Does the UK need a breach notice law?
Chris Pounder has an article on the subject:
In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly loose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.
In other words, all the features of a security breach notification law are now found in existing data protection legislation. (“Why we don’t need a security breach notification law in the UK.”)
It’s an interesting analysis that breaches are already covered, and I think he’s probably right. However, he’s not certainly right. Attorneys are paid (in part) to argue, and I think most decent attorneys could construct an argument that the law is unclear.
I think there are two strong reasons to support a breach disclosure law: clarity and learning.
The argument for clarity is just that: the law may not be clear, and it will save U.K. organizations money to have a simple, clear law on the subject. (It can’t cost more for notifications, because that cost, according to Pounder, is already present. Similarly, there’s no increase in liability, that cost is already present.) But with a clear law, attorneys can’t charge as much for analysis.
The second reason for a law is to charge a public agency with collecting and sharing information about what happened and why.
As organizations go through this pain, we should learn from it. Not learning from it entails going through it again and again.
There’s a third reason, which is that even in the case of clear law, which exists in the US, only 3 of 21 retailers breached had told their customers. (Based on a Gartner survey, n=50.)
[Gartner analyst Avivah] Litan didn’t know whether the retailers had broken state laws by not informing their customers of the breaches, but she said it was a possibility. Some of the breaches may have happened before applicable state laws were in effect. (“Most Retailer Breaches Are Not Disclosed, Gartner Says.”)
Update: A friend in the UK pointed out privately that I could have been clearer about the evolution of common law, and how decisions establish law. The UK has not yet had many official rulings, and so both the law and practice are evolving rapidly. Their courts and regulators may look to other countries for guidance, and find that prompt notification is essential, both under many US laws and under evolving Canadian jurisprudence. For example, the “[British Columbia Office of Information Privacy Commissioner] says 41 days too long for breach notification.”
My reading of the directive found no breach reporting requirement. I’ve read a couple of Acts, but found no such. I’ve not read the British one though. I agree that courts and risks will probably drive companies to do it, but a law clarifying it might be a good thing. Devils and details, though…..