Business must report data breaches to public, EU says

Business must report data breaches to public, EU says

Summary: EU vice president Viviane Reding has outlined plans to compel all businesses, including banks, to tell their customers if sensitive data has been lost in a security breach

TOPICS: Security

Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London.

Viviane Reding EU

EU commissioner Viviane Reding has said businesses will have to tell customers when their data has been exposed in a security breach. Photo credit: European Commission

On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years.

"I intend to introduce a mandatory requirement to notify data security breaches — the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," Reding said at the British Bankers' Association's Data Protection and Privacy Conference.

In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.

"Only recently, we witnessed a massive security theft in online gaming services affecting millions of users around the world," Reding said. "This incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers' trust in the online economy."

The EU vice president acknowledged concerns within the banking sector "that a mandatory notification requirement would be an additional administrative burden". However, she said the proposed measures suited the situation and would reassure consumers as to whether companies were taking care of their data.

"It would also create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data," Reding added.

ICO response

The Information Commissioner's Office (ICO), which oversees data protection in the UK, broadly welcomed the move. However, it reiterated that the measure should apply to "serious" data breaches; in the past, it has warned against a "blanket system" that would see the ICO risk being swamped with notifications.

Read this

Kroes: EU can drive the cloud

In a speech at Davos, the European Union's digital agenda commissioner has argued that the EU is ideally placed to drive the adoption of the cloud

Read more+

"Any new requirements must be proportionate, setting out clear criteria and thresholds for reporting a breach," the ICO said in a statement in response to Reding's speech.

Data breach notification requirements for the telecoms and internet provision sectors came through as part of the Telecoms Reform package, passed in 2009. According to Reding, who was responsible for much of the package's contents, the EU now needs a more coherent approach to data protection.

As the member states in the EU have their own approach to data loss, there are a variety of different approaches that companies and consumers have to grapple with in the event of a breach. The proposed reforms would introduce a "level playing field", which would benefit businesses, Reding said.

The reforms will "do away with all the notification obligations and requirements that are excessively bureaucratic, unnecessary and ineffective [and instead] focus on those requirements which really enhance legal certainty", Reding said.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • British Bankers' Association here. It should be noted that the speech was from an EU perspective. The UK's banks follow the highest standards of customer protection in their data management. If a customer's personal data may have been breached, banks already undertake to inform the Information Commissioner's Office, the Financial Services Authority and the customer, where appropriate. We understand Commissioner Reding proposes to make similar practices mandatory across the EU. But it is unlikely that such a step would affect the current practices of the UK's banks, except to make mandatory these existing voluntary practices.
  • @BritishBankers
    Maybe you could look into the lax security practices of Cahoot, part of Santander. Their log-in to their system is 'iffy' to say the least. Often you get a red 'error' circle, saying the system is unavailable, then press the back button on your browser, and your details appear.
    Also, when being telephoned by Cahoot, they ask you to give ALL THREE of your memorable words/dates in FULL over the phone (though not your login-password, but plenty probaby give that by mistake too); Memorable Address or Place, Mothers Maiden Name, Memorable Year - to prove your identity. So much for security, and protecting passwords.
    British Bankers Association need to pull their finger out, and hold this bank to account.
    Cahoot are also breaching the own terms and conditions regarding Credit Card Statement Dates - Cahoot/Santander are an absolute disgrace of bank, their cavalier approach to t&c needs sorting out.