Watchdog aims to compel data-breach confessions

Summary: The National Consumer Council is petitioning the EU to draft legal powers compelling businesses and banks to inform customers of the loss of their data

The National Consumer Council watchdog is calling on lawmakers to force businesses to confess to data breaches.

The National Consumer Council (NCC) is petitioning the EU to draft legal powers to compel businesses and banks to inform customers when they lose their personal data.

The EU is currently debating proposals to overhaul the E-Privacy Directive to compel internet service providers (ISPs) to come clean about data breaches, in a move recently welcomed by deputy information commissioner David Smith.

The NCC and its fellow European consumer watchdogs want the proposed revisions to be extended so that all UK banks and businesses face a reporting requirement. They argue that, because many smaller breaches go unreported by UK businesses, consumers cannot properly defend themselves against identity fraud.

Anna Fielder, senior policy adviser with the NCC, told sister site silicon.com: "Thousands of businesses are handling bank-account details, dates of birth and other personal details daily, and a lot of incidents could go unreported because they are not considered high-profile enough."

"All banks and businesses should be obliged to report losses to enable customers to take action and protect themselves," said Fielder.

Fielder added: "It would also provide the incentive needed for businesses to improve their data security and be less cavalier with customers' data."

According to Fielder, the UK is failing to keep up with the US, where about 40 states have a data-breach notification law in place.

She said: "We are hoping that we will get support for this in the EU, but we understand that it will be resisted by business."

The reckless loss of personal data became a civil offence earlier this year, and the NCC called for the Information Commissioner's Office to be given more powers to fine offending private and public-sector organisations.

The issue of data loss shot into the public eye late last year with HM Revenue & Customs' loss of 25 million people's details on two CDs. The loss sparked a host of revelations about missing data in government and business. Most recently, a Home Office contractor lost the details of 84,000 prisoners, and the personal data of one million bank customers was found on a server sold on eBay.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT decision-makers need to know about, and the latest happenings in the European tech scene.

Talkback

2 comments
  • CMA

    Fine in theory, but we hope the NCC has thought it through. Any new legislation must be careful to define what constitutes a breach. For example:
    DGH-09210
  • what is a breach?

    Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
    benjaminwright75205