Shostack + Friends Blog Archive


Breach Laws & Norms in the UK & Ireland

Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis:

The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small amounts of sensitive personal data. Yet, companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.

The other benefit I see from this proposed code is how as an industry we all can learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past.

Meanwhile, in the UK, the “Information Commissioner’s Office will not compel companies to report data losses:”

“Under the Data Protection Act organisations have an obligation to ensure that personal information is held securely. We encourage organisations to advise us as soon as they are aware of a data breach which puts their customers at risk,” the ICO said.

“Changes to the law are ultimately a matter for the government. Should legislation be proposed to compel UK organisations to notify people when a data breach occurs, it must be properly considered before it is introduced in the UK.”

2 comments on "Breach Laws & Norms in the UK & Ireland"

  • Richard says:

    So we’ll learn about how data was lost from Irish organisations who have bad security, but not how it was lost from organisations that had good security.

    So how will we learn how to make our good security better?

    • Brian Honan says:


      Any company that suffers a security breach that could expose sensitive personal data of data subjects will be obliged to report that breach. The proposal allows exceptions to this for companies that lose sensitive data lost but have appropriate protections inplace such as encryption etc.

      So by the way the proposal is constructed it is only companies with “bad” security that are obliged to report the loss.

      I would also contend that companies with “good” security can always learn something from breaches at companies with “bad” security. This could simply be trends in types of attacks or losses, a new way to protect the data, or how effective certain types of responses are.

      I think as information security professionals we should always be trying to improve security, indeed we should all be “trying harder”.
