BreachExchange mailing list archives

Europe Weighs New Data Breach Rules For Critical Companies


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 18 Dec 2012 16:39:27 -0500

http://www.informationweek.com/security/cybercrime/europe-weighs-new-data-breach-rules-for/240144604

European businesses that provide critical infrastructure services,
including banks, stock exchanges, telecommunications firms and
utilities, may soon be required to disclose to authorities any data
breach they suffer.

That proposal is contained in draft regulations currently being
circulated by the European Union's executive committee. The committee
plans to formally introduce the recommendation in February 2013, after
receiving feedback from the European Parliament and the 27 different
countries in Europe that comprise the EU.

An EU spokesman didn't immediately respond to a request to review a
copy of the executive commission's draft proposal. But EU officials
said the new regulation is needed to remove the stigma associated with
data breaches, as well as to improve information sharing between
providers of critical infrastructure services, who are being
increasingly targeted by hackers.

"We want to change the culture around cybersecurity from one where
people are sometimes afraid or ashamed to admit a problem, to one
where authorities and network owners are better able to work together
to maximize security," an unnamed EU official told Reuters, which
first reported the news of the EU's draft proposal.

The draft report from the EU's executive committee suggests that
critical infrastructure is too valuable to be left to voluntary -- if
any -- reporting requirements. "Cybersecurity incidents are increasing
at an alarming pace and could disrupt the supply of essential services
we take for granted such as water, sanitation, electricity or mobile
networks," the report said, according to news reports. Furthermore,
the report suggested that businesses in Europe currently "lack
effective incentives to provide reliable data on the existence or
impact" of data breaches or information security incidents.

"Minimum security requirements should also apply to public
administrations and operators of critical information infrastructure
to promote a culture of risk management and ensure that the most
serious incidents are reported," according to the draft report.

Europe currently lacks a single data-breach notification law. Instead,
not unlike in the United States, data-breach notification requirements
in Europe are governed by a patchwork of country-level provisions. The
different laws have differing thresholds for triggering notifications,
and differ also as to whether individuals, regulators or both should
receive notifications.

"For example, a legal obligation to notify regulators and affected
individuals (under certain circumstances) of data breaches exists in
Germany and Norway," according to a recent analysis of European data
breach notification requirements published by attorneys Christopher
Kuner and Anna Pateraki at Wilson Sonsini Goodrich & Rosati. "In
contrast, some countries, such as Austria, have a legal requirement to
notify individuals but not the regulator, whereas other countries have
a voluntary regime based on codes and guidelines issued by regulators,
such as Denmark, Ireland and the United Kingdom."

A draft data protection regulation currently being debated by the EU
would also create a single data breach notification requirement for
all of Europe. But EU watchers have said that debate over the proposed
changes may take at least another year or two to be resolved.

Regardless of the timing, data security and breach notifications are
clearly on the EU's agenda. "The European Commission's work on
critical infrastructure shows the crucial importance of cybersecurity
in today's world," said Brussels-based Pateraki, who specializes in
privacy law, via email. "In parallel to the ongoing EU data protection
reform, which will also enhance data security, the commission is
planning to move forward with a proposal on critical information
infrastructure protection (CIIP) probably in early 2013. It is
expected that the commission's CIIP proposal will build on the
existing proposal for a general data breach notification regime and
might include a similar regime for security breach notification in
critical sectors."

Note: Story updated to include Anna Pateraki's quote.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
