Firms obliged to make security breaches public

What some term a ‘burden’, Viviane Reding, vice-president of the European Commission, defines as ‘necessary’.

Following the various high-profile cyber attacks, The European Commission (EC) has made it clear that firms have to make any security breaches public.

Reding spoke at the British Bankers’ Association (BBA) Data Protection and Privacy Conference, making it clear that the notification of data-security breaches was to be mandatory for all sectors.

At present, only the telecommunications sector has had to report security breaches (in Europe). The banking and financial services are the reluctant ones with regards to the new conditions.

“I understand that some in the banking sector are concerned that a mandatory requirement would be a burden. However, I believe that an obligation to notify the public of a serious data security breach is necessary and would enhance consumer confidence," Reding said.

Reding also believes it would act as an incentive for businesses to ‘conduct serious risk assessments,’ ensuring that personal data was protected by appropriate security.
The move appears to have been expected and, as Pete Gooch, privacy expert at business firm Deloitte, pointed out the organizations that already have excellent security controls will continue to spot breaches, whilst firms with poorer controls may be unaware of a problem occurring.

“This, rather ironically, means that organisations with poor controls may escape the watch of the regulators, while those with better controls come under more scrutiny," said Gooch. "That is not to say that having poor controls is an appropriate response – the regulators will continue to examine every breach on a case-by-case basis."

How will this extra scrutiny really affect businesses? And do the firms lacking in data-security need to be pulled into line?