After some "Will they? Won't they?" speculation, the Ministry of Justice (MOJ) confirmed that the Government will not be introducing a mandatory data breach notification law for the private sector as part of its package of data protection law reforms outlined in the Queen's Speech for 2008/09.
Numerous press reports of data leaks over the past year may have fuelled public anxiety over the integrity of the personal information held by the public and private sectors alike, especially if you believe that gangs of identity fraudsters are marauding the Internet and scouring dustbins in search of our personal details.
Against this background, there have been calls for the UK to introduce a mandatory breach notification law across all business sectors. This would put organisations under a legal duty to report any security breach to a regulator and to notify the individuals whose personal data was affected. In the aftermath of the HMRC/Child Benefit case, Government departments (and, indirectly, their contractors) are already required to notify data breaches to the Information Commissioner (ICO). HMRC has also been a catalyst for confessions across industry, with the ICO recently disclosing that 277 security breaches have been reported to his office since November 2007. However, that system is voluntary and, although plainly viewed by the ICO as 'good practice' under the current general data protection rules, there is at present no express duty under UK law to publicly report a data security incident.
There are some sector exceptions. Firms regulated by the Financial Services Authority (FSA) are arguably obliged to notify data breaches as part of their general reporting duties to the FSA. A new e-Privacy Directive is also being debated in the EU Parliament and, as currently drafted, it will require ISPs and telecoms operators to notify customers of data security breaches affecting their networks (probably by 2011).
The MOJ, following recommendations by Richard Thomas, the current Information Commissioner, concluded that a mandatory requirement for all private sector organisations would "contribute little to the security of personal data". This view is based on the experience of the United States, where notification laws are the norm. Although states such as California require businesses to issue breach notices to customers whose personal information is compromised, it seems that the sheer number of security incidents has left individuals flooded with notices of no clear benefit to the recipient. In fact, many companies apparently see any such contact with the customer as an opportunity to send marketing material, and breach notices are increasingly viewed as a form of junk mail.
Despite this, the notification issue is far from dead in the water on this side of the pond. Lobbying is under way to extend the scope of the e-Privacy Directive's notification requirements beyond communications providers to other organisations with an online presence (such as banks and credit card providers). If this happens, the UK will have to implement those requirements in national law.
What has not yet been decided is how such a law would operate in practice. Notification may often be peddled as 'a good thing', but the devil is in the detail. For example, should the requirement be to notify only a regulator (as the ICO prefers), or should the public be informed at the same time? The full gravity of a lost memory stick may not be instantly apparent, and premature notification may in some cases be counterproductive. Take the Nationwide case last year, where a laptop containing customer details was stolen in the course of a burglary. The FSA and the police apparently decided that Nationwide should not 'go public' immediately, for fear that this would alert the thieves to the potential value of their cache. Given the US experience, there are also grounds for introducing an element of materiality so that the most minor breaches do not trigger a notification. Defining what is 'material', however, is a trickier issue.
With new enforcement powers coming on stream in the next few months, the ICO is increasingly determined to take action against any organisation that fails to implement management systems and processes, not only to minimise the risk of an incident but also to properly investigate and manage breaches when they happen. Ultimately, breach notification may be only a sideshow compared with the wider information management issue.