Reding Forces Bankers To Own Up To Breaches
EU Commissioner Viviane Reding has confirmed that all businesses will be obliged to report data breaches
With data breaches now happening with depressing frequency, the European Union has warned that all businesses, including banks, will in future be forced to inform customers of any security breaches.
So said EU justice and rights commissioner Viviane Reding, speaking at the British Bankers’ Association (BBA) Data Protection and Privacy Conference in London this week.
Reding said that banks and businesses will be legally obliged under new data protection laws currently being drawn up by the European Commission to warn customers when their personal information is lost or stolen.
Mandatory Notifications
“I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services,” she was quoted as saying.
“I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden,” she said. “However, I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers’ confidence in data security and oversight mechanisms.”
But her warnings drew a cool response from banking groups.
A spokesman for the British Bankers’ Association told the Daily Telegraph that “the UK’s banks follow the highest standards of customer protection in their data management” and that it was “unlikely that such a step [the new laws] would affect the current practices of the UK’s banks”.
“If a customer’s personal data may have been breached, banks already undertake to inform the Information Commissioner’s Office, the Financial Services Authority and the customer, where appropriate,” the spokesman added.
ICO Support
As it stands in the UK, the European rules on data breaches currently only apply to telecom providers and Internet Service Providers (ISPs), who are required to immediately notify their users as well as appropriate regulators of data breaches involving personal information. It is thought that Reding’s proposals will simply be an extension of this obligation to other sectors and businesses.
Yet it seems that Reding’s proposals have been endorsed by the Information Commissioner’s Office (ICO).
“Banks and other financial service providers need to do more to fulfil their legal obligations to give customers access to the information they hold about them,” David Smith, Deputy Commissioner at the ICO, said. He also said that the financial sector has been identified as one of the ICO’s priority areas referred to in its draft Information Rights Strategy.
“We’ve identified the financial sector as one of our priority areas referred to in our draft Information Rights Strategy as we want to make sure financial services providers are doing all they can to comply with data protection law,” he said.
And to be fair, this is not the first time that Reding has warned about expanding data breach notification laws to other business sectors.
In May Reding called for an extension of European laws on data breaches to other industries following the damaging Sony PlayStation hack.
Threat Levels
The scale of the hacking problem is increasing with reports almost daily of fresh hacks and data breaches. And unfortunately banks are increasingly becoming a major target for cyber criminals.
Traditionally, banks have had some of the tightest security systems in place; however, it is extremely rare for them to admit publicly when a security breach occurs.
Yet there is little doubt that the scale of the problem is getting worse, as evidenced last week by Citigroup’s admission that hackers had stolen data from 360,000 of its American customers, a figure much higher than its initial estimates.
Other previous financial-related hacks include the TJX hack in 2007 and Heartland Payment Systems in 2009.