US Security Chief Calls EU 24-Hour Data Breach Notification Rule ‘Unworkable’

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.techweekeurope.co.uk/news/us-security-chief-calls-eu-24-hour-data-breach-notification-rule-absolutely-unworkable-56752

New data privacy regulations being considered by the European Union
will present serious complications for US companies doing business in
Europe, according to Bob Quinn, an AT&T security and data privacy
executive who took part in a panel at the George Washington University
School of Law in Washington, DC.

For example, the 24-hour window for data breach notifications that the
European Commission is including in its proposed changes to the
European Union data privacy laws is “absolutely unworkable”, AT&T’s
chief privacy officer Bob Quinn said. Quinn joined executives from
Facebook, eBay and MasterCard Worldwide during the National Cyber
Security Alliance (NCSA) Data Privacy Day event.

Too little time

The European Commission has revealed plans for new rules to update the
17-year-old data privacy laws to better protect Internet users. The
laws are intended to improve online defences that protect children
from online predators, simplify data protection laws across all the
European Union countries and reduce bureaucracy.

Quinn noted that once a breach is discovered, the organisation has to
stop it, limit the impact, understand what happened, identify the root
cause and figure out who was affected. All this in 24 hours is just
not feasible and would wind up requiring organisations to notify
everyone, and not just the ones who had been affected, Quinn said.

While over-notification can become an issue, it is far more important
to have educated consumers, said Erin Egan, Facebook’s chief privacy
officer for policy. Receiving a breach notification notice will make
users aware of a potential problem and give them time to act to
protect themselves, she said.

US enterprises also have to deal with a wide range complicated data
breach notification rules enforced by the nation’s 50 states.
MasterCard’s global privacy and data protection officer, JoAnn
Stonier, said a federal breach notification law would be a lot easier
than what businesses currently have to deal with, but cautioned that
Congress would have to make it workable. The entire process is a
“complicated stew”, she said.

Facebook supports the idea of a federal breach notification law and
would like to see Congress push that legislation through, according to
Egan. However, she did not think it would pass this year, but said she
was not the best judge of determining the likelihood of a bill’s
passage.

Three phase Facebook

Egan said Facebook defines privacy as having three parts –
transparency, control and accountability – and works hard to deliver
on all those areas. When she sat down with Facebook’s Chief Security
Officer Joe Sullivan shortly after being appointed chief privacy
officer in November, she was “blown away” by all the things Facebook
does behind the scenes to ensure user privacy and security, Egan said.

Facebook takes privacy of its users seriously and is focused on
improving how it communicates with users, she said. There is a big
misperception that Facebook is not “as thoughtful about privacy as we
are”, Egan said.

Facebook engineers are regularly innovating around privacy and
security to protect their users, according to Egan. An example is the
social authentication feature rolled out last year. Whenever there is
a hint that the user may not be who he or she claims to be, it is
important to ask for more information. Social authentication requires
users to identify photos of their Facebook “friends” that are mixed in
with other photos in order to verify their identity.

The person trying to break into a Facebook account may know the
password, but “they probably don’t know your friends”, Egan said.

Before any product is launched at Facebook, a cross-functional team
sits down and reviews its privacy and security implications, Egan
said. Decisions made to safeguard user privacy, such as how long to
keep the data, are implemented by security and back-end teams, she
said.

Shared responsibility

Privacy is a “shared responsibility” between users and the company,
according to Egan. The company needs to be upfront about what it will
do with the data it collects, but users also need to think about what
they want to do with the data.

The new profile page Timeline that Facebook is planning to roll out to
all users is a good example of how the company uses data. The
information is laid out and presented so that users have a record of
events and can create a scrapbook easily. But if people do not want
the information out there, they can easily decide to get rid of that
piece of data. The control remains in the user’s hands, she said.

Facebook has worked hard to simplify the privacy policies on its site
and explain to users how the data being collected is being used. The
site provides a download tool that allows users to see exactly what
Facebook has about them, Egan said. Inline controls also allow people
to adjust who can see their information on an item-by-item basis.

Finally, the company knows it is accountable to the users because if
it is not viewed as being trustworthy, users will not use the service,
Egan said. Accountability also extends to the government, and Egan
said Facebook is embracing its responsibilities as outlined under the
recent settlement with the Federal Trade Commission on how it should
handle user data and obtain consent.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue
http://www.credant.com/campaigns/external_media_ebook/chapter1/lp/