
ICO gives qualified backing to security breach law

OUT-LAW News, 19/02/2007

Companies may be forced to admit when customer data has been lost by or stolen from them, said the UK Information Commissioner's Office. Deputy Commissioner Phil Jones said there were significant practical concerns but the ICO backed the idea "in theory".

Some US states have laws forcing the disclosure of personal data security breaches, and experts last week called for a similar law in the UK as building society Nationwide was hit with a £980,000 fine for a data breach.

"We certainly see a good reason for it," Jones told OUT-LAW.COM. In order to be effective, though, any law would have to make sure that only major breaches required notification.

"In principle it is a good idea, but it may be a more complex issue," said Jones. "One of the problems is getting the threshold right. If every time there is a minor threatened risk of a breach someone has to report it then the danger is that people get fed up with it and stop paying any attention or doing anything about it. It's like crying wolf."

"Someone in the industry said to me that one of the reactions of the industry in the US is that some companies over-report, and I think you have to question what happens in that circumstance," said Jones. "Whether you are only reporting when a significant number of people are at risk or whether the risk they are at is significant, you have to set out criteria."

Currently the ICO, which is responsible for monitoring compliance with the Data Protection Act, cannot force an organisation to disclose a breach unless it can show that disclosure is the only way for that organisation to process the affected data fairly. Fair processing of personal data is a requirement of the Act.

As OUT-LAW revealed last week, financial regulator the Financial Services Authority (FSA) believes it has the right not only to order specific disclosures but to create a general rule of disclosures for the companies which it regulates.

Jones said that he believed it would be possible to set a threshold for disclosure, but that the ICO should not be tasked with creating and defining it. "I don't think we would be the right people to work it out; we aren't specialists in security," he said.

The ICO has two other concerns about a possible new law. One is that enough information should be gathered before notice is given so that consumers are told how to deal with the situation.

"If you do report something, are you really in a position to give people useful information?" said Jones. "If a customer finds out what's happened but has no information on how to mitigate it I'm not clear what has been achieved."

The ICO is also concerned that any law make clear to whom organisations should report a breach: to the affected customers directly, to a regulator, or to both. Jones said there would be a worry that if tiny breaches were regularly reported to a regulator it could create an impossible workload.

Nationwide was fined last week for inadequate systems and controls protecting customer data, failings that came to light after an employee's laptop was stolen from his home. Though the employee told the company about the theft straight away, it is reported that he did not inform Nationwide that customer data was on the machine until after a three-week holiday.

Nationwide did eventually alert all its customers by letter that the breach had occurred, it said.

"The interesting element of these views from the ICO is that they're following Australia and Canada in exploring whether or not security breach legislation should be enacted," said Dr Chris Pounder, a privacy expert at Pinsent Masons, the law firm behind OUT-LAW. "In data protection policy terms the subject is well on the agenda."

Any law is likely to follow the international lead in mandating notification only for data that was unencrypted and therefore at risk. Loss of encrypted information does not usually trigger a breach notification.

Pounder has previously said that a security breach notification law would be a positive step. "In an environment where the government is warning about ID theft it seems sensible to alert data subjects to the fact that their identity has been exposed," he said.

Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.

See also: FSA has power to order data breach disclosure, OUT-LAW News. 16/02/2007

Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please contact us. See also: our full disclaimer
