Friday 27 January 2012

Taking a butchers at our breaches

Yesterday afternoon, a select group of the usual suspects gathered together to share war stories about their experiences of dealing with data breaches.

The speakers included an official from the ICO, a couple of lawyers, and a pair of data protection officers, all of whom had different perspectives to share. And a useful sharing session it actually was, especially when it became pretty clear that everyone was keen on developing a reasonably settled view on precisely the same issues. We’re just not there, yet.

The usual elephants were in the room. Who would be the first to admit that they didn't know what a data breach actually was, as the definition (in the ePrivacy Directive and the proposed General Data Protection Regulation) was so vague? Who would be the first to point out that some reporting threshold was required, to avoid overburdening the regulator with trivia? And who would be the first to question the need for the regulator to receive breach reports, if it wasn't at all clear what they were doing with the information that was being supplied?

No one in the room suggested that data breach management was not an important issue. And everyone agreed that responsible data controllers would be straining every sinew to resolve the trivial, as well as the more serious, data breaches. This is because they cared about their customers and certainly wanted to engage, to the greatest extent possible, with their customers. News of an extremely recent UK data breach revealed how quickly the data controller was seen to act when allegations emerged in the blogosphere. Customers - and complainants - certainly have a voice, thanks to the internet. Many seem to be able to quickly detect irregular types of activity on their online accounts and, using their powers of social networking, get the data controller to respond responsibly.

So, turning to minor breaches, what role does the regulator play here? It is a valid, and important, question.

Later, over a data protection dinner most generously hosted by Bird & Bird, a few of the guests asked themselves whether there were any lessons to be learnt from the breach notification rules that were prevalent in the USA. Had these rules led to a measurable change in the behaviour of American data controllers? Were there now fewer breaches than before? Were citizens more confident that data controllers were more vigilant than before?

Well, we asked ourselves these questions, but answers were there few. I left the dinner confused. Not inebriated, but just still not clear what the point of the breach notification process to the regulator actually was.

Tonight, I’m off to dine, gossip and dance the night away at an event organised by the Data Protection Officers’ Supper Club. I’ll raise the same questions that were raised last night, and I’ll report back if any significant insights emerge.
