The Ministry of Justice has said it will not be introducing laws to make the notification of security breaches mandatory.

 

In response to the Data Sharing Review report, it said the Government is ‘committed to developing an approach that tackles the problems encountered in the US and is more suitable for the needs of robust data protection in the UK’.

 

The proposals will also enable the Information Commissioner to require any person, where a warrant is being served, to provide information required to determine compliance with the Data Protection Act 1998.

 

Chris Mayers, chief security architect at Citrix, said: “All organisations handling sensitive data need to realise there is nothing more important than their responsibility to keep that data secure. If a breach does occur, the victims must be notified as failure to disclose the news can increase the window of opportunity for fraudsters who obtain personal data.

“Those that deal recklessly with sensitive information should suffer the consequences - but we need laws to enforce this.”

 

He claimed that in the US, a series of laws introduced in California in 2003 have proven successful as companies not only fear the public backlash upon being named and shamed, but also face the very real threat of criminal prosecution if they fail to disclose a breach.
 

Mayers said: “That fear has forced many US companies to check and double-check all the processes they have in place when handling sensitive information. Sadly, a similar level of diligence is severely lacking in the UK and with all legislation around the topic on hold, we're likely to see data breaches continuing to hit the headlines throughout 2009.”