Regulators and governments are moving towards creating a requirement that anyone who suffers a security breach affecting personal data would have to report it. A number of American states already have such laws, the recent revision of the European Telecoms Framework Directive introduced a breach notification requirement for telecoms providers and the Commissioner has stated that this will be extended to all organisations in the forthcoming revision of the Data Protection Directive.
A number of benefits are claimed for mandatory reporting:
- Allowing lessons to be learned from security breaches, so others can improve their processes;
- Allowing those whose personal data is involved in a breach to protect themselves from the consequences;
- Naming and shaming organisations that fail to take proper care of personal data.
Taking each of those separately they look like admirable objectives. However I’m concerned by implications that making notification mandatory will deliver all of them. It seems to me that the incentives and reporting requirements are very different for each of the three purposes, making it unlikely that you can achieve all of them at once. Indeed I suspect it may be impossible to achieve more than one and that attempts to do so will inevitably fail. My thinking is set out in a draft paper, which I’d very much welcome comments on.