A proposed directive requiring the reporting of serious cyber-attacks to national authorities could add complexity to organizations operating online in the European Union, says IT security lawyer François Gilbert.
The new measure would require banks, healthcare providers, social media companies, search engines and other e-commerce entities operating in Europe - even those based elsewhere - to report breaches to national authorities.
"This is a business that should have known better," U.K. Deputy Information Commissioner David Smith says. "There's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
With different nations establishing different privacy standards, organizations face adopting the most stringent regulations in order to be compliant everywhere they operate, says Marc Groman, a director of the International Association of Privacy Professionals.