InfoWatch and the world’s — first-ever annual study on the problems of internal IT security in Europe. The findings are based on surveys InfoWatch conducted with a range of middle- and upper-tier IT management professions from 410 companies across Europe. The EU1 — unlike the US — has had no directives requiring the mandatory notification of victims in cases of data breach, and companies have been slow at times to initiate notification procedures. It is natural that company management would fear the major costs — both financial and in terms of lost reputation — which accompany a data leak. And rather than initiate costly procedures against themselves, some have opted to hope that the problem will just go away, especially in the typical case of a lost or stolen laptop. Such a policy of avoidance can result in hefty losses for those whose data is held on the computer and who become victims of identity theft as a result. Many companies have, of course, been proactive in dealing with such leaks, notifying those affected, setting up advice hotlines, providing bank account monitoring and bringing in the law-enforcement agencies. But while, to date, admissions of data leakage across the EU have relied on companies choosing to make that information public — a decision which has depended on how the company perceives its best interests in the circumstances — that may soon change. While InfoWatch welcomes the growing appreciation among IT managers of the importance of viable preventative solutions to internal information security, InfoWatch looks forward to being able to share with their partners and clients the clearer picture of data leakage across Europe that the proposed EU directive will stimulate.