
Full Disclosure: Time for a leap forward in internet security, say Lords
By Steve Ranger
Published: 10 August 2007 12:38 BST
Passing a data security breach law is one of the most important advances the UK could make to improve internet security, according to an influential House of Lords committee.
And the government should begin consultation on the scope of such a law "as a matter of urgency", according to the House of Lords Science and Technology Committee.
The message is in line with silicon.com's Full Disclosure campaign, which has been calling for a rethink of the law in this area to improve the reporting of data breaches, so that companies have to reveal when they lose sensitive data.
silicon.com's Full Disclosure campaign - what we are asking for...
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.
The Science and Technology Committee said in its Personal Internet Security report that the data security breach notification law should include the following: workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost and criteria for the accessibility of that data; a mandatory and uniform central reporting system; and clear rules on the form and content of notification letters, which must state the nature of the breach and provide advice on the steps that individuals should take to deal with it.
The report explained: "A key issue is the fact that businesses are not currently required to report or publicise security breaches." It then warned: "The absence of a duty of disclosure reduces the likelihood that customers will identify, complain of and provide proof of fraud; it also, since such complaints are in turn the most likely means of prompting disclosure, leads to a vicious circle of under-reporting."
It said the situation in the US - many parts of which do have a disclosure law - stands in marked contrast to that in the UK: "Both the prospect of tough penalties, and, more importantly, the prospects of public embarrassment and loss of share value, provide strong incentives to companies to prioritise data security at the highest level."
The report added: "Whereas in the past companies would often conceal attacks on their systems so as not to damage their reputation, now, since individuals had to be informed anyway, they were far more willing to report such events to law enforcement."
But the Lords said the position of the UK government towards such legislation was lukewarm and said: "We believe that the UK is now ideally placed to learn from the successes and failures of the many state laws in force in the United States and get this detail right, establishing a workable and effective legislative framework."
It also said EU laws currently proposed in Brussels will have little impact in raising the incentives for business to take the necessary steps to protect personal internet security, and called for stronger enforcement powers for the Information Commissioner's Office.
If you want to find out more about silicon.com's campaign read the original Full Disclosure manifesto or find out what a leading lawyer thinks about the current state of data disclosure legislation.
silicon.com's Full Disclosure campaign is about giving the public confidence that when they entrust their personal information to an organisation, it will act as a responsible guardian of that data. Reinforcing that trust will encourage more people to interact online, providing an important boost to the online economy. Sign the e-petition and make your voice heard by government.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.