Shostack + Friends Blog Archive


The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.”

“In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the records of just over three million candidates for the driving theory test.”

The records contained the driver’s name, postal address, phone number, the test fee paid, the test center, a code indicating how the test was paid for, and an email address, Kelly said.

I think this is an interesting disclosure, because most of the breach notification laws we see are triggered by whose data was exposed (“if you disclose information about our residents”) rather than by where the breach happened (“if you lose data in our state”). Sometimes, as with ChoicePoint, this serves to get notice out. Other times, and this may be one of them, it acts as a loophole: the data belongs to UK drivers but was lost in Iowa.

As Canada, the UK, and other places look to write new breach notification laws or regulations, it would be good for them to consider whether they want laws that cover more breaches, including ones where the data is lost outside the jurisdiction whose residents it describes. It strikes me as a tremendously good idea.

2 comments on "The UK Driver's License Applicants Breach and Laws"

  • Chris says:

    Most state breach laws require that if you hold data for someone else, then your obligation is to notify them. So, if I am Acme Accountants, and you’re Adam Inc., whose retirement plan I administer, when I lose my laptop with your employees’ names and account numbers, I need to tell you. Whether you need to tell anyone depends on the state(s) in which your employees live and (perhaps) the state in which your business is located.
    Of course, IANAL, Iowa doesn’t even have a breach notification law, and neither does the UK. :^)

  • Iang says:

    The EU Data Protection Act/Directive covers each individual who is a natural person, as far as I can tell. (Legal persons (companies, etc) are not included.) It doesn’t matter who or where you are.
    As pure speculation, I’d say that any EU breach law would assume the same, so as to align with the DPA.
