Information security body ISACA calls for mandatory data breach reporting in company reports

Information security professionals association ISACA says reporting of data security breaches should be mandatory in quarterly and annual company reports.

Rolf von Roessing, ISACA international vice president, said of the security reporting call, “That way the issue can be given the precedence it requires, but also allowing the company to report the security breaches to all interested parties, namely the shareholders and employees, rather than simply catering to sensationalists and the media generally.”

He said, “Rather than risking the reputation of a company being pilloried – and perhaps sending its share price plummeting as a result of unfettered media reporting – the reporting process should be more measured, and require the ‘signing off’ of the report by management, in a similar process to Sarbanes-Oxley s302 disclosure reporting in the US.”

According to von Roessing, whilst the public has a legitimate interest in learning about security breaches, it is important to look at the bigger picture, that of "the real public interest" in a company being seen to learn from its mistakes and allowing management to recover from a situation, rather than subjecting the company to a public witch hunt which benefits no-one in the longer term.

ISACA has published a Business Model for Information Security that can be adopted by data security regulatory authorities.
