The Vice-President of the European Commission and EU Justice Commissioner, Viviane Reding, has this week outlined updates to EU legislation for the protection of personal data, following a public consultation throughout 2010.
As of autumn this year all sectors across the EU will be subject to a ‘mandatory requirement to notify data security breaches’. This legislation has been in effect in the telecoms and ISP sectors for a number of years (since Reding introduced it in her role as Telecoms Commissioner), but clearly this is quite an expansion.
The reasons for the update are clear. The current legislation has been in place since 1995. While the underlying principles are still valid, an increasingly internet-based society, combined with a recent surge in data breaches, highlights the need for heightened information security legislation. Secondly, the current diversity of legislation across Europe causes huge problems for citizens and businesses alike – especially for companies operating in several EU locations.
Although there is great variety of information security legislation across Europe, the UK is arguably one step ahead. As of April 6th 2010, the UK Information Commissioner’s Office can fine any organisation up to £500,000 for data breaches and, as I’ve previously discussed, financial organisations face steep penalties for data breaches from the FSA. As such, a spokesperson from the British Bankers' Association commented that this mandatory disclosure is unlikely to have much of an effect on UK banks.
“If a customer's personal data may have been breached, banks already undertake to inform the Information Commissioner's Office, the Financial Services Authority and the customer, where appropriate,” the spokesperson said.
Although the update to the legislation is undoubtedly a step forward, is the ‘obligation to notify incidents of serious data security breach’ enough? Should data breach penalty fines be imposed at a level that makes it clearly less costly to protect data properly than it is to suffer a breach? It would be interesting to see if the introduction of financial penalties in the UK correlated with a drop in data breaches.
Even if the new legislation is respected, will firms secure their information to an adequate level? Perhaps now, as a result of this updated EU legislation and the increasing success and blatant approach taken by hackers such as LulzSec, the message will get through that a data-centric approach to information security is what is needed. At the very least the notification requirement will enable individuals to take appropriate actions to protect themselves when their data is compromised.