Data breach notification is not the solution


The value of a US-style data breach notification law is questionable. Once notified of a breach, there is little that the data subject can do but remain alert to potential frauds. With the volume of incidents in recent times, most people would soon become tired of receiving notifications.

Clearly where sensitive personal information is lost, such as in the case of trainee doctors’ sexual orientation being erroneously posted on the Internet, there is a case for penalising the organisations concerned. Likewise, if fraud can be directly traced back to the loss or theft of data, then this should be prosecuted in accordance with existing laws.

Rather than creating a cumbersome and self-serving new regulator tasked with notifying individuals of breaches, we need to provide a ten-fold increase in funding for the existing Information Commissioner’s Office, which would give his team the necessary resources to investigate and enforce existing data protection laws. The US model succeeds because of a powerful and well-funded Federal Trade Commission, coupled with a litigious culture – not because of a well-meaning rule to force disclosure.


  • I completely 100% agree, it is all well and good being told that personal information has been lost, but what does that mean to the individual? Like you say, sitting there keeping an eye on your accounts etc, which is time consuming and not your fault.

    Wouldn't it be better for the organisation to know whether the data had been accessed and, even better, destroyed? There are products out there like our Backstopp solution which do this, giving organisations the power to delete data should the device it resides on go missing, then report back the deletion and whether the data had been accessed since it went missing. Surely this is a lot more helpful to the public?

  • The huge number of breaches (mainly in the US) makes it difficult for consumers to differentiate between them. The Breach Blog issues 1-3 reports a day.



    The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.
