ZDNet UK



Security News

Lawyer urges debate over data-breach rules

Steve Ranger, silicon.com

Published: 25 Jul 2007 08:54 BST


Current rules about when companies have to report customer data leaks are creating uncertainty for executives, and business leaders must join the debate on whether a change of law is needed, according to a top lawyer.

Earlier this month ZDNet.co.uk's sister site silicon.com launched its Full Disclosure campaign, calling for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

According to James Mullock, data-protection partner at law firm Osborne Clarke, at the moment the rules around when — and who — to notify after a data breach vary from industry to industry.

For example, a financial services company that suffers a leak of customer information is pretty much obliged to notify the Financial Services Authority, while a retailer that loses credit card details is likely to have to proactively notify its credit card company. Some companies follow the information commissioner's best practice tip to contractually oblige outsourcers to immediately notify the information commissioner of a security breach, while others do not.

Mullock told silicon.com: "We've got a situation where different obligations are put on some companies but not on others depending on the sector they are in, and that creates a lot of uncertainty."

He said there needs to be a wide-ranging debate and the business community needs to get involved.

Mullock said: "At the moment there is a multi-tier set of requirements and your average company director will find it extremely complex. They have so many influencing factors to think about, not least the fact that they potentially face personal liability under the Data Protection Act and the Fraud Act for the failures of their company. If we have a well-managed debate and change in the law it should actually help companies decide what to do in the event of a security breach."

For there to be a change in the law, the industry needs to think about when any such obligations to notify would apply, and how any change to the law would be drafted so it wouldn't become a bureaucratic nightmare, he added.
