[ISN] Pressure grows for UK data loss disclosure

From: InfoSec News (alerts@private)
Date: Sun Mar 18 2007 - 21:33:03 PST

Previous message: InfoSec News: "[ISN] NIST Likely To Lift Windows Vista Ban If Microsoft's New OS Passes Muster"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

http://software.silicon.com/security/0,39024655,39166396,00.htm

By Will Sturgeon
16 March 2007

The UK is in desperate need of revisions to laws that govern the 
disclosure of information relating to data loss or theft, according to 
security experts.

Currently UK organisations that lose sensitive customer or employee 
data, or expose it to others, do not have to disclose details of the 
breach - even to those affected.

Now, in the wake of recent data losses, security experts have called on 
UK legislators to bring laws in line with US law SB 1386, which was 
introduced in California in 2003 and has spread to 34 states, requiring 
full disclosure.

Martin Carmichael, CSO at McAfee, told silicon.com: "I think companies 
should be accountable. Accountability is a vital part of security and if 
a company has a data breach I think they should be prepared to talk 
about it.

"I am surprised the UK doesn't have anything in place like SB 1386."

And that feeling was echoed by Phil Zimmerman, the founder and writer of 
PGP encryption, who described SB 1386 as "a fiendishly clever piece of 
legislation" because it not only makes companies more 'on the ball' for 
fear of having to admit breaches or losses but also empowers consumers 
to make more informed choices.

The effect of being 'outed', said Zimmerman, is a very powerful tool. "I 
think companies respond far more to the outing than they would to a 
fine," he said.

Zimmerman added: "In the UK you really should push your government to 
force disclosure."

Here in the UK there is no such requirement for companies to warn 
customers if their personal data has been put at risk. Last year this 
led to criticism of the way a potential security breach, which resulted 
in thousands of credit cards being cancelled, was handled.

As a spokeswoman for the Information Commissioner's Office told 
silicon.com last year: "There is nothing in the Data Protection Act that 
legally obliges companies to inform customers when these things occur."


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org

Previous message: InfoSec News: "[ISN] NIST Likely To Lift Windows Vista Ban If Microsoft's New OS Passes Muster"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Sun Mar 18 2007 - 21:40:00 PST