At present, only the telecommunications sector in Europe has been required to report security breaches. The banking and financial services sector has been the most reluctant about the proposed new obligations.
“I understand that some in the banking sector are concerned that a mandatory requirement would be a burden. However, I believe that an obligation to notify the public of a serious data security breach is necessary and would enhance consumer confidence,” Reding said.
Reding also believes it would act as an incentive for businesses to ‘conduct serious risk assessments,’ ensuring that personal data is protected by appropriate security measures.
The move appears to have been expected. As Pete Gooch, privacy expert at Deloitte, pointed out, organisations that already have strong security controls will continue to spot breaches, whilst firms with poorer controls may never detect a breach in the first place, and so will have nothing to notify.
“This, rather ironically, means that organisations with poor controls may escape the watch of the regulators, while those with better controls come under more scrutiny,” said Gooch. “That is not to say that having poor controls is an appropriate response – the regulators will continue to examine every breach on a case-by-case basis.”
How will this extra scrutiny really affect businesses? And do the firms lacking in data security need to be pulled into line?