Posted by Stewart Room | 22 Mar 2010
In the past seven years a raft of legislation has emerged globally governing the public disclosure of serious IT security incidents. Appropriately, the defining act for this came from the seat of the IT industry. The State of California's 2003 bill (SB 1386) laid out a set of core philosophies that have since been widely adopted elsewhere:
Similar legislation has now been adopted by most US states, and in the European Union progress towards a comparable legal framework for electronic communications is now well advanced. At a national level, countries such as the UK, Spain and Italy already mandate the disclosure of serious breaches.
For the CIO operating on the international stage, the point has already been reached whereby provisions for disclosure should be written into their standard operating procedures. Standards for best practice, such as ISO 27001, and private-law requirements for data security, such as PCI DSS, also require this. And although at this juncture it would not be accurate to say that breach disclosure is a universal legal requirement, it is still possible to identify the core attributes of the requirements in different jurisdictions.
Disclosure laws apply to personal data rather than data about corporates. While different US states focus on the exposure of data that links a person's name with private information such as their social security number, the forthcoming EU rules are concerned with the wider scope of "personal data" - any information relating to an identified, or identifiable, living individual.
There are different definitions of a breach. In California "any breach of the security of the system" is disclosable, while in Indiana it is "a breach of the security of data". The EU will be concerned with "personal data breaches: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data".
The focus is typically on unprotected data. The obligation to disclose, as framed by the EU, does not apply where "technological protection measures" such as encryption are taken to "render the data unintelligible", unless the national regulators order otherwise. Many jurisdictions have a seriousness threshold, such as substantial economic loss, that must be crossed for the disclosure obligation to apply.
Laws differ on whether an official body, as well as the individual concerned, needs to be notified. Some US states don't require any official notification, while in the EU the trend is towards disclosure to official bodies as a matter of course and to the individual in serious cases.
As those differences underscore, global CIOs need to work with a matrix of the specific requirements for disclosure in all the jurisdictions in which they operate. And even where there is still an absence of relevant laws, corporate governance regulations mean non-disclosure is rarely a viable option.
Stewart Room is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP. He is the author of Data Security Law and Practice (2009) and the founder of Breach Action, a comprehensive service for the handling of security breaches and data loss.