
'I wish they all could be California laws... '
Published: 16 March 2007 13:05 GMT
The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts.
Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do not have to disclose details of the breach - even to those affected.
Now, in the wake of recent data losses, security experts have called on UK legislators to bring laws in line with US law SB 1386, which was introduced in California in 2003 and has spread to 34 states, requiring full disclosure.
Martin Carmichael, CSO at McAfee, told silicon.com: "I think companies should be accountable. Accountability is a vital part of security and if a company has a data breach I think they should be prepared to talk about it.
"I am surprised the UK doesn't have anything in place like SB 1386."
And that feeling was echoed by Phil Zimmermann, the founder and writer of PGP encryption, who described SB 1386 as "a fiendishly clever piece of legislation" because it not only makes companies more 'on the ball' for fear of having to admit breaches or losses but also empowers consumers to make more informed choices.
The effect of being 'outed', said Zimmermann, is a very powerful tool. "I think companies respond far more to the outing than they would to a fine," he said.
Zimmermann added: "In the UK you really should push your government to force disclosure."
Here in the UK there is no such requirement for companies to warn customers if their personal data has been put at risk. Last year this led to criticism of the way a potential security breach, which resulted in thousands of credit cards being cancelled, was handled.
As a spokeswoman for the Information Commissioner's Office told silicon.com last year: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur."
Hmm, somehow cannot see that getting into law quic...
Anonymous
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.