What a dick!
"If someone is searching for cancer treatments there is nothing that links that search to the health status of an individual. They could be running the search on behalf of a friend."
So, potentially sensitive information should be classified as "not really sensitive, because there's a small possibility it might not be". That's ass backwards.
"Thompson questioned whether there was any likelihood of harm from the release of such information"
Then I'll happily answer him: yes, Mr Thompson, yes there is. Which is exactly why the law recognises such information as being sensitive.
"and even if you don't, cookies are placed on your machine to serve up ads by most websites"
Not on any of the machines that I administer, and I'm sure that's true of most Reg readers. That argument is straight out of the Kent Ertugrul playbook. In fact you can see it in any Phorm press release you care to look at. Coincidence?
"encrypted data ought not to be covered by breach disclosure laws so that firms who have protected sensitive data are not affected by the "expense and brand damage" such public notifications bring."
Bollocks. Firstly, the loss of such data still suggests poor data protection practices, and in fact in the UK, that alone puts you in breach of the DPA*. Secondly, "encrypted data" covers a lot of ground: encrypted how? To what standard? If companies are sure their protection scheme is secure, then they should have no difficulty revealing what it is. If some company loses my data and then says, "well look, it was on a CD, but it was encrypted using IDEA with a 1024 bit key, which we keep in a safe", I'm going to say "oh, okay then, that's pretty safe". I'm more reassured by this, not less. I notice there's a trend now to say "it was encrypted, but we won't say how, for security reasons". Any fool knows that a cryptosystem which relies upon the secrecy of the algorithm is broken. There can be no advantage in not releasing this information, unless the system is shite or non-existent, and would therefore result in embarrassment.
"'Businesses have a responsibility to protect sensitive data. The public should not expect the government to protect them,' he added."
That's a bit of a non sequitur, isn't it? I'm not at all sure how the two relate. Certainly businesses have that responsibility, usually mandated by legislation, written by governments, whose job it is to prosecute businesses if, and when, they breach that legislation**.
If governments don't exist to protect the public, then just what the hell are they for, exactly***?
* Yeah, I know.