NESTA Crime Online - University of Brighton Repository
most important advances that the UK could make in promoting personal Internet security". 231

In both Europe and the UK, there have been many proposals over the last five years for legislative change that would force firms to notify regulators and customers of all breaches of their data security. Many voices have come out in favour of enacting data security breach notification laws (UK NGOs 232 and the European Data Protection Supervisor – EDPS). 233 In the UK, there were encouraging signs when the Information Commissioner's Office (ICO) suggested that the revisions to the EU's ePrivacy Directive "could be the 'catalyst' needed to get data-breach notification into UK law" in July 2008. 234 However, by November, the UK government announced that it would not be implementing a data-breach notification law similar to the existing one in the US. This stance could put the Government at odds with the European Union, which plans to force companies to own up to data breaches as part of its new ePrivacy Directive.

By contrast, 44 US states 235 had enacted legislation by December 2008 which requires notification of any security breaches involving personal information from public and private organisations. Legislation on data breach notification was first passed in California in 2003. 236 In general, most state laws follow the basic tenets of California's original law: companies must immediately disclose a data breach to customers, usually in writing. Also in California, there is a private right of action, and there are very few exemptions. 237 Since the adoption of this legislation in a majority of US states, reports of security breaches have rocketed and breaches from private companies are regularly reported. In the UK it has been argued that the US experience has not been a
231 House of Lords, 2007, Personal Internet Security Report, p 57.
232 For example silicon.com, which launched a Full Disclosure campaign in 2007.
233 The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration's own data processing and by commenting on pending legislation.
234 Heath, N. (2008) "ICO: Data breach law moves closer", www.silicon.com, 3/7/08.
235 Plus the District of Columbia, Puerto Rico and the Virgin Islands.
236 Data breach disclosure law, SB 1386.
237 Laws in some other states allow more exemptions or do not allow a private right of action. For instance, California allows exemptions for encrypted data that is lost and for publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.
Page 84