A survey has found that 87 per cent of organisations feel that disclosure should be forced when sensitive data about the public is exposed.
At a roundtable hosted by Field Fisher Waterhouse and Sophos, which conducted the survey, it was suggested that people should be forced to disclose losses rather than keeping quiet. Kasey Chappelle, global privacy counsel at Vodafone, asked the roundtable who they thought the breach should be disclosed to.
She said: “Are we talking about disclosure to a regulator or disclosure to the effect of consumers? I have gotten five disclosures (of a data breach) and the first time I flurried, I went to the different credit bureaus, I put checking on my account and I got really anxious about it, and the second time I got one I was a little less concerned and after that I did not care any more.”
Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, said: “I think the real answer is what is a policy objective that you would try to achieve with breach disclosure? Is it about understanding the nature of the problem, so through transparency we can then analyse where things are going wrong and then we have better evidence to bring conclusions?
“Another strand to breach disclosure is the deterrent effect, so breaches hit the headlines and then there is a deterrent effect to organisations as they see their competitors held up. Then there is a third piece, where there is a consumer protection policy objective here? Should Joe Public be aware of problems so they can mitigate loss? So the answer to that is what kind of state do you want? Is it more paternalistic where you say you don't need to tell the individual, or is it a state that has more discretions over that allows the individuals to be complacent if they want to be?”
Chappelle said that she thought there should be some sort of requirement, and she said there should be a consideration of what the disclosure looks like and who it is to.
James Lyne, senior technologist at Sophos, said: “I think there is a lot to be said for the transparency piece, on identifying where it is going wrong. Security is by no means a simple matter, in process, people and technology terms, we have this ambition to be at the leading charge of the new business economy, and to be the data safe haven we need to be that aggressive with our mistakes.
“There is a huge opportunity for the government and Information Commissioner's Office to take a lead in this task.”
In terms of protection of the individual, Lyne said that it was ‘a horrible middle ground’ and claimed that he hated the idea of dealing with a data breach and, having been a victim of identity theft, hated not being told. “In the middle is the answer and we have to be clear on the objectives,” he said.
Room said that following a change to the Data Protection Act by the European Commission – applicable to electronic communications – there was no doubt that mandatory breach disclosure would come in.
Sophos VP of UK and Ireland Ciaran Rafferty said that the survey's findings revealed that while almost 40 per cent of businesses were confident they complied with the legislation, more than half were unsure or concerned about whether they were compliant.
He said: “Sophos would urge all businesses with concerns about the current UK legislation to offer their views to the MoJ. Only with feedback from UK businesses can the MoJ properly assess whether the legislation needs further amendments.”