


(This article is also available in German)
The UK consumer watchdog, the National Consumer Council (NCC), together with other consumer groups, wants the European Commission to force companies to publicly admit when they lose customer data. A data breach notification law would give companies an incentive to keep data more securely.
"What we're asking for is when the kind of data has been lost that can pose a serious risk in terms of identity theft or taking over bank accounts or cleaning out bank accounts and so on, that the consumers are notified so that they can take appropriate measures," said senior policy advisor Anna Fielder, adding that "It will be an incentive for businesses to put better security measures in place because obviously that can cause a lot of brand damage if you notify your customers too often that you've been negligent with their data."
In November 2007, the European Commission proposed breach notification laws and in January 2008, the House of Commons Justice Committee adopted the same path. Robert Hannigan's review in March 2008 recommended breach notification laws for public sector bodies, outlining plans for the overhaul of data security in all major government departments.
Although no such legislation is yet in force in the UK, in May 2008 the Information Commissioner's Office (ICO) was given the power to fine organisations if their operational procedures caused a gross breach of data protection principles. This was introduced into the Criminal Justice and Immigration Bill, but the offence was so widely drafted that it risked criminalising activities such as the passing of personal details to suppliers for business purposes. The Information Commissioner has even said that such a breach notification law could be counterproductive, because frequent news of breaches could desensitise people to the effect of very serious breaches. He said that, in order to be acceptable, any data breach law would have to correctly establish the threshold at which breaches are reported.
Now, the NCC believes the ICO should have more powers: "The Commissioner should have increased powers, fining people for data breach negligence. At the moment the Commissioner has no such powers so there is no incentive very often for companies to put appropriate security measures in place."
The NCC and other European consumer watchdogs want the revisions of the proposed breach notification laws to be extended to all businesses that collect significant amounts of customers' personal data, including banks, credit card companies and traders.
In Fielder's opinion, the ICO itself could decide at what point a breach should be made public. "There obviously should be a proper evaluation and risk assessment of breaches. (...) There is no point panicking consumers every time, it is important to inform people when there is a risk. This can be done by notifying the ICO who can evaluate and make a risk assessment," she said.
The loss of personal data has been a hot issue lately, following several incidents in the UK and Ireland, such as HM Revenue & Customs' loss of 25 million people's details on two CDs, the loss of data on 84 000 prisoners by a Home Office contractor, the personal data of one million bank customers that was found on a server sold on eBay, and the loss of the personal data of about 10 000 customers of the Bank of Ireland.
Later this month, the European Parliament will vote on the European Commission's package of telecoms industry reform measures, which contains a proposal that electronic communications providers should be forced to disclose any data breaches. (This subject is covered in the first article of this EDRi-gram.)
Consumer group asks EU for security breach law (3.09.2008)
http://www.out-law.com//default.aspx?page=9400
Information Commissioner gets power to fine for privacy breaches (12.05.2008)
http://www.out-law.com/page-9110
Watchdog demands data breach confessions (1.09.2008)
http://software.silicon.com/security/0,39024655,39282263,00.htm
Watchdog aims to compel data-breach confessions (2.09.2008)
http://news.zdnet.co.uk/security/0,1000000189,39483398,00.htm
ICO: UK may get data-breach notification law (4.07.2008)
http://news.zdnet.co.uk/security/0,1000000189,39442182,00.htm
EDRi-gram: Important personal data lost by the Bank of Ireland (7.05.2008)
http://www.edri.org/edrigram/number6.9/personal-data-bank-ireland