UK Watchdog asks the European Commission to adopt security breach law

By EDRi · September 10, 2008

(This article is also available in German)

The UK consumer watchdog, the National Consumer Council (NCC), together with
other consumer groups, wants the European Commission to force companies to
publicly admit when they lose customer data. A data breach notification law
would give companies an incentive to keep data more securely.

“What we’re asking for is when the kind of data has been lost that can pose
a serious risk in terms of identity theft or taking over bank accounts or
cleaning out bank accounts and so on, that the consumers are notified so
that they can take appropriate measures,” said senior policy advisor Anna
Fielder, adding that “It will be an incentive for businesses to put better
security measures in place because obviously that can cause a lot of brand
damage if you notify your customers too often that you’ve been negligent
with their data.”

In November 2007, the European Commission proposed breach notification laws,
and in January 2008 the House of Commons Justice Committee took the same
path. Robert Hannigan’s review in March 2008 recommended breach notification
laws for public sector bodies, outlining plans for the overhaul of data
security in all major government departments.

Although no legislation is yet in force in the UK, in May 2008 the Information
Commissioner (ICO) was given the power to fine organisations whose
operational procedures caused a gross breach of the data protection principles.
This was introduced through the Criminal Justice and Immigration Bill, but the
offence was so widely drafted that it risked criminalising activities such
as the passing of personal details to suppliers for business purposes. The ICO
has even said that such a breach notification law could be counterproductive,
because frequent news of breaches could desensitise people to the effect of
very serious breaches. The Commissioner said that, in order to be acceptable, any
data breach law would have to set the right threshold at which breaches must
be reported.

Now, NCC believes ICO should have more powers: “The Commissioner should
have increased powers, fining people for data breach negligence. At the
moment the Commissioner has no such powers so there is no incentive very
often for companies to put appropriate security measures in place.”

The NCC and other European consumer watchdogs want the revisions of the
proposed breach notification laws to be extended to all businesses that
collect significant amounts of customers’ personal data, including banks,
credit card companies and traders.

In Fielder’s opinion, the ICO itself could decide at what point a breach
should be made public. “There obviously should be a proper evaluation and
risk assessment of breaches. (…) There is no point panicking consumers
every time; it is important to inform people when there is a risk. This can
be done by notifying the ICO who can evaluate and make a risk assessment,”
she said.
</grconsider>
<gr_replace lines="56-61" cat="clarify" orig="The issue">
Public data loss has been a hot topic lately, with several incidents of
personal data loss in the UK and Ireland, such as HM Revenue &
Customs’ loss of 25 million people’s details on two CDs, the loss of data on
84 000 prisoners by a Home Office contractor, the personal data of one
million bank customers that was found on a server sold on eBay, and the loss
of the personal data of about 10 000 customers of the Bank of Ireland.

The issue of public data loss has been a hot issue lately with the several
incidents of personal data loss in UK& Ireland, such as HM Revenue &
Customs’ loss of 25 million people’s details on two CDs, the loss of data on
84 000 prisoners by a Home Office contractor, the personal data of one
million bank customers that was found on a server sold on eBay or the loss
of the personal data of about 10 000 customers of the Bank of Ireland.

Later this month, the European Parliament will vote on the proposal made by
the European Commission, which has published a package of telecoms industry
reform measures containing a proposal that electronic communications
providers should be forced to disclose any data breaches (a subject covered
in the first article of this EDRi-gram).

Consumer group asks EU for security breach law (3.09.2008)
http://www.out-law.com//default.aspx?page=9400

Information Commissioner gets power to fine for privacy breaches
(12.05.2008)
http://www.out-law.com/page-9110

Watchdog demands data breach confessions (1.09.2008)
http://software.silicon.com/security/0,39024655,39282263,00.htm

Watchdog aims to compel data-breach confessions (2.09.2008)
http://news.zdnet.co.uk/security/0,1000000189,39483398,00.htm

ICO: UK may get data-breach notification law (4.07.2008)
http://news.zdnet.co.uk/security/0,1000000189,39442182,00.htm

EDRi-gram: Important personal data lost by the Bank of Ireland (7.05.2008)
http://www.edri.org/edrigram/number6.9/personal-data-bank-ireland