The concept of voluntary breach disclosure is not workable if a company is then likely to face a fine.
Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, claimed that his ‘clients see disincentive’ in voluntary disclosure: under a voluntary regime, the majority of organisations will not report if a fee or penalty flows from doing so.
Speaking at a roundtable co-hosted with Sophos last week, Room said: “A voluntary disclosure scheme falls down substantially if the regulator gives the impression to controllers that he will put their heads in a noose for that behaviour. I think that the regulator needs to make a very clear statement, if it is going to propose a voluntary scheme, that you get a benefit from that.
“It depends on what you want in terms of the breach disclosure. Some people want a deterrent, and my view is that I am not impressed with breach disclosure that is designed to protect the individual department. I don't think it works. I don't believe in breach disclosure as a deterrent effect; if you are trying to give rise to a deterrent through the use of negatives, then there is punishment as well.
“I think that the point of disclosure is to understand the problem and come up with better solutions for dealing with that risk issue in the business. It certainly shouldn't be about a voluntary regime that can lead to punishment.”
James Ford, head of the Information Commissioner's Office (ICO) press office, said: “In terms of self-reporting breaches, the commissioner encourages organisations that experience a security breach to come to the ICO to talk to us about that, so we can help that organisation improve for the future and advise them on steps that they can take to make sure that another breach does not occur.
“I think that is the starting point. It would be helpful if they know that they can come to the ICO and get advice, support, guidance and an audit if that is what is required to help them take these measures more seriously in the future.
“There will come a time where some breaches will require further action, be they self-reported or discovered. As the law stands, the commissioner has the power to take action against companies who experience security breaches, and the reason that he has those powers comes back to deterrence. The commissioner is not in the business of waving his big stick for the sake of it; he is in the business of making sure that boardrooms understand the importance of the issues that we are talking about today.”