The clamour for specific security-breach legislation in the UK following the breach at Her Majesty's Revenue & Customs and more recent announcements by major corporations needs to be given more thought. Already, most multinationals struggle to deal with the legislation surrounding security breaches when the victims of the breach are from more than one country.
The legislation in the US varies from state to state with more than 30 different regimes in place. In Europe there is little uniformity even across the EU and there is law dealing in some way with breaches in about 34 countries including Germany, which also legislates on a local, not national, basis. A worldwide breach already involves a multinational looking at about 70 different pieces of law to do a thorough response - what we need is more uniformity and less law.
Specific data-breach legislation is still rare in Europe, with specific law in place in Norway, and other jurisdictions such as Finland and Guernsey looking at it publicly. The starting point in most countries in Europe is, however, the requirements imposed by data protection legislation, for example in the UK the requirement that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Similar requirements exist across most of Europe and there has already been enforcement action, for example in Spain where last year the data protection authority's fine of £867,874 was upheld after the leaking of Big Brother contestant details on the internet.
One of the great myths of data protection law in Europe is that it is uniform and that it starts and ends with the main European Community Directive, the Data Protection Directive (95/46/EC). Many countries in Europe had data protection law before this directive came along. In the UK, for example, data protection legislation pre-dates the directive by a full 10 years. In fact, since the directive, many countries in Europe have implemented more data protection legislation reflecting their local concerns. Those "new" European countries that were part of the Soviet bloc, for example, have their own concerns about excessive use of personal data, which influence how they legislate.
Most businesses recognise the need for their systems to be secure. What they need is a clear statement of their obligations and the ability to deal with regulators when a breach occurs in an open manner. Those who campaign for specific security-breach legislation often point to the US as an example, yet in the US most intelligent observers see the need for federal legislation to even out the differences in local legislation that make it such a difficult task to report a breach to victims. We would be wise to look across the Atlantic and put regulatory effort into encouraging businesses to secure their systems rather than introducing more diverse and complex rules telling us how to close the stable door once the horse has bolted.
By Jonathan Armstrong, from international law firm Eversheds
This was first published in May 2008