The National Consumer Council watchdog is calling on lawmakers to force businesses to confess to data breaches.
The National Consumer Council (NCC) is petitioning the EU to draft legal powers to compel businesses and banks to inform customers when they lose their personal data.
The EU is currently debating proposals to overhaul the E-Privacy Directive to compel internet service providers (ISPs) to come clean about data breaches, in a move recently welcomed by deputy information commissioner David Smith.
The NCC and its fellow European consumer watchdogs want the proposed revisions extended so that all UK banks and businesses face a reporting requirement. They argue that, because many smaller breaches go unreported by UK businesses, consumers cannot properly defend themselves against identity fraud.
Anna Fielder, senior policy adviser with the NCC, told sister site silicon.com: "Thousands of businesses are handling bank-account details, dates of birth and other personal details daily, and a lot of incidents could go unreported because they are not considered high-profile enough."
"All banks and businesses should be obliged to report losses to enable customers to take action and protect themselves," said Fielder.
Fielder added: "It would also provide the incentive needed for businesses to improve their data security and be less cavalier with customers' data."
According to Fielder, the UK is failing to keep up with the US, where about 40 states have a data-breach notification law in place.
She said: "We are hoping that we will get support for this in the EU, but we understand that it will be resisted by business."
The reckless loss of personal data became a civil offence earlier this year, and the NCC called for the Information Commissioner's Office to be given more powers to fine offending private and public-sector organisations.
The issue of public data loss shot into the public eye late last year with HM Revenue & Customs' loss of 25 million people's details on two CDs. The loss sparked a host of revelations about missing data in government and business. Most recently, a Home Office contractor lost the details of 84,000 prisoners, and the personal data of one million bank customers was found on a server sold on eBay.
Talkback
Fine in theory, but we hope the NCC has thought it through. Any new legislation must be careful to define what constitutes a breach. For example:
• Is a data loss necessarily a data breach?
• Does a data breach occur even where no harm has been caused?
• Is the loss of encrypted data always harmless? Or must the strength of the crypto algorithm be taken into account when making a judgement?
• If it can be shown that the data was lost in some remote part of the business chain (e.g. by an ISP, by a data warehouse, a call centre, or outsourcer) and not by the data user, how will blame be apportioned?
Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html