Around three out of four IT security professionals think companies should be legally obliged to inform customers and regulators of data security breaches, a survey reveals.
Of those that are in favour of introducing this law, nearly half (49%) said that businesses should be forced to disclose a security breach immediately, rather than delaying the announcement. This is the result of a survey of IT security professionals conducted by database security company Secerno at Europe's annual information security conference, Infosec 2007.
The European Commission is expected to pass the European Directive on Data Protection this year, which would require companies to inform all customers and regulators of any data security breaches. However, it could take years for the UK or other European countries to adopt this directive into law.
Paul Davie, founder of Secerno, commented that the UK public does not know the full scale of data security breaches, as there is no legal obligation to reveal them. "There is a clear demand from security professionals and consumers that the Government and the EU should follow the US’s lead and impose a legal framework that forces companies to disclose breaches. A situation that mirrors the infamous TJX breach may already have happened in Europe, but companies operating in this region are not legally obliged to notify their customers – which only erodes public confidence."
"Any of us could have been affected; we often don’t find out until it’s too late," he added.
Davie cited figures from US-based Privacy Rights Clearing House, which suggest 100m records have been exposed during just two years of monitoring such events.
Davie called on enterprises to act now and implement security measures and technology before the EU mandates their use. He urged businesses to manage security from the board level, rather than "make the mistake of believing data security to be just an IT issue, when it’s evidently more important than that."
In a separate study, 82% of consumers said they expect to be notified immediately if their personal details have been taken in a security breach. More than half (53%) said they would stop using the affected organisation’s service upon hearing of the incident, according to the research by Ipsos MORI.