EU mulls proposal to mandate data breach advisories by firms

Speaking at a data protection and privacy conference organised by the British Bankers Association earlier this week, Viviane Reding, the EU Justice Commissioner and Vice-President of the European Commission, outlined plans to force companies to admit to their data breaches.

In her speech, she said she intends to introduce a mandatory requirement to notify data security breaches - "the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services."

Reding added that the current EU data protection rules date back to 1995, and, although they had served their purpose well, the data protection legislation needs to be updated.

Current legislation - which mainly applies to banks - she observed, varies widely between EU member countries, and that there is too much red tape involved.

This should, she explained, simplify the situation for businesses, but, in return, she expects businesses "to do their share to ensure safe and transparent digital products and services."

Reaction to Reding's speech has largely been positive, although Steve Brunswick, strategy manager with Thales e-Security, questions whether the EU needs to go further and impose data breach penalty fines at a level that makes it less costly to protect data properly than it is to suffer a breach.

The reasons for the update are clear, he says in latest security blog.

"The current legislation has been in place since 1995. While the underlying principles are still valid, an increasingly internet-based society, combined with a recent surge in data breaches, highlights the need for heightened information security legislation", he said.

"Secondly, the current diversity of legislation across Europe causes huge problems for citizens and businesses alike - especially for companies operating in several EU locations", he added.

According to Brunswick, although there is great variety of information security legislation across Europe, the UK is arguably one step ahead.

"Although the update to the legislation is undoubtedly a step forward, he said, is the `obligation to notify incidents of serious data security breach' enough?", he said, adding that it would be interesting to see if the introduction of financial penalties in the UK correlated with a drop in data breaches.

The big question, he went on to say, is that even if the new legislation is respected, will firms secure their information to an adequate level?

"Perhaps now, as a result of this updated EU legislation and the increasing success and blatant approach taken by hackers such as LulzSec, the message will get through that a data-centric approach to information security is what is needed", he said.

"At the very least the notification requirement will enable individuals to take appropriate actions to protect themselves when their data is compromised", he added.

What’s Hot on Infosecurity Magazine?