Data breach notification law coming, says watchdog

All organisations will soon be compelled to notify customers and regulators of data breaches, the UK privacy watchdog has said.

A representative of the Information Commissioner's Office (ICO) said on Tuesday that a European Commission review of data laws will require data-breach notification from a wide range of businesses.

"Breach notification is on the [European Commission's] agenda," deputy commissioner David Smith told ZDNet UK at the Infosecurity Europe 2010 conference. "It's coming for telecommunications companies, and there's no logical reason to confine it to them."

The EU's Telecoms Reform Package was agreed upon by the European Parliament and the Council of Ministers in 2009. Under the reforms, telecommunications will have to inform national regulators of serious data breaches. Judging the seriousness of a data breach will involve the scale and the sensitivity of data that has been compromised.

The UK will have data breach notification laws for telcos within 18 months, said Smith, who added that he expected this breach notification requirement to be expanded beyond the telco sector.

Smith said that breach notification was a "double-edged sword" for regulators, in that while it encouraged companies to tighten data protection procedures, the ICO risked being swamped with notifications.

"We don't want to hear about everything," said Smith. "Proportionate, yes, but no to a blanket system."

Security experts at the conference broadly welcomed the institution of a data breach law.

Marcus Alldrick, Lloyd's of London's senior IT manager for information protection and continuity, said such a law would encourage organisations to take a multi-layered approach to security in order to protect their reputations.

"This reiterates the need for a risk-based defence-in-depth approach that not only secures information, but protects the company and its reputation," said Alldrick. "But it has to be proportionate, otherwise the body they report to will get flooded."

The ICO has the power to fine organisations up to £500,000 for serious transgressions of data law. Alldrick said there was a danger that organisations would flout the law if the body to which organisations reported data breaches — which, in the case of the UK, is the ICO — was also in charge of enforcing punitive measures.

"The body organisations report [breaches] to cannot act as judge and jury," said Alldrick. "All reporting must be [seen to be] treated in a fair and reasonable manner, as we're looking to encourage responsibility."

Andy Buss, service director for access and infrastructure for analyst firm Freeform Dynamics, said data breach notification was needed as there was little point in giving the ICO powers to fine without compelling organisations to report data breaches.

"Notification promotes efficient publication of breaches, which encourages data protection," said Buss. "Brand is one of the things companies worry most about. Fines and notification are two sides of the same coin."

However, John Colley, managing director of security organisation ISC2, described data breach notification as "a mixed blessing".

"As an individual, I'd like to know [if] my data has been compromised, but publicising the data loss may encourage a black market for that data," said Colley.