Security Strategy

Privacy breach companies 'must be named'

The public has a right to know, say silicon.com readers

Tags: card fraud, breach

By Steve Ranger

Published: 2 May 2006 17:10 GMT

Companies that suffer security breaches in which customer data is put at risk should be publicly named, according to silicon.com readers.

Last week silicon.com revealed that a potential security breach at a UK-based online retailer is being investigated and has led to thousands of MasterCard and Visa holders having their credit cards cancelled.

And now silicon.com readers - many of them card holders who have been affected - are calling for the retailer's name to be made public.

A reader - among those to have their card replaced - said: "As one of those 4,000 affected, I believe that if there is no doubt as to where the data originated then we should be made aware of that fact."

Another anonymous reader added: "It is not acceptable for the name of the retailer to be kept secret. The public have a right to know."

A marketing director called Iain pointed out that US companies have different rules to follow: "If this happened in [the] US, the retailer would be exposed and hit with hefty PR and financial costs. Not much point in having Data Protection laws if they only generate a slap on the wrist."

Stuart Horner, a managing director from Sheffield, said: "I fully agree that the retailer should be named - if only to protect future users of their site. I will be reviewing my use of internet retailers in the future."

In the UK, companies are not required to go public with data breaches, in contrast to California - and soon possibly the whole of the US - where legislation requires them to do so.

A spokesman for the Information Commissioner's Office (ICO) said there is nothing in the Data Protection Act to require a company to inform either its customers or the ICO if a data breach has occurred, but added: "If a company has a breach then it would help us if they let us know... In terms of us taking action, if we receive a complaint we will investigate in the normal way."
