Since the introduction of California's Senate Bill 1386 two years ago, the US has seen a whole string of organisations being forced to admit they have lost or leaked the private details of individuals. The Bill's success in naming and shaming careless companies has spawned a rash of similar legislation across the country, and a Federal disclosure bill is now widely expected.
Visit www.privacyrights.org/ar/chrondatabreaches.htm (the Privacy Rights Clearinghouse) to see the full extent of the legislation. The US lobby group lists more than 130 security breaches that occurred in the past year alone. It shows how each leak occurred and how many records were put at risk. In less than a year, the total for all reported breaches topped 53 million personal records.
The figures do not prove security has got worse. On the contrary, security seems to be improving sharply in the US, as companies strive to meet Sarbanes-Oxley requirements on the one hand, and on the other, avoid public ignominy through a public disclosure.
The big question is whether Europe should follow suit. Many feel we don't need disclosure legislation because European data privacy laws already perform the same job.
"There is a key difference of cultures between the US and Europe," says Paul Simmonds, head of global security at ICI. "The US doesn't have the equivalent of the Data Protection Act. We legislate and oblige companies to follow, while the US relies on people suing companies that have disclosed information."
But not everyone agrees. Philippe Courtot, chairman of vulnerability management firm Qualys, says: "Some people say Europe has strong privacy laws, but there's no mandatory disclosure and no one has been prosecuted. If firms have a breach, they don't want to disclose it. But naming and shaming can be a very effective driver."
Disclosure might happen anyway, warns law firm Charles Russell. The firm suggested last month that many companies leave themselves open to legal threats if they fail to secure employees' laptops against wireless hackers in public hotspots, and so expose clients' or business partners' confidential data. Once the first case happens, disclosure laws may follow soon after.