ICO faces calls for mandatory data breach reporting

Legal experts are calling for uncapped data breach fines

Legal experts have called for the mandatory reporting of all data breaches to the Information Commissioner's Office (ICO), in order to bring more clarity to the amount of data being lost and improve efforts to prevent breaches.

Stewart Room, a partner covering privacy and information at legal firm Field Fisher Waterhouse, said at a roundtable event that mandatory reporting is necessary to stop companies attempting to "bury bad news".

"Many firms we deal with often decide not to report data breaches to the ICO as they are not obliged to report it under law, yet could suffer retrospective punishment despite admitting the loss," he said.

"As such they take a calculated risk that it will not be discovered, and rely on the fallback that, if they were discovered not to have disclosed the breach, they are not actually required to anyway under current law."

Room also said that the ICO's being able to fine organisations a maximum of £500,000 is "absurd", and that an uncapped fine would act as a far stronger deterrent.

However, while mandatory reporting will be introduced for internet service providers and telecoms companies in May 2011, most ISPs claim that this will not alter their current practices.

"For us, the move to mandatory will change very little as we already notify the ICO and our customers of all major losses," said Martin Hosking, head of data protection at Everything Everywhere, the company formed by the merger of Orange and T-Mobile.

"The issue will be to what level of importance the mandatory level is set. How many reports does the ICO need?"