BreachExchange mailing list archives

EU data breach disclosures to be enforced soon


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 20 Aug 2013 16:23:46 -0400

http://www.computerweekly.com/news/2240203760/EU-data-breach-disclosures-to-be-enforced-soon

The new European Union regulation requiring mandatory personal data
breach disclosures by telecoms operators and internet service
providers (ISPs) comes into force on Sunday 25 August 2013.

The new regulation builds out the security breach provisions for
telecoms providers and ISPs introduced into EU law in 2009 through the
E-Privacy Directive 2009/136/EC.

From 25 August, all EU telcos and ISPs will be required to notify
national authorities of any theft, loss or unauthorised access to
personal customer data, including emails, calling data and IP
addresses.

Details concerning any incident, including the timing and
circumstances of the breach, nature and content of the data involved,
and likely consequences of the breach, must be reported.

“Controversially, the regulation requires breach notification to
national regulators within 24 hours of detection, subject to a
‘feasibility’ request,” said Stewart Room, privacy and information
partner at law firm Field Fisher Waterhouse.

“In other words, this looks very similar to the approach that the
European Commission initially proposed within the draft Data
Protection Regulation 2012, which has been almost universally
condemned as unworkable, unhelpful and unnecessary. It is hard to
detect a substantive logic to this measure and, in more practical
terms, it is hard to see why such rapid disclosure is needed,” he
said.

The new regulation also requires telcos and ISPs reporting breaches to
detail measures taken to address the breach within three days.

Regulation highlights importance of data security
This regulation comes into effect ahead of the broader Draft Data
Protection Regulation, which will require a similar response from all
businesses that handle personal data, not just telcos and ISPs.

Paul Ayers, vice-president for Europe at enterprise data security firm
Vormetric, said that while the revised E-Privacy Directive applies
only to telecoms and internet service providers, it sets the tone for
dealing with data breach incidents for all businesses.

“This should act as a warning shot to all organisations processing
personal data, as under the forthcoming regulation, they too will
shortly have to follow similar rules,” he said.

Multinational companies will have to be particularly mindful of the
fact that member states will enforce the terms of the regulation
differently, and they will have to meet the particular requirements in
every member state in which they have operations, said Ayers.

“The advent of this latest amendment serves as an important reminder of
the need to take the security of data seriously,” he said.

According to Ayers, the string of data breaches hitting the headlines
suggests that it is not a case of if, but when a business will suffer
at the hands of hackers or insider threats.

“It is only by taking steps to implement policies and technology
solutions that are simple and powerful enough to adapt to regional
compliance variations – and by ensuring that data is sufficiently
obfuscated in the event of a breach – that organisations will be able
to shield themselves from the financial and reputational penalties at
stake,” he said.

Pitfalls of mandatory data breach notification
Information Commissioner Christopher Graham used his keynote speech at
Infosecurity Europe 2012 to sound a warning against the introduction
of mandatory data breach notification requirements for all companies.

He argued that if mandatory disclosure were introduced, as proposed in
new draft EU regulations currently under consideration, the
Information Commissioner’s Office (ICO) would be “buried” under a
deluge of breach notifications.

Graham said the ICO needs to be “selective to be effective”, and the
current system of voluntary breach disclosure works well because
companies know they are less likely to be punished if they are open
about breaches, rather than trying to cover them up.

“They know that they will be dealt with more severely if they attempt
to conceal a breach,” he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
