ICO gives qualified backing to security breach law

Companies may be forced to admit when customer data has been lost by or stolen from them, said the UK Information Commissioner's Office. Deputy Commissioner Phil Jones said there were significant practical concerns but the ICO backed the idea "in theory".

Some US states have laws forcing the disclosure of personal data security breaches, and experts last week called for a similar law in the UK as building society Nationwide was hit with a £980,000 fine for a data breach.

"We certainly see a good reason for it," Jones told OUT-LAW.COM. In order to be effective, though, any law would have to make sure that only major breaches required notification.

"In principle it is a good idea, but it may be a more complex issue," said Jones. "One of the problems is getting the threshold right. If every time there is a minor threatened risk of a breach someone has to report it then the danger is that people get fed up with it and stop paying any attention or doing anything about it. It's like crying wolf."

"Someone in the industry said to me that one of the reactions of the industry in the US is that some companies over-report, and I think you have to question what happens in that circumstance," said Jones. "Whether you are only reporting when a significant number of people are at risk or whether the risk they are at is significant, you have to set out criteria."

Currently the ICO, which is responsible for monitoring compliance with the Data Protection Act, cannot force an organisation to disclose a breach unless it can prove that it is the only way to treat data in a fair manner. Fairness in the handling of personal data is mandated by the Act.

As OUT-LAW revealed last week, financial regulator the Financial Services Authority (FSA) believes it has the right not only to order specific disclosures but to create a general rule of disclosures for the companies which it regulates.

Jones said that he believed it would be possible to set a threshold for disclosure, but that the ICO should not be tasked with creating and defining it. "I don't think we would be the right people to work it out; we aren't specialists in security," he said.

The ICO has two other concerns about a possible new law. One is that enough information should be gathered before notice is given so that consumers are told how to deal with the situation.

"If you do report something, are you really in a position to give people useful information?" said Jones. "If a customer finds out what's happened but has no information on how to mitigate it I'm not clear what has been achieved."

The ICO is also concerned that it be made clear to whom organisations should report a breach, whether to the affected customers directly or to a regulator. He said there would be a worry that if tiny breaches were regularly reported to a regulator it could create an impossible workload.

Nationwide was fined last week for having inadequate systems and protections for data that came to light after an employee had a laptop stolen from his home. Though the employee told the company about the incident straight away, it is reported that he did not inform Nationwide that customer data was on the machine until after a three week holiday.

Nationwide did eventually alert all its customers by letter that the breach had occurred, it said.

"The interesting element of these views from the ICO is that they're following Australia and Canada in exploring whether or not security breach legislation should be enacted," said Dr Chris Pounder, a privacy expert at Pinsent Masons, the law firm behind OUT-LAW. "In data protection policy terms the subject is well on the agenda."

Any law is likely to follow the international lead in only mandating encryption on data that is unencrypted and therefore at risk. Encrypted information does not usually trigger a breach notification.

Pounder has previously said that a security breach notification law would be a positive step. "In an environment where the government is warning about ID theft it seems sensible to alert data subjects to the fact that their identity has been exposed," he said.