"some business groups concerned about their ability to meaningfully report breaches within 24 hours"
Meaning some business groups are concerned about their ability to sober up their PR people in time to find someone else to blame.
Most of the data breach incidents analysed by the Information Commissioner's Office (ICO) in a three-month period earlier this year concerned errors in the way personal information was disclosed, the watchdog has said. The ICO said that it had looked at 335 data breach incidents between 1 April and 30 June 2013 and found that …
SB1386 seems to have worked in the States, with companies upping their security to get out of writing to all their customers to say they screwed up.
It has been proposed in several corners that we should have the same, a point reinforced by the fact that the ICO does not actively investigate even the stuff that has been directly reported to them by members of the public.
i.e.
Joe Public>ICO. "organisation X is mishandling my personal data, as defined by these rules in DPA98"
"and I have attached the evidence that they're doing it"
ICO>Org X. "are you complying with the data protection act?"
Org X>ICO. "certainly"
ICO>Joe Public. "Org X have not breached the DPA, case closed"