To combat a rise in online crime, the European Commission is considering requiring companies that store data on the internet — such as Microsoft, Apple, Google and IBM — to report the loss or theft of personal information in the European Union or risk sanctions.
The proposal, which is being drafted by Neelie Kroes, the European commissioner for the digital agenda, seeks to impose, for the first time, universal reporting requirements on companies that run large databases, those used for internet searches, social networks, e-commerce or cloud services.
The proposed directive would supplant a patchwork of national laws in Europe that have made reporting mandatory in Germany and Spain but voluntary in Britain and Italy.
Kroes' plan has generated debate because it would extend the obligation to report data breaches beyond traditional compilers of customer databases — phone, transport and utility companies.
The technology industry supports the idea of a more systematic approach to the flagging of security breaches but says the proposal needs to be more specific to ensure that notifications are required only when necessary and useful to consumers.
"Harmonisation of the notification requirements for security breaches is important and should be addressed," said Thomas Boue, the government affairs director in Brussels for the Business Software Alliance, whose members include Microsoft, IBM, Apple, Oracle and Intel. "More precise guidelines in the directive on the trigger and threshold procedures would make the system more workable."
In Britain alone, businesses and governments reported 821 computer attacks in 2011, 15 per cent of which resulted in the theft of data on individuals, according to the country's Information Commissioner's Office. The attacks represented a more than tenfold increase over the 79 incidents reported in 2007.
According to a copy seen by the International Herald Tribune, the new requirements would be applied to, among others, the "enablers of internet services, e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores."
Liam Benham, a vice president in charge of governmental programs at IBM Europe, whose cloud-based computing services could be affected by any new reporting mandates, said the requirements should be limited to the operators of critical infrastructure, such as power grids, financial networks and transportation systems.
The New York Times