Sunday 11 January 2009

Why UK Data Breach Disclosure Laws are Necessary

Just before Christmas, a UK national press reporter asked for my views on public disclosure of data breaches by UK companies. The reporter was writing a piece highlighting UK companies and organisations which appear not to have a policy of publicly discolouring their data breaches, and were even dead set against any moves for new UK laws forcing public disclosure.

I think the reporter was expecting a "the public has the RIGHT to know" type response; however I see a more overall fundamental benefit for having laws in place to ensure all UK companies and organisations fully disclosure data breaches to the UK general public...

“Public disclosure of data breaches plays an important role in driving security improvement across industries. Public scrutiny and criticism often acts as a wake up call to companies running unnecessary risks, especially those operating in the same industry as the breached organisation. There is nothing like seeing a competitor made to run over hot coals due to a data breach, to invoke a Board level reaction within similar type companies, which leads to self assessment (could this happen to us?) and quick instigation of security improvements. If you found out your next door neighbours house was burgled, isn’t one of your first reactions to assess your own home’s security?
The public are entitled to be fully informed about data breaches, not just those individuals affected. As consumers, we want to make a fully informed decision when buying products and services, and knowingly or not, security and trust comes into play with our decision process. This is especially the case with companies which take and hold our money and personal details. Such informed consumer choice, provides competitive pressurises, ensuring companies meet their security obligations, responsibility and entrustment demanded by their customers.

Keeping data breaches secret is a dangerous approach, as this approach prevents public discussion and the raising of security awareness. As a result other companies are not benefiting and learning the lessons, and so are not driving security improvement and can continue to run unnecessary risks with their customer’s information.”

No comments: