A trade association representing hundreds of technology firms in the UK is pushing hard for lawmakers there to develop a breach notification law and rigorous data protection rules.
UK-based Intellect has formed a data breach notification working group and recently held a roundtable discussion with representatives from government agencies, law enforcement, attorneys and legislators. Intellect is also surveying its members' attitudes towards data breach notification and stepping up its lobbying effort to get legislators to develop tougher standards in the UK.
"In terms of issues it's something being seriously considered and there is a discussion about the impact of a law and how it should look," said Carrie Hartnell, a program manager for Intellect. "The discussion is also around who would be informed, what level of information would a customer be given and whether it would apply to the whole of the UK industry or specific areas."
UK lawmakers have been carefully examining the impact of breach notification laws in the United States to craft rules that would have limited impact on the economy. An explosion of lost and stolen laptops in recent years and the massive data breach at Framingham, Mass.-based TJX Cos. have placed a spotlight on the issue in Europe, Hartnell said.
TJX has acknowledged that at least 45.7 million credit and debit card numbers were stolen over an 18-month period by hackers who managed to penetrate the company's network. In addition to running the TJMaxx, Marshalls, Winners, HomeGoods, AJWright, and HomeSense stores in the US, it also operates outlets in Canada and the UK.
Recent studies suggest that the costs associated with high profile data breaches are skyrocketing. Data breaches cost companies an average of $182 per compromised record, according to a survey conducted by the Elk Rapids, Mich.-based Ponemon Institute. So far, TJX said the costs associated with its breach have exceeded $256 million and some experts say that after settling lawsuits, TJX's expenses will skyrocket.
Currently the UK has data protection and notification rules limited to financial services firms. Those firms have specific procedures to follow if they discover a breach, with notification of officials depending on the type of information breached.
Intellect's Hartnell also said that the trade group's members are in agreement that a regulatory body would need to be created to enact tougher data protection standards. It's unclear whether a law would be limited to the UK or if legislators will look toward the European Union to toughen rules across all of Europe.
"We recognize that this shouldn't just be a UK issue anyway," Hartnell said.
Specific goals of the working group will be developed in November. For now, the group plans to work out a practical solution to the problem and discuss the impact and cost that data breaches have on businesses and on the technology industry as a whole.