ICO Updates Requirements For Data Breach Disclosures
Tuesday, December 20, 2011
The Information Commissioner’s Office (ICO) recently updated its data breach disclosure regulations for ISPs and telecommunications providers in the United Kingdom. To make reporting requirements easier for businesses, the ICO suggests that companies submit a list of data breaches monthly.
However, companies would still need to report major breaches in detail and separately. The existing regulations require companies' breach disclosures to include:
"The nature of the breach; the consequences of the breach; and the measures taken or proposed to be taken by the provider to address the breach."
The existing regulations also require companies to maintain a log of any breaches affecting consumers' personal information, and to provide affected consumers or customers with a breach notification covering:
"The nature of the breach; contact details for your organisation where they can get more information; and how they can mitigate any possible adverse impact of the breach."
Companies do not have to report data breaches where the data is protected by encryption. The ICO describes itself as:
"... the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."