Consumer group asks EU for security breach law

Out-Law News | 03 Sep 2008 | 3:29 pm | 2 min. read

The National Consumer Council (NCC) has called on the European Commission to force companies that lose customer data to admit the error publicly. It believes a data breach notification law would push companies to keep data more securely.

The NCC told OUT-LAW that it is joining forces with other consumer groups across Europe to lobby the EU to introduce the controversial measure.

Most US states have data breach notification laws, but their effectiveness has been questioned. Even the UK's privacy regulator, the Information Commissioner's Office (ICO), has said that such a law could be counterproductive because frequent news of breaches could desensitise people to the effect of very serious ones.

The NCC's senior policy advisor Anna Fielder said, though, that forcing companies to notify the public about breaches would make them treat data more carefully.

"What we're asking for is when the kind of data has been lost that can pose a serious risk in terms of identity theft or taking over bank accounts or cleaning out bank accounts and so on, that the consumers are notified so that they can take appropriate measures," said Fielder.

"It will be an incentive for businesses to put better security measures in place because obviously that can cause a lot of brand damage if you notify your customers too often that you've been negligent with their data," she said.

The NCC is also calling for an increase in the powers of the ICO.

"The Commissioner should have increased powers, fining people for data breach negligence," said Fielder. "At the moment the Commissioner has no such powers so there is no incentive very often for companies to put appropriate security measures in place."

In May, the Information Commissioner was given statutory powers to fine organisations if their operational procedures cause a gross breach of data protection principles, though the legislation is not yet in force.

The European Commission has published a package of telecoms industry reform measures which contains a proposal that internet service providers (ISPs) be forced to disclose any data breaches. The European Parliament will vote on the proposal later this month.

The NCC and its European counterparts have asked the European Parliament to extend that obligation to all businesses that collect significant amounts of customers' personal data. Fielder said that would include banks, credit card companies and traders.

Data breach notification laws are not welcomed by all privacy activists. Some argue that the publicising of a large number of breaches would desensitise the public to how serious each breach is.

The ICO has said that, to be acceptable, any data breach law would have to set the reporting threshold correctly, so that only breaches of sufficient seriousness have to be disclosed.

"In principle it is a good idea, but it may be a more complex issue," ICO deputy commissioner Phil Jones told OUT-LAW.COM last year. "One of the problems is getting the threshold right. If every time there is a minor threatened risk of a breach someone has to report it then the danger is that people get fed up with it and stop paying any attention or doing anything about it. It's like crying wolf."

"Someone in the industry said to me that one of the reactions of the industry in the US is that some companies over-report, and I think you have to question what happens in that circumstance," said Jones. "Whether you are only reporting when a significant number of people are at risk or whether the risk they are at is significant, you have to set out criteria."

Fielder said that the ICO itself could be the body that decides at what point a breach should be made public.

"There obviously should be a proper evaluation and risk assessment [of breaches]," she said. "There is no point panicking consumers every time, it is important to inform people when there is a risk. This can be done by notifying the ICO who can evaluate and make a risk assessment."