BreachExchange mailing list archives

EU Data-Privacy Rules to Make Breach Disclosures Mandatory Within 24 Hours


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 22 Jan 2012 22:42:32 -0500

http://www.bloomberg.com/news/2012-01-22/eu-s-reding-says-users-to-be-told-of-data-hacks-within-24-hours.html

A European Union proposal to simplify and toughen the region’s
data-protection rules will require companies to disclose data breaches
within 24 hours of their occurrences, Justice Commissioner Viviane
Reding said.

The EU will this week outline an overhaul of its 17-year-old
data-protection policies addressing online advertising and
social-networking sites.

The bill, which includes stricter sanctions and will equip national
data-protection authorities with powers to levy administrative
sanctions and fines, will “become a trademark people recognize and
trust worldwide,” Reding said at a conference in Munich yesterday.

Sony Corp. (6758) was criticized last year by U.S. lawmakers for
taking six days to warn customers about a cyber attack that exposed
more than 100 million customer accounts, the second-largest online
data breach in U.S. history. Industry groups with members including
Microsoft Corp. (MSFT) and Google Inc. (GOOG) have warned the EU
against setting overly strict data-privacy rules, saying that may
stifle innovation.

“What exactly do companies need to do within those 24 hours, and what
happens for example with cookies?” said Kay Oberbeck, Mountain View,
California-based Google’s head of communication for Germany, Austria
and Switzerland, referring to Internet files that are saved on a
user’s computer to enable website operators to display personalized
content.

‘Legally Justified’

The legislation will require companies to obtain “specific and
explicit” consent from Internet users to store information, and delete
data unless there is a “legitimate and legally justified interest” to
keep them on their servers, Reding said at the annual Digital Life
Design conference.

Google, Facebook Inc., Yahoo! Inc. (YHOO) are among Web companies that
collect user information and get paid by clients who can use the data
to better target advertisements for their products or services. Having
to get approval for individual data retention and an obligation to
purge files may reduce those companies’ revenue.

“Companies that suffer a data leak must inform the data protection
authorities and the individuals concerned, and they must do so without
undue delay,” Reding said. She cited a survey showing 72 percent of
Europeans are concerned about how companies use their data.

The draft rules aim to establish common legislation for the 27-member
European Union, as well as national points of contact that can make
decisions that will be valid for the region. Uniform legislation will
save businesses 2.3 billion euros ($3 billion) a year by, for example,
reducing paperwork, Reding said.

Building Trust

The European Commission, the EU’s executive agency, is backed in its
reform efforts by countries including Germany and France, which are
aiming at giving local companies a boost against U.S.-based Web
pioneers.

Stefan Gross-Selbeck, chief executive officer of Xing AG (01BC), a
German professional-network operator that competes with Mountain View,
California-based LinkedIn Corp., said a common market would make it
easier for it to attract a Europe-wide customer base.

“In the longer-term there’s actually no fundamental conflict between
companies and regulators,” Gross-Selbeck said at the conference. “You
need the trust of your customers to build a successful and stable
business, and so all companies have an interest to build that trust.”

U.S. Measure

Data breaches at Tokyo-based Sony and Citigroup Inc. have also
sharpened scrutiny by the U.S. government on how businesses protect
consumer information and notify the public about cyber attacks. A U.S.
senate panel in September approved a measure that would set a national
standard for notifying consumers about data breaches, replacing varied
reporting requirements in 47 states. It also would make concealing a
data breach a crime.

Reding didn’t specify what sanctions European regulators may impose on
companies failing to comply with the requirements.

In the U.S., Internet companies are also fighting anti-piracy bills
supported by the movie and music industries. Senate and House leaders
last week shelved the proposed legislation after a global online
protest by Google and Wikipedia eroded congressional support.

“Politicians are so slow, they are miles behind,” Andrew Keene, author
of “The Cult of the Amateur: How Today’s Internet Is Killing Our
Culture,” said at the conference, adding that companies such as
Facebook will find ways to get ahead of the rules.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
