Passing a data security breach law is one of the most important advances the UK could make to improve internet security, according to an influential House of Lords committee.
And the government should begin consultation on the scope of such a law "as a matter of urgency", according to the House of Lords Science and Technology Committee.
The message is in line with silicon.com's Full Disclosure campaign which has been calling for a rethink of law in this area to improve the reporting of data breaches so that companies have to reveal it when they lose sensitive data.
The Science and Technology Committee said in its Personal Internet Security report that a data security breach notification law should include the following: workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost and criteria for the accessibility of that data; a mandatory and uniform central reporting system; and clear rules on the form and content of notification letters, which must state the nature of the breach and provide advice on the steps that individuals should take to deal with it.
The report explained: "A key issue is the fact that businesses are not currently required to report or publicise security breaches." It then warned: "The absence of a duty of disclosure reduces the likelihood that customers will identify, complain of and provide proof of fraud; it also, since such complaints are in turn the most likely means of prompting disclosure, leads to a vicious circle of under-reporting."
It said the situation in the US - many parts of which do have a disclosure law - stands in marked contrast to that in the UK: "Both the prospect of tough penalties, and, more importantly, the prospects of public embarrassment and loss of share value, provide strong incentives to companies to prioritise data security at the highest level."
The report added: "Whereas in the past companies would often conceal attacks on their systems so as not to damage their reputation, now, since individuals had to be informed anyway, they were far more willing to report such events to law enforcement."
But the lords said the UK government's position towards such legislation was lukewarm, adding: "We believe that the UK is now ideally placed to learn from the successes and failures of the many state laws in force in the United States and get this detail right, establishing a workable and effective legislative framework."
It also said EU laws currently proposed in Brussels will have little impact in raising the incentives for business to take the necessary steps to protect personal internet security, and called for stronger enforcement powers for the Information Commissioner's Office.
If you want to find out more about silicon.com's campaign read the original Full Disclosure manifesto or find out what a leading lawyer thinks about the current state of data disclosure legislation.
Provided by silicon.com—Driving Business Through Technology