Mandatory Breach Disclosure Within Four Years
By Cloud Direct • 19 Jul 2010
A law forcing all organisations to publicly declare data breaches is to be in place in the UK within four years. It is an indication that Europe is ready to go over the head of internal governments on the issue of data protection.
According to law firm Field Fisher Waterhouse (FFW), the new legislation will require organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data. The new law is expected to be rolled out and applicable to all members of the EU.
The law will be introduced under an amendment to the 1995 EU Data Protection Directive, which is currently being reviewed by the EU Commission.
Speaking at a data protection event in London last week, Eduardo Ustaran, head of privacy and information at FFW, said the amendment will be made by European data protection regulators who are helping to draw up proposed changes to the directive.
"All of the European data protection regulators have made very strong calls for this mandatory breach notification," Ustaran said. The proposed changes will be published by the EU Commission in November this year, and if approved, will have to be reflected in UK law by the end of 2014.
Stewart Room, partner in the privacy and information law group at FFW, said a mandatory law is needed because companies currently have no incentive to report data breaches. The new £500,000 fining system brought in by the Information Commissioner's Office in April this year has not worked because, at present, there is no requirement to report data breaches, and if you do, you will be fined and receive bad press.
"We are dealing with many cases that the ICO does not know about because the companies see the disincentive of punishment.
"Voluntary notification falls down substantially if the company feels that they will put their head in the noose through this behaviour."
"Most organisations in the private sector are not reporting breaches. If notification is discretionary, then a lot of people are going to be burying the bad news," he told the event organised by security company Sophos.
"We feel that breach notification should happen and should be mandatory because then we can start learning about the problems that are out there."