
If an organisation has failed to keep data secure, it seems that the public wants to know about it. However, under English law not all organisations are obliged to report data security breaches when they happen.
Legislation currently in force only obliges providers of “public electronic communication services” (i.e. internet service providers (ISPs) and telecommunications operators) to come clean should they suffer a data security breach. This reporting obligation is primarily to the Information Commissioner’s Office (ICO), rather than to the individuals whose data has been compromised. ISPs and telecommunications operators only have to notify an affected individual directly if the security breach is likely to “adversely affect the personal data or privacy” of that individual, and they retain discretion as to whether such notification is necessary. Individuals also need not be notified if the ICO is satisfied that the compromised data was properly encrypted.

The vast majority of organisations are therefore under no legal obligation to disclose data security breaches. That means if a retailer or bank, for example, loses its customer data, it is under no obligation to declare the fact. In the circumstances it is conceivable that some organisations would happily keep quiet should the worst happen, in an attempt to prevent the reputational damage and loss of customer goodwill which inevitably accompanies publication of a data security breach.

However, despite the current lack of a blanket legal obligation to report data security breaches, keeping quiet is not without risk. Organisations need to be mindful that the ICO has the power to issue monetary penalties of up to £500,000 for serious breaches of the data protection legislation, regardless of company sector, and has historically reserved its largest fines for organisations which have suffered data security breaches.