Breach Laws & Norms in the UK & Ireland
Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis:
The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small amounts of sensitive personal data. Yet, companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.
The other benefit I see from this proposed code is how as an industry we all can learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices that we do today were it not been for the widespread publicity of lost unencrypted devices in the past.
Meanwhile, in the UK, the “Information Commissioner’s Office will not compel companies to report data losses:”
“Under the Data Protection Act organisations have an obligation to ensure that personal information is held securely. We encourage organisations to advise us as soon as they are aware of a data breach which puts their customers at risk,” the ICO said.
“Changes to the law are ultimately a matter for the government. Should legislation be proposed to compel UK organisations to notify people when a data breach occurs, it must be properly considered before it is introduced in the UK. ”