Posted by Teena Lee
It should not surprise anyone that the US is not the only country with data security issues. Yet the differing legal regimes in other jurisdictions sometimes provide an opportunity to examine what works and does not work in addressing security problems before similar laws are enacted here.
For example, despite having what are purported to be stricter laws with regard to data protection than the U.S., it would appear companies in the United Kingdom continue to suffer just as much at the hands of criminal hackers as those in the United States. See this recent article from BBC News. Some of the key differences between the UK's data protection laws and the United States counterpart is that all "data controllers", i.e., those who determine what is to happen to personal data in their possession or in the possession of "data processors" holding the information on behalf of the controllers, must register their data processing activities with a state data protection agency, and in some instances, prior consent is required before any data processing can begin. Very generally, while the UK requires a more centralized regime for regulation, the United States relies on a mix of legislation, regulation and self-regulation, and for this reason, the UK (as well as the European Union) has found that the US failed to meet its "adequacy" standard for data protection.
Yet much of the information we have on experiences under different regimes is anecdotal or spotty; it would be interesting to see an apples-to-apples comparison of data breach trends in various jurisdictions that have different protection regimes. Given the plethora of bills floating around Congress, surely someone has done such an analysis (and if not, why not?). If anyone knows of such a report, we would love to post a link here.