Data breach rules 'creating uncertainty for execs'

Full Disclosure: Businesses must join the debate, says top lawyer

Tags: privacy, disclosure, legislation, data breach

By Steve Ranger

Published: 24 July 2007 14:25 GMT

Current rules about when companies have to report customer data leaks are creating uncertainty for executives, and business leaders must join the debate on whether a change of law is needed, according to a top lawyer.

Earlier this month silicon.com launched its Full Disclosure campaign, calling for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

According to James Mullock, data protection partner at law firm Osborne Clarke, at the moment the rules around when - and who - to notify after a data breach vary from industry to industry.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or by emailing us at editorial@silicon.com.

For example, a financial services company that suffers a leak of customer information is pretty much obliged to notify the Financial Services Authority, while a retailer that loses credit card details is likely to have to proactively notify its credit card company. Some companies follow the information commissioner's best practice tip to contractually oblige outsourcers to immediately notify the information commissioner of a security breach, while others do not.

Mullock told silicon.com: "We've got a situation where different obligations are put on some companies but not on others depending on the sector they are in, and that creates a lot of uncertainty."

He said there needs to be a wide-ranging debate and the business community needs to get involved.

Mullock said: "At the moment there is a multi-tier set of requirements and your average company director will find it extremely complex. They have so many influencing factors to think about, not least the fact that they potentially face personal liability under the Data Protection Act and the Fraud Act for the failures of their company. If we have a well-managed debate and change in the law it should actually help companies decide what to do in the event of a security breach."

For there to be a change in the law the industry needs to think about when any such obligations to notify would apply, and how any change to the law would be drafted so it wouldn't become a bureaucratic nightmare, he added.

Let us know what you think of the Full Disclosure campaign. Make your voice heard by posting a Reader Comment below or emailing us at editorial@silicon.com.