Shostack + Friends Blog Archive


British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology:

5.55.  We further believe that a data security
breach notification law would be among the most important advances
that the United Kingdom could make in promoting personal Internet
security. We recommend that the Government, without waiting for
action at European Commission level, accept the principle of such
a law, and begin consultation on its scope as a matter of urgency.

5.56.  We recommend that a data security breach
notification law should incorporate the following key elements:

  • Workable definitions of data
    security breaches, covering both a threshold for the sensitivity
    of the data lost, and criteria for the accessibility of that data;

  • A mandatory and uniform central reporting

  • Clear rules on form and content of notification
    letters, which must state clearly the nature of the breach and
    provide advice on the steps that individuals should take to deal
    with it.

One of the members of this committee, Lord Toby Harris, delivered a keynote at the most recent FIRST conference. His presentation (PDF) foreshadowed this report somewhat, and put me in a great mood. I am eager to read this report and the supporting evidence.
Tip of the hat to Light Blue Touchpaper, who have much more on this report (the scope of which is broader than just data breaches)