Two surveys came out today, both concerning perceptions about a possible UK data breach notification law. Such a law would require companies suffering a data breach to notify all affected parties, especially the general public whose details have been compromised. The interesting thing about the surveys is that they have diametrically opposite results.
One of the surveys, commissioned by security company Clearswift, asked IT managers whether the UK should enact data breach legislation. Overwhelmingly, IT managers said 'No' -- 87 percent of them don’t believe the general public should be informed if a data breach happens. Over half (61 percent) also didn’t think the police should be informed.
The stated reasons were cash, or rather the lack of it, and damage to reputation. When asked about the likely impact of data breach notification legislation, almost half (49 percent) of UK respondents expected their total annual IT spend to rise by at least five percent, and 26 percent expected a rise of at least ten percent.
Interesting. However, I'm not sure how far to trust the survey results. The survey polled 398 UK IT managers, which is a reasonable sample size. It is slightly strange that 60 percent of them didn't know about the proposed UK data breach notification law. We in the tech press have been banging on about it for a while, but perhaps Clearswift picked IT managers who don't follow the subject too closely.
However, what was truly bizarre about the survey results was that 51 percent of IT managers were in favour of a data breach notification law. How can 51 percent of IT managers favour a law whose purpose is to inform all parties involved in a data loss, while 87 percent are against informing Joe Public? The whole point of a data breach notification law is that it is a consumer protection mechanism, designed to give companies an incentive to take better care of people's personal details. Weird.
Of the UK organisations polled by Clearswift, 15 percent had suffered a data loss in the last 12-18 months, and of those, 58 percent had experienced more than one. In other words, the majority of businesses that had lost data had done so more than once. Surely that is a clear argument for a data breach notification law that gives businesses an incentive to take better care of data?
Meanwhile, another survey, undertaken by Ipsos Mori on behalf of security company Symantec, found that the general public most definitely do want to be informed if an organisation compromises their personal details. 96 percent of the general public would want to be notified if a public or private sector organisation lost personal details about them, the survey found.