EU rules to force reporting of data loss and breaches

Reports suggest that the EU could soon force businesses across the continent to publicly report when an incident involving data loss or a system security breach occurs.

The Information Commissioner’s Office (ICO) would have the power to demand information about serious compromises to data stored by businesses and organisations if a new EU directive governing data protection comes into force.

Telecommunications firms and broadband providers are already set to be subject to similar rules requiring data breaches to be reported, and the same obligation may be rolled out across all businesses, according to the ICO's David Smith.

Mr Smith was speaking to an audience at the Infosec 2010 event. He said that the EU's Privacy and Electronic Communications directive is due to come into force before 2012, after which time all businesses could face the same level of scrutiny.

The rules would apply only in the event of 'serious' data breaches, and Mr Smith recognised that businesses would need a clear, shared understanding of what counts as serious before they could identify which incidents to report. He accepted that the ICO could otherwise receive thousands of reports of minor breaches, which could hamper its operation, and he recognised that proper training would need to be given.

The ICO said that in the three years leading up to 2010 a total of 962 serious data breaches were reported. These figures cover both public and private organisations, and the NHS appeared on the list more often than any other body.

The NHS incidents combined account for 33 per cent of the total figure. They include 113 reports of data or hardware being stolen and a further 224 reports of data lost from within the organisation.

Mr Smith pointed out that these figures represent only the reports that businesses and organisations in the UK were willing to make voluntarily. The actual numbers could therefore be considerably higher, particularly in the private sector, where businesses are seen as answerable only to their shareholders and not to the public at large.
