BreachExchange mailing list archives
Enisa: Telecoms companies are wary of data breach law
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 19 Jan 2011 01:50:38 -0500

http://www.zdnet.co.uk/news/security/2011/01/14/enisa-telecoms-companies-are-wary-of-data-breach-law-40091437/

Telecoms providers and data-protection authorities are worried by the potential fallout of an upcoming European data-breach notification law, according to the European Network Information Security Agency.

Enisa, the EU's information security policy adviser, outlined its concerns in a report on the effects of the ePrivacy Directive issued on Friday. The study is designed to provide guidance to telecommunication providers as they prepare for the law, which forces companies to inform customers about data breaches.

"Gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take-up of innovative technologies and higher value-added online services across Europe, and will be a key challenge for organisations," said the report.

Under the ePrivacy Directive, from March telecoms companies must publicise data breaches. In addition, the banking, healthcare and small business sectors are being considered for inclusion in data-breach notification law by the European Commission.

The study found that electronic communications companies are concerned about the damage that breach notification could do to their brands. They also wanted guidance on how to prioritise breaches according to severity and advice on categorising types of data.

For their part, data-protection regulators are worried about having sufficient resources to cope with notification, a lack of sanctions, a lack of technical expertise, and how to raise data-protection awareness, according to Enisa.

Public confidence

The ePrivacy Directive gives businesses a legal impetus to guard against data breaches, in addition to the reputational impetus, according to the EU body. High-profile incidents of data loss and exposure have shaken public confidence in organisations' abilities to keep personal data safe, it said.

"Every day there seems to be headlines that personal data has been leaked, that someone has found a laptop on a train," Enisa data-breach expert Sławomir Górniak told ZDNet UK.

Organisations must gain public trust that personal data will not be divulged, otherwise they risk hindering the take-up of innovative technologies, according to Enisa.

Measures such as encryption can mitigate the risk, said Górniak. "If you lose a laptop, and it's encrypted, and you have the keys, then this is not a data breach," he said.

In the UK, the data-protection regulator is the Information Commissioner's Office (ICO). The regulator has the power to fine organisations for breaching data-protection laws, but did not fine Google over its Street View collection of personal data. In November, the ICO levied its first fines, against Hertfordshire County Council and employment services company A4e.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list