EC plans to make all firms report security breaches

Viviane Reding plans to introduce mandatory breach notification for businesses in Europe, just as she did in the telecoms sector

The European Commission (EC) has said that it will force firms to make their security breaches public. This commitment follows a series of high-profile cyber-attacks on prominent businesses and government agencies.

Speaking at the British Bankers' Association (BBA) Data Protection and Privacy Conference in London, Viviane Reding, vice-president of the European Commission, said she intends to make notification of data-security breaches for all sectors mandatory – this would include banking and financial services.

At present, breach notification in Europe is only mandatory in the telecommunications sector – Reding introduced this when she was Telecommunications Commissioner.

"I understand that some in the banking sector are concerned that a mandatory requirement would be a burden. However, I believe that an obligation to notify the public of a serious data security breach is necessary and would enhance consumer confidence," she said.

"It would also create a stronger incentive for business to conduct serious risk assessments to protect personal data and establish appropriate security measures to protect the confidentiality, integrity and availability of personal data."

Peter Gooch, privacy expert at business advisory firm Deloitte, welcomed the move and said it was widely predicted. "Organisations with robust security controls will continue to identify and deal with data loss. Conversely, organisations with poor controls may not even know that a breach has occurred.

"This, rather ironically, means that organisations with poor controls may escape the watch of the regulators, while those with better controls come under more scrutiny," said Gooch. "That is not to say that having poor controls is an appropriate response – the regulators will continue to examine every breach on a case-by-case basis."