Advertisement
 
To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------
Data breach laws need more debate: Lawyer

By Steve Ranger, silicon.com
July 25, 2007
URL: http://www.zdnet.com.au/news/security/soa/Data-breach-laws-need-more-debate-Lawyer/0,130061744,339280470,00.htm


Businesses need to get involved in the debate over whether organisations should be forced to reveal data breaches that have put personal information at risk, according to a top UK lawyer.

Earlier this month ZDNet Australia's sister site silicon.com launched its Full Disclosure campaign, calling for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

According to James Mullock, data protection partner at law firm Osborne Clarke, at the moment the rules around when -- and who -- to notify after a data breach vary from industry to industry.

Mullock told silicon.com: "We've got a situation where different obligations are put on some companies but not on others depending on the sector they are in, and that creates a lot of uncertainty."

He said there needs to be a wide-ranging debate and the business community needs to get involved.

Mullock said: "At the moment there is a multi-tier set of requirements and your average company director will find it extremely complex. They have so many influencing factors to think about not least the fact that they potentially face personal liability under the Data Protection Act and the Fraud Act for the failures of their company. If we have a well-managed debate and change in the law it should actually help companies decide what to do in the event of a security breach."

For there to be a change in the law the industry needs to think about when any such obligations to notify would apply, and how any change to the law would be drafted so it wouldn't become a bureaucratic nightmare, he added.

Meanwhile in Australia, there is currently, no law which makes it mandatory for businesses to reveal breaches of data. However, there is a submission before the Australian Law Reform Commission (ALRC) to make amendments to the Privacy Act which would force organisations to reveal security breaches that led to the exposure of personal data.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.