EU to force firms to disclose data leaks

The European Commission plans to force companies to confess if personal data about customers is stolen.

The proposals, which form the European Directive on Data Protection, would require companies to inform all customers and regulators of any security breach that exposes data such as credit card numbers, names and addresses.

Many types of potential breaches are covered, from attacks by hackers to thefts of notebook PCs owned by the company.

Consumer trust has been badly dented in the past few months after a spate of thefts from computers containing sensitive data. The most recent cases to hit the headlines include the theft of a PC from a Nottinghamshire hospital and the possible theft of customers’ credit and debit card details from UK retailer TK Maxx.

The theft from TK Maxx came to light only because the firm’s parent company is based in the US, where laws similar to that proposed by the Commission are already in force.

Information Commissioner Richard Thomas warned this month about the thriving black market in stolen information, which puts consumers at risk of fraud and ID theft. Under UK law, companies are not obliged to tell customers or the Information Commissioner about data loss due to theft or negligence.

Security experts welcomed the move. Daniel Mothersdale of anti-spyware company Webroot said: “It would put European citizens on a par with US residents, who have to be informed. It would help consumers become more alert to the problems and realise that they personally have to keep an eye on their personal information, such as bank accounts.”

However there are concerns that the proposed rules could do more harm than good. Philip Virgo of parliamentary lobby group Eurim said forced blanket reporting could cause unnecessary panic. “Sometimes when there is a data breach, it is apparent that no one is actually at risk,” said Mr Virgo.

He claimed most data thefts are insider jobs carried out by employees and that companies must improve internal security and staff vetting, hold as few personal details as possible about customers and scramble data that is held.

A recent survey of 285 companies by the security trade exhibition Infosecurity Europe found that a third of businesses do not report information security crimes and breaches.