Peers have applied more pressure on the government to introduce a data-breach-notification law.
Lord Broers, chair of the House of Lords Science and Technology Committee, told ZDNet.co.uk on Tuesday that organisations should be required by law to notify parties affected by a data breach.
"It's completely unacceptable that there's no data-breach law," said Lord Broers. "If people have lost data, they are under obligation to let people know. They should be required to tell them. It's unacceptable that organisations not tell people for an extended period of time."
The Science and Technology Committee on Tuesday produced a follow-up report to an initial report into personal internet security that was published in August 2007. One of the main thrusts of the initial report was the need for a data-breach law, a recommendation the government rejected in October.
However, Lord Broers said repeated reports of serious data breaches, including the loss of 25 million child-benefit claimant details by HM Revenue & Customs in November, have made the government more receptive to the possibility of a data-breach law.
"I think there's considerable appetite [for a data-breach law]," said Lord Broers. "I've never heard any disagreement from the people I speak to."
Lord Broers said arguments that people would become desensitised to repeated notifications were "ridiculous", but said types of data would need to be classified in law so there would be a threshold beyond which affected people would have to be notified.
"Data can be categorised to be regarded as 'serious'," said Lord Broers. "If data lost is already in the public domain, then there's no need for notification. It's just a matter of drawing up the legislation appropriately and carefully."
The Science and Technology Committee is also putting pressure on the government to make banks liable for losses incurred by electronic fraud. At present the Banking Code gives guidelines that banks should refund people affected by e-fraud. However, the committee said that, in practice, the burden of responsibility is currently on the victim to prove they were not negligent with their details or involved in the fraud. The committee said this burden of proof should be reversed, so that banks would have to prove the victims were negligent or fraudulent if they want to deny a refund.
"Why shouldn't banks be liable for e-fraud losses if they can't prove [the losses] are fraudulent?" asked Lord Broers.
The committee added that the government's emphasis on banks, rather than the police, investigating fraud was unsatisfactory.
"Ultimately, it's the police who should investigate these crimes," said Lord Broers. "It's not clear that these cases are investigated. A lot appear to not be investigated at the moment, which is only encouraging these crimes."
Talkback
In the States we debate the difference between a serious breach of security and a trivial one. It is irresponsible for law and legal practice to bury consumers with an excessive number of <a href="http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html">data breach notices</a>. --Ben <a href="http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html">http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html</a>