EC mulling updated data security regime

The European Commission is considering laws that will force organisations that lose personal data to reveal the problem, with The Register noting that this marks something of a change of heart by the body. In a speech, Viviane Reding, European Commissioner for Information Society and Media, said: "in short, transparency and information will be the key new principles for dealing with breaches of data security".

The comments came as two more data security breaches came to light. User details were obtained from German social networking website Schuler VZ, while job hunters using the website of UK newspaper The Guardian also had their personal details put at risk. These cases are far from unique; indeed, it appears rare that a week passes without details of another problem somewhere in the world, with both the public and private sectors likely to be implicated.

The Register highlighted something of a paradox that could occur should such legislation make it onto the statute books. While the threat of publicity may lead to increased care being taken by those companies holding personal data, if every breach is revealed there is also the possibility the public will be "desensitised" to data loss, with serious problems not attracting the level of scrutiny they deserve.

According to Reding, "the Commission has committed itself to reviewing Europe's general rules on protecting personal information, in the light of rapid technological development. At the same time, we will have to find agreement with our partners in other parts of the world, as the information society is becoming more and more global".

For all the talk of data protection legislation, noted that the biggest danger of data loss comes not from the online world, but from the loss of physical media. According to a Freedom of Information Act request filed by Software AG, of 356 reported incidents, 127 were from stolen devices such as laptops, 71 were from lost memory sticks and CDs, and 24 were cases of data lost via courier services. Only 33 were "technical/procedural failure", which includes "failure of web site security etc".

The 356 incidents between November 2008 and September 2009 contrast with 190 between October 2007 and November 2008, meaning that the number of incidents is on the up.
The details obtained by the FoI request are here.