This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39158601,00.htm
Privacy breach companies 'must be named'
The public has a right to know, say silicon.com readers
By Steve Ranger
Published: Tuesday 02 May 2006
Companies that suffer security breaches in which customer data is put at risk should be publicly named, according to silicon.com readers.
Last week silicon.com revealed that a potential security breach at a UK-based online retailer is being investigated and has led to thousands of MasterCard and Visa holders having their credit cards cancelled.
And now silicon.com readers - many of them card holders who have been affected - are calling for the retailer's name to be made public.
A reader - among those to have their card replaced - said: "As one of those 4,000 affected, I believe that if there is no doubt as to where the data originated then we should be made aware of that fact."
Another anonymous reader added: "It is not acceptable for the name of the retailer to be kept secret. The public have a right to know."
A marketing director called Iain pointed out that US companies have different rules to follow: "If this happened in [the] US, the retailer would be exposed and hit with hefty PR and financial costs. Not much point in having Data Protection laws if they only generate a slap on the wrist."
Stuart Horner, a managing director from Sheffield, said: "I fully agree that the retailer should be named - if only to protect future users of their site. I will be reviewing my use of internet retailers in the future."
In the UK, companies are not required to go public with data breaches, in contrast to California - and soon possibly the whole of the US - where legislation requires them to do so.
A spokesman for the Information Commissioner's Office (ICO) said there is nothing in the Data Protection Act to require a company to inform either its customers or the ICO if a data breach has occurred but added: "If a company has a breach then it would help us if they let us know... In terms of us taking action, if we receive a complaint we will investigate in the normal way."
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.