AlertBoot Endpoint Security

Data Encryption Law? The UK Will Have Breach Disclosure Law In 4 Years

According to silicon.com, the UK will have a "public breach disclosure" law by 2014, in keeping up with amendments to the EU's Data Protection Directive, which was originally passed in 1995.  Although data encryption software isn't mentioned, seeing how the law seems to be modeled after the ones passed in the US, I wouldn't be surprised to see some kind of safe harbor amendment to the breach disclosure law as well.

The proposed changes to the EU directive are scheduled to be published this coming November and, if they pass, will have to be reflected in UK law by the end of 2014.  (No doubt the same deadline applies to other EU member states as well.)

The UK, of course, already has the ICO (the Information Commissioner's Office) which kind of polices data breaches in the island nation.

ICO Discourages Companies from Reporting Breaches?

The same article quotes a partner at Field Fisher Waterhouse who notes that the ICO's ability to fine any company that suffers a data breach up to £500,000 is "discouraging companies from owning up to data breaches."

He notes that his firm deals with breach cases that the ICO is unaware of, since the companies involved don't want to reveal the breach because of the potential punishment.

I find the excuse to be hogwash.  As if they would ever go public with it.  Even if the ICO didn't have the power to assess fines, such companies would never go public with their breaches anyway: there is no upside to going public with a breach, after all.  At least, not to the company announcing the breach.

Even if there were no fines, there'd be public relations fallout; lawsuits (which in America would be dismissed); etc.  If it ain't the fines, it's gonna be some other reason for not going public.  How disingenuous could they possibly be?

Do these companies honestly think that the general public would believe a line such as, "oh, gee whiz.  We'd really love to go public with a data breach, but the ICO's power to fine us is a real turn-off, so we're taking the law into our own hands and not reporting the breach"?


Related Articles and Sites:
http://www.silicon.com/management/public-sector/2010/07/16/uk-headed-for-data-breach-disclosure-law-within-four-years-39746105/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.