Over in the U.K., John E. Dunn discusses some hefty fines that have been levied following data breaches, but comments:
The public gets to hear about the punishment but a lot is left behind a curtain of secrecy. This is wrong and possibly dangerous.
What the UK lacks is not punishments but a basic data breach notification law that puts a legal (rather than informal) onus upon organisations of any type to report breaches not just to the FSA but to the Office of the Information Commissioner. Many US states already have such laws in place which is why most of the stories of serious breaches come from over the Atlantic.
One possibility is that this will happen via some form of amendment to the 1995 EU Data protection Directive. The UK, then, is waiting for the EU to set a European precedent, which is a wise approach i the long term, but could leave the UK exposed for some years to come.
Read more in his War on Error blog on TechWorld.
There is a change in Breach Notification Law due next May (2011) but it only covers a “Personal data breach suffered by publicly available electronic communications service providers”. I was at a seminar which covered this taken by an eminent DP Legal expert and his considered opinion was that this was the first step towards mandatory notification laws. However, the ICO was reticent to undertake this due to the perceived increase in work load. If this is their reason for not encouraging this law change they surely it shows how serious they are about stopping the institutional malaise towards data security!