Data breach notification is not the solution

The value of a US-style data breach notification law is questionable. Once notified of a breach, there is little that the data subject can do but remain alert to potential frauds. With the volume of incidents in recent times, most people would soon become tired of receiving notifications.

Clearly where sensitive personal information is lost, such as in the case of trainee doctors’ sexual orientation being erroneously posted on the Internet, there is a case for penalising the organisations concerned. Likewise, if fraud can be directly traced back to the loss or theft of data, then this should be prosecuted in accordance with existing laws.

Rather than creating a cumbersome and self-serving new regulator tasked with notifying individuals of breaches, we need to provide a ten-fold increase in funding for the existing Information Commissioner’s Office, which would give his team the necessary resources to investigate and enforce existing data protection laws. The US model succeeds because of a powerful and well-funded Federal Trade Commission, coupled with a litigious culture – not because of a well-meaning rule to force disclosure.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I completely 100% agree, it is all well and good being told that personal information has been lost, but what does that mean to the individual? Like you say, sitting there keeping an eye on your accounts etc, which is time consuming and not your fault.

Wouldn't be better for the organisation to know whether the data had been accessed and even better destroyed? There are products out there like our Backstopp solution which do this. Giving organisations the power to delete data should the device it resides on goes missing, then report back the deletion and whether the data had been accessed since it went missing. Surely this is a lot more helpful to the public?

The huge number of breaches (mainly in the US) makes it difficult for consumers to differentiate between them. The Breach Blog issues 1-3 reports a day.