Pressure grows for UK data loss disclosure

http://software.silicon.com/security/0,39024655,39166396,00.htm 

By Will Sturgeon
16 March 2007

The UK is in desperate need of revisions to laws that govern the 
disclosure of information relating to data loss or theft, according to 
security experts.

Currently UK organisations that lose sensitive customer or employee 
data, or expose it to others, do not have to disclose details of the 
breach - even to those affected.

Now, in the wake of recent data losses, security experts have called on 
UK legislators to bring the law into line with California's SB 1386, a 
state breach-notification law that took effect in 2003 and whose model 
has since spread to 34 states, requiring full disclosure of breaches to 
those affected.

Martin Carmichael, CSO at McAfee, told silicon.com: "I think companies 
should be accountable. Accountability is a vital part of security and if 
a company has a data breach I think they should be prepared to talk 
about it.

"I am surprised the UK doesn't have anything in place like SB 1386."

That feeling was echoed by Phil Zimmermann, the creator of PGP 
encryption, who described SB 1386 as "a fiendishly clever piece of 
legislation" because it not only makes companies more 'on the ball' for 
fear of having to admit breaches or losses but also empowers consumers 
to make more informed choices.

The effect of being 'outed', said Zimmermann, is a very powerful tool. "I 
think companies respond far more to the outing than they would to a 
fine," he said.

Zimmermann added: "In the UK you really should push your government to 
force disclosure."

In the UK there is no such requirement for companies to warn customers 
when their personal data has been put at risk. Last year this led to 
criticism of the way a potential security breach, which resulted in 
thousands of credit cards being cancelled, was handled.

As a spokeswoman for the Information Commissioner's Office told 
silicon.com last year: "There is nothing in the Data Protection Act that 
legally obliges companies to inform customers when these things occur."
