Watchdog demands data breach confessions

Watchdog the National Consumer Council (NCC) is calling on lawmakers to force businesses to confess to their data breaches.

The NCC is petitioning the European Union to draft legal powers to compel businesses and banks to inform customers when they lose their personal data.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The EU is currently debating proposals to overhaul the ePrivacy Directive to compel ISPs to come clean about data breaches, recently welcomed by deputy information commissioner David Smith.

The NCC, and its fellow European consumer watchdogs, want the proposed revisions to be extended so that all UK banks and businesses face a reporting requirement, claiming that because many smaller breaches go unreported by UK businesses, consumers can't properly defend themselves against identity fraud.

Anna Fielder, senior policy advisor with the NCC, told silicon.com: "Thousands of businesses are handling bank account details, dates of birth and other personal details daily and a lot of incidents could go unreported because they are not considered high profile enough.

"All banks and businesses should be obliged to report losses to enable customers to take action and protect themselves."

Fielder added: "It would also provide the incentive needed for businesses to improve their data security and be less cavalier with customers' data."

According to Fielder, the UK is failing to keep up with the US, where about 40 States have a data breach notification law in place.

She said: "We are hoping that we will get support for this in the EU but we understand that it will be resisted by business."

The reckless loss of personal data became a civil offence earlier this year and the NCC called for the Information Commissioner's Office to be given more powers to fine offending private and public sector organisations.

The issue of public data loss shot into the public eye late last year with the HMRC's loss of 25 million people's details on two CDs, which sparked a host of revelations about missing data in government and business - most recently a Home Office contractor losing the details of 84,000 prisoners and personal data of one million bank customers being found on a server sold on eBay.