Senate Bill 1386 came into force in July 2003. Its aim was to defend the citizens of California against the effects of identity theft. It placed a responsibility on any organisation holding a Californian's personal details to protect those details and, in the event of any security breach, to inform the individual that a breach had taken place.
At the time, the bill attracted criticism for its slightly quixotic belief that it could protect Californians' rights anywhere in the US and across the rest of the world. After all, if a firm in Europe or the Indian sub-continent lost a tape holding Californians' details, how was California going to enforce the law?
But SB 1386 has turned out to be remarkably effective, inside the US at least. So much so that other states, and the US federal government, are looking to adopt its general principles to cover the rest of the country.
Last month, the US House of Representatives introduced a bill that would require banks, retailers and credit bureaux to notify consumers when a security breach puts their personal data at risk.
The Consumer Notification and Financial Data Protection Act of 2005 is just one of several pieces of legislation that have been proposed this year in Congress after a series of widely publicised data breaches.
The litany of embarrassing data losses that have occurred this year in the US could lead you to think the whole industry has suddenly become very careless. But, of course, the reality is that these breaches have always gone on – they were just kept under wraps.
In Europe, we had the case of the Sumitomo Mitsui bank, but that only became public after long negotiations between the bank and the police, and was very carefully managed to minimise embarrassment and share-price damage.
But how would we fare if we brought in a bill similar to SB 1386 in the UK or across Europe? My guess is that it would generate, as it did in the US, a whole spate of revelations about poor practice, lax security, and lost files.
It would be very embarrassing but, like corporate governance compliance, it forces companies to face up to the security challenge and do something about it.
Most of the US companies that have been caught out have moved fast to improve, and EU firms would be forced to do the same.
IT security professionals should support the introduction of a Euro-SB 1386. It may put more pressure on us all to perform well, but it would also help to boost security budgets.
Ron Condon is editor-in-chief of SC Magazine