Need for sensible response to data breaches - May 2008
For direct marketers whose life blood is data, all the recent column inches about privacy breaches make uncomfortable reading. Prevailing commercial sense – long before data protection legislation – means that companies have always been concerned about the security of the personal data they hold, but almost anybody in the business can cite incidents where data has been “lost in space”.
So, the next time this happens, should we go running to the Information Commissioner to confess all? Worse still, do we really need to tell our customers that we have failed in our duty of care over their information?
Despite commentators demanding stringent data breach notification along the lines of some US States, the Information Commissioner is keen to stress that we need to be proportionate in our response to data losses. And he should know: having received over 100 breach notifications since the infamous HMRC debacle (commonly referred to as “datagate”), Richard Thomas has recently become something of a father confessor.
Of course if the loss is significant and the data sensitive, the company should not hesitate to notify, starting with the ICO and moving rapidly on to the customers affected.
Formal advice from the ICO counsels a stepped approach to any breach starting with containment and recovery and a swift assessment of the ongoing risk posed by the data loss. Only then should the data controller consider notification. Individuals need to be told of the breach if they are in real danger of suffering harm or if it would give them the opportunity to take remedial action (like changing passwords). However, the ICO also makes it clear that there may be real dangers of ‘over notifying’ and asserts that not every incident will warrant notification.
Informing people about a breach is not an end in itself and – for now at least – there is no law expressly requiring notification.