Europe working on legislation to notify victims of information breaches. A law forcing all organisations to publically declare data breaches is expected to be in place in the UK within four years. According to lawyers at law firm Field Fisher Waterhouse (FFW), legislation requiring organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data will be introduced across Europe. Eduardo Ustaran, head of the privacy and information law group at FFW, said the law will be introduced under an amendment to the 1995 EU Data Protection Directive, which is currently being reviewed by the EU Commission. The amendment will be made by European data protection regulators who are helping to draw up proposed changes to the directive, Ustaran told silicon.com at a data protection event in London yesterday. "All of the European data protection regulators have made very strong calls for this mandatory breach notification," Ustaran said.
The proposed changes to the EU directive will be published by the EU Commission in November this year, and if approved, will have to be reflected in UK law by the end of 2014. Telcos and ISPs in Europe will have to publically declare serious security breaches including personal data even earlier under a separate EU directive, which will come into force in the UK in May next year. Stewart Room, partner in the privacy and information law group at FFW, said a mandatory law is needed as companies are currently covering up data breaches. "Most organisations in the private sector are not reporting breaches. If notification is discretionary, then a lot of people are going to be burying the bad news," he told the event organised by security company Sophos. "We feel that breach notification should happen and should be mandatory because then we can start learning about the problems that are out there."
Room said the Information Commissioner's Office (ICO) powers to fine companies up to £500,000 for serious breaches of the Data Protection Act, which the ICO gained in April this year, are also discouraging companies from owning up to data breaches. "We are dealing with many cases that the ICO does not know about because the companies see the disincentive of punishment. "Voluntary notification falls down substantially if the company feels that they will put their head in the noose through this behaviour." Room however supported the idea of an uncapped fine once a mandatory data breach notification law is in place.
The roundtable event coincided with the release of the ICO's annual report yesterday, which found there has been a 30 per cent increase in data protection complaints and requests for information over the past year. Source