like crying wolf."
"Someone in the industry said to me that one of the reactions of the industry in the US is that some companies over-report, and I think you have to question what happens in that circumstance," said Jones. "Whether you are only reporting when a significant number of people are at risk or whether the risk they are at is significant, you have to set out criteria."
Currently the ICO, which is responsible for monitoring compliance with the Data Protection Act, cannot force an organisation to disclose a breach unless it can prove that it is the only way to treat data in a fair manner. Fairness in the handling of personal data is mandated by the Act.
As OUT-LAW revealed last week, financial regulator the Financial Services Authority (FSA) believes it has the right not only to order specific disclosures but to create a general rule of disclosures for the companies which it regulates.
Jones said that he believed it would be possible to set a threshold for disclosure, but that the ICO should not be tasked with creating and defining it. "I don't think we would be the right people to work it out; we aren't specialists in security," he said.
The ICO has two other concerns about a possible new law. One is that enough information should be gathered before notice is given so that consumers are told how to deal with the situation.
"If you do report something, are you really in a position to give people useful information?" said Jones. "If a customer finds out what's happened but has no information on how to mitigate it I'm not clear what has been achieved."
The ICO is also concerned that it be made clear to whom organisations should report a breach, whether to the affected customers directly or to a regulator. He said there would be a worry that if tiny breaches were regularly reported to a regulator it could create an impossible workload.
Nationwide was fined last week for having inadequate systems and protections for data that came to light after an employee had a laptop stolen from his home. Though the employee told the company about the incident straight away, it is reported that he did not inform Nationwide that customer data was on the machine until after a three-week holiday.
Nationwide did eventually alert all its customers by letter that the breach had occurred, it said.
"The interesting element of these views from the ICO is that they're following Australia and Canada in exploring whether or not security breach legislation should be enacted," said Dr Chris Pounder, a privacy expert at Pinsent Masons, the law firm behind OUT-LAW. "In data protection policy terms the subject is well on the agenda."
Any law is likely to follow the international lead in only mandating notification for data that was unencrypted and therefore at risk. Encrypted information does not usually trigger a breach notification.
Pounder has previously said that a security breach notification law would be a positive step. "In an environment where the government is warning about ID theft it seems sensible to alert data subjects to the fact that their identity has been exposed," he said.