InfoSec 2010: Europe to mandate reporting of serious breaches

Public and private sector breaches have reached 962 since November 2007

Organisations could soon be forced to report all serious data breaches to the Information Commissioner's Office (ICO), as part of an upcoming review of a European Union directive on the reporting of data losses.

ICO deputy commissioner David Smith said today at Infosec 2010 that elements of the Privacy and Electronic Communications directive on breach notifications, which will soon force telcos and internet service providers (ISPs) to report data breaches, are likely to be extended.

"Within 18 months it is likely that ISPs and telecoms companies will have to abide by this rule, and before too long this same law will apply more generally, " he said.

"However, it would still only be for serious breaches of data, and firms would need to understand what represented a serious breach to ensure that the ICO, and individuals affected, were not bombarded with irrelevant notifications on all losses."

Smith also revealed the latest figures on data breaches reported to the ICO. Public and private sector breaches totalled 962 since November 2007, and the NHS emerged as the biggest culprit.

"The NHS accounts for around a third of all data breaches (113 as stolen data or hardware, and 82 as lost data or hardware) while the private sector is 271, central government 81 and local government 127," said Smith.

However, these are only voluntary figures and Smith said that there could be many more incidents in the private sector about which the ICO has not been informed.