Mandatory disclosure on the way?
Following yesterday’s revelation by Ruairi Quinn TD that laptops had been lost, The Irish Times reports today that Minister for Justice Dermot Ahern is considering introducing a mandatory reporting system for cases where data or data-storage devices go missing.
That’s welcome, and long overdue. Bruce Schneier wrote about it back in 2006. California has for some time had a mandatory disclosure law, and it’s forced companies to take notice of the cost of losing data – especially in terms of their reputation:
Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.
Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.
So, let’s hope Dermot Ahern is serious about this. We’ve got far stronger data protection laws than the US in most areas – they need to be extended to mandatory disclosure. This is exactly what I was trying to get done when I first wrote those Parliamentary Questions in January, so it’s good to see it come to some level of fruition.
Digital Rights Ireland have more on this.