This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://management.silicon.com/itdirector/0,39024673,39168345,00.htm
Steve Ranger's Notebook: Don't let sleeping data dogs lie
Full Disclosure: Why we have to act...
By Steve Ranger
Published: Tuesday 04 September 2007
Californian law obliges companies to come clean about data breaches. Steve Ranger says it's high time the UK considered following suit.
What if your credit card details, address, date of birth, bank account data - everything about you that an identity thief could possibly want - were stolen by hackers or accidentally leaked onto the internet by companies you thought you could trust?
If you think that sounds bad, it might just have happened to you already and if you live in the UK you would never find out about it. Until, that is, you discover someone has used your details in an identity fraud.
Apart from a few regulated sectors of industry, if a company or government agency loses your sensitive personal data, they don't have to warn you. As things stand, they don't have to tell anyone at all.
In California the picture is brighter and the state's approach is one we should consider emulating. There a law known as SB 1386 obliges state agencies or businesses to disclose data security breaches to residents if their unencrypted personal information may have been compromised.
Yet in the UK, there is no such law. At the moment, if a UK business has a security breach, there is inevitably enormous pressure to make sure no one finds out about it.
And if a company were to come clean, it would be likely to face fierce criticism, while a firm that stayed silent would escape censure.
This is why silicon.com recently launched its Full Disclosure campaign. It's time for us to discuss whether such a law would work in the UK. And there is a head of steam building that says it would.
silicon.com's Full Disclosure campaign - what we are asking for...
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.
Opponents of such a law say it might impede police investigations - but the Californian law allows for notifications to be delayed if crime agencies think disclosure might hamper their attempts to catch the bad guys.
And according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law, being honest about data breaches benefits other organisations because they can learn lessons from each breach and avoid endlessly repeating the same costly mistakes.
A law would create a level playing field - all organisations that lose sensitive data would have to report it. Companies would be obliged to make security - and not the cover-up - a priority.
As Californian state senator Joe Simitian, one of the architects of the state's data breach notification law, told me recently: "What you don't know can hurt you and ignorance is not bliss."
This is no time to let sleeping dogs lie. So let's get out there and bark.
silicon.com's Full Disclosure campaign is about giving the public confidence that when they entrust their personal information to an organisation it will act as a responsible guardian of that data. Reinforcing that trust will encourage more people to interact online, providing an important boost to the online economy. Sign the e-petition and make your voice heard by government.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.