Infosecurity 2012: ICO opposes mandatory data breach notification

Information Commissioner Christopher Graham calls mandatory breach disclosure for all companies unnecessary, saying voluntary disclosure is working.

LONDON -- Information Commissioner Christopher Graham used his keynote speech at Infosecurity Europe 2012 to sound a warning against the introduction of mandatory data breach notification requirements for all companies.

We want to get the level of fines right, but companies need to know the ICO is not a toothless watchdog.

Christopher Graham,
Information Commissioner

Graham argued that if mandatory disclosure were introduced, as proposed in new draft EU regulations currently under consideration, the Information Commissioner’s Office (ICO) would be “buried” under a deluge of breach notifications.

“We would become the box-tickers of Wilmslow [the ICO’s headquarters near Manchester],” Graham said.

Graham said the ICO needs to be “selective to be effective.” He said the current system of voluntary breach disclosure works well because companies know they are less likely to be punished if they are open about breaches, rather than trying to cover them up.

“They know that they will be dealt with more severely if they attempt to conceal a breach,” Graham said.

The ICO audited 40 companies last year and 27 in the previous year. Graham said these audits were consensual – that is, with the prior agreement of the organisations concerned. The audits were triggered by an event, such as a breach, and, according to Graham, were intended help the organisations improve their security procedures.

The ICO currently has the right to carry out compulsory, unannounced audits on central government departments where it believes security weaknesses exist. Graham said he intended to argue for that right to be extended to parts of the National Health Service (NHS) and also to local government. The ICO does not have the right to audit other organisations without their consent.

Graham emphasised the educational role the ICO is taking, saying it is aimed at raising awareness of security issues and the need to protect personal data. He illustrated this by describing recent research the ICO had conducted to find out about data that organisations and consumers leave behind when they dispose of equipment.

ICO researchers bought second-hand equipment including 200 hard drives, 20 memory sticks and 10 mobile phones, and inspected the contents of these devices. While the phones and memory sticks contained little of interest, he said only 47% of the disks had been wiped or were otherwise unreadable. The remainder held data, including some personal data.

More highlights from Infosecurity 2012

Get more news and important research from the Infosecurity 2012 conference, including coverage of security threats and data breaches.

In total, the researchers found 34,000 files containing personal or corporate data, “ample for carrying out a compromise against the people and organisations involved,” Graham said. He noted the ICO had followed up with four organisations to discuss their data handling.

Many people still wrongly believe that data is actually deleted when they hit the delete key, Graham said. The ICO has published a simple guide to deleting data to help organisations properly delete their hard disks before disposing of them.

While emphasising the ICO’s role in spreading good practice and awareness, Graham said the ICO’s ability to hand out fines of up to £500,000 for serious breaches has been effective. So far, the ICO has issued what it calls Civil Monetary Penalties to 14 organisations, the majority of which have been local authorities. The penalties have ranged in value from £1,000 to £140,000 in the case of Midlothian Council.

Graham stated the penalties were applied only when the organisations involved had shown a reckless disregard for data protection. “We want to get the level of fines right," he said, "but companies need to know the ICO is not a toothless watchdog.”

Read more on Data breach incident management and recovery