The value of a US-style data breach notification law is questionable. Once notified of a breach, the data subject can do little but remain alert to potential frauds. With the volume of incidents in recent times, most people would soon become tired of receiving notifications.
Clearly, where sensitive personal information is lost, such as in the case of trainee doctors’ sexual orientation being erroneously posted on the Internet, there is a case for penalising the organisations concerned. Likewise, if fraud can be directly traced back to the loss or theft of data, then this should be prosecuted in accordance with existing laws.
Rather than creating a cumbersome and self-serving new regulator tasked with notifying individuals of breaches, we need to provide a ten-fold increase in funding for the existing Information Commissioner’s Office, which would give his team the necessary resources to investigate and enforce existing data protection laws. The US model succeeds because of a powerful and well-funded Federal Trade Commission, coupled with a litigious culture – not because of a well-meaning rule to force disclosure.