Businesses in all sectors will have to tell customers when their data has been exposed in a security breach, EU justice and rights commissioner Viviane Reding has told a gathering of bankers in London.
EU commissioner Viviane Reding has said businesses will have to tell customers when their data has been exposed in a security breach. Photo credit: European Commission
On Monday, Reding said she will extend the breach notification obligations that already apply to telecoms and internet access companies. Such plans have been afoot for at least the last three years.
"I intend to introduce a mandatory requirement to notify data security breaches — the same as I did for telecoms and internet access when I was telecoms commissioner, but this time for all sectors, including banking and financial services," Reding said at the British Bankers' Association's Data Protection and Privacy Conference.
In support of the proposals, Reding noted recent data thefts that have hit people using PlayStation, Google and Facebook services, saying that such breaches hurt confidence in the internet and in online services.
"Only recently, we witnessed a massive security theft in online gaming services affecting millions of users around the world," Reding said. "This incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers' trust in the online economy."
The EU vice president acknowledged concerns within the banking sector "that a mandatory notification requirement would be an additional administrative burden". However, she said the proposed measures suited the situation and would reassure consumers as to whether companies were taking care of their data.
"It would also create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data," Reding added.
ICO response
The Information Commissioner's Office (ICO), which oversees data protection in the UK, broadly welcomed the move. However, it reiterated that the measure should apply to "serious" data breaches; in the past, it has warned against a "blanket system" that would see the ICO risk being swamped with notifications.
Read this
Kroes: EU can drive the cloud
In a speech at Davos, the European Union's digital agenda commissioner has argued that the EU is ideally placed to drive the adoption of the cloud
"Any new requirements must be proportionate, setting out clear criteria and thresholds for reporting a breach," the ICO said in a statement in response to Reding's speech.
Data breach notification requirements for the telecoms and internet provision sectors came through as part of the Telecoms Reform package, passed in 2009. According to Reding, who was responsible for much of the package's contents, the EU now needs a more coherent approach to data protection.
As the member states in the EU have their own approach to data loss, there are a variety of different approaches that companies and consumers have to grapple with in the event of a breach. The proposed reforms would introduce a "level playing field", which would benefit businesses, Reding said.
The reforms will "do away with all the notification obligations and requirements that are excessively bureaucratic, unnecessary and ineffective [and instead] focus on those requirements which really enhance legal certainty", Reding said.
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Talkback
This post has been removed by a moderator.
This post has been removed by a moderator.
British Bankers' Association here. It should be noted that the speech was from an EU perspective. The UK's banks follow the highest standards of customer protection in their data management. If a customer's personal data may have been breached, banks already undertake to inform the Information Commissioner's Office, the Financial Services Authority and the customer, where appropriate. We understand Commissioner Reding proposes to make similar practices mandatory across the EU. But it is unlikely that such a step would affect the current practices of the UK's banks, except to make mandatory these existing voluntary practices.
This post has been removed by a moderator.
@BritishBankers
Maybe you could look into the lax security practices of Cahoot, part of Santander. Their log-in to their system is 'iffy' to say the least. Often you get a red 'error' circle, saying the system is unavailable, then press the back button on your browser, and your details appear.
Also, when being telephoned by Cahoot, they ask you to give ALL THREE of your memorable words/dates in FULL over the phone (though not your login-password, but plenty probaby give that by mistake too); Memorable Address or Place, Mothers Maiden Name, Memorable Year - to prove your identity. So much for security, and protecting passwords.
British Bankers Association need to pull their finger out, and hold this bank to account.
Cahoot are also breaching the own terms and conditions regarding Credit Card Statement Dates - Cahoot/Santander are an absolute disgrace of bank, their cavalier approach to t&c needs sorting out.
This post has been removed by a moderator.