Anarchy in the UK?
Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure”:
The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts.
Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do not have to disclose details of the breach – even to those affected.
…
Martin Carmichael, CSO at McAfee, told silicon.com: “I think companies should be accountable. Accountability is a vital part of security and if a company has a data breach I think they should be prepared to talk about it.”
My take: they monitor everything else in the UK, why not?
Photo: “Big Brother Congestion” by Jeroen020.
Security through obscurity. Ought to be a slogan for the Bush administration.
I don’t know what the Brit situation is … but I think there is a bit of American selective reporting bias here. The Data Protection Directive of the EU has serious teeth, including fines in the 25k level for each and every breach. It’s implemented on a country-by-country basis, so maybe the Brit situation is a bit different.
I just got back from one discussion last week where we were talking about this from a German perspective; an organisation had just shipped its DB from one country to another and noticed the liability went through the roof. Nobody gives two hoots about customer disclosure because it pales besides the impact of fines. Lose your 100k users database, face 100k * 25k fines: the fastest route to bankruptcy known to man.
Of course, there is a backdoor: be like SWIFT. Then, you are too big to fail, so you get to do what you damn well please with your customer data.