Business must report data breaches to public, EU says

EU vice president Viviane Reding has outlined plans to compel all businesses, including banks, to tell their customers if sensitive data has been lost in a security breach

Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London.

Viviane Reding EU

EU commissioner Viviane Reding has said businesses will have to tell customers when their data has been exposed in a security breach. Photo credit: European Commission

On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years.

"I intend to introduce a mandatory requirement to notify data security breaches — the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," Reding said at the British Bankers' Association's Data Protection and Privacy Conference.

In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.

"Only recently, we witnessed a massive security theft in online gaming services affecting millions of users around the world," Reding said. "This incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers' trust in the online economy."

The EU vice president acknowledged concerns within the banking sector "that a mandatory notification requirement would be an additional administrative burden". However, she said the proposed measures suited the situation and would reassure consumers as to whether companies were taking care of their data.

"It would also create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data," Reding added.

ICO response

The Information Commissioner's Office (ICO), which oversees data protection in the UK, broadly welcomed the move. However, it reiterated that the measure should apply to "serious" data breaches; in the past, it has warned against a "blanket system" that would see the ICO risk being swamped with notifications.

"Any new requirements must be proportionate, setting out clear criteria and thresholds for reporting a breach," the ICO said in a statement in response to Reding's speech.

Data breach notification requirements for the telecoms and internet provision sectors came through as part of the Telecoms Reform package, passed in 2009. According to Reding, who was responsible for much of the package's contents, the EU now needs a more coherent approach to data protection.

As the member states in the EU have their own approach to data loss, there are a variety of different approaches that companies and consumers have to grapple with in the event of a breach. The proposed reforms would introduce a "level playing field", which would benefit businesses, Reding said.

The reforms will "do away with all the notification obligations and requirements that are excessively bureaucratic, unnecessary and ineffective [and instead] focus on those requirements which really enhance legal certainty", Reding said.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.