Current regulations are creating uncertainty for executives, claims lawyer James Mullock, who is calling on business leaders to address the issue

Current rules about when companies have to report customer data leaks are creating uncertainty for executives, and business leaders must join the debate on whether a change of law is needed, according to a top lawyer.

Earlier this month ZDNet.co.uk's sister site silicon.com launched its Full Disclosure campaign, calling for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

According to James Mullock, data-protection partner at law firm Osborne Clarke, at the moment the rules around when — and who — to notify after a data breach vary from industry to industry.

For example, a financial services company that suffers a leak of customer information is pretty much obliged to notify the Financial Services Authority, while a retailer that loses credit card details is likely to have to proactively notify its credit card company. Some companies follow the information commissioner's best practice tip to contractually oblige outsourcers to immediately notify the information commissioner of a security breach, while others do not.

Mullock told silicon.com: "We've got a situation where different obligations are put on some companies but not on others depending on the sector they are in, and that creates a lot of uncertainty."

He said there needs to be a wide-ranging debate and the business community needs to get involved.

Mullock said: "At the moment there is a multi-tier set of requirements and your average company director will find it extremely complex. They have so many influencing factors to think about, not least the fact that they potentially face personal liability under the Data Protection Act and the Fraud Act for the failures of their company. If we have a well-managed debate and change in the law it should actually help companies decide what to do in the event of a security breach."

For there to be a change in the law, the industry needs to think about when any such obligations to notify would apply, and how any change to the law would be drafted so it wouldn't become a bureaucratic nightmare, he added.

Copyright © 1995-2010 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.