Companies will be required to disclose security breaches within 24 hours of their occurrence under European Union proposals being made this week to strengthen data protection rules.
New rules are needed to protect consumers and reduce bureaucracy, EU Justice Commissioner Viviane Reding said in a speech at a conference today in Munich.
"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," Bloomberg quoted Reding as saying at the DLD conference. "European data protection rules will become a trademark people recognize and trust worldwide."
Individuals would be granted new rights under the proposal, including a "right to be forgotten" that would allow them to request their information be erased, according to a draft obtained by Reuters. In addition, a "right to data portability" would allow individuals to easily transfer their personal information between companies. Member states would be allowed to fine companies up to 1 percent of their global revenues for violating EU rules, Reuters reported.
The new data-protection rules, which are expected to be announced Wednesday, are subject to the legislative process and may be revised during the next two years.
The rules are designed to address the concerns of consumers snared in security breaches suffered last year by Sony and Citigroup. One of the chief complaints from PlayStation Network customers was how long Sony took to inform them of the breach. Sony waited more than a week to inform its 77 million customers that their personal information had been illegally accessed in April 2011.
About 3,400 Citigroup credit card customers lost a combined $2.7 million in a May 10 hacking incident, but the company waited nearly a month, until June 8, to disclose the security breach.