The proposal will force the declaration of data losses to Ireland's Data Protection Commissioner in all cases in which more than 100 people's data have been compromised, according to a draft Code of Practice published by the Commissioner.
Organisations can avoid reporting an incident if data is encrypted and protected by a strong password, or if there was a strong password and a remote memory-wipe feature on a lost device and that feature was activated immediately.
Data protection officials are split on whether data security breach notifications should be introduced. Many US states have them on their statute books but the UK's Information Commissioner's Office (ICO) has never fully supported them, arguing that they can mask the seriousness of some incidents by making lesser incidents seem common and without serious consequences.