BreachExchange mailing list archives

EU telcos, ISPs, have 24 hours to notify of data breach


From: Lee J <lee () riskbasedsecurity com>
Date: Thu, 29 Aug 2013 22:47:05 +1000

http://www.itnews.com.au/News/355140,eu-telcos-isps-have-24-hours-to-notify-of-data-breach.aspx

Telecommunications and internet service providers in the EU have as of this
week 24 hours from the moment of discovery to report a data breach to
authorities.

The new legislation, announced in June, requires telco providers to notify
EU authorities within a day of detection if any loss of data, unauthorised
access or theft had arisen from a breach.

The legislation came into effect this week.

Similar rules governing mandatory data breach notification
<http://www.itnews.com.au/News/348355,missed-deadline-for-data-breach-notification-law.aspx>
have been put forward in Australia, but proposed legislation failed to be
heard on the last day of Senate sitting in June.

Organisations criticised for taking weeks or even months to notify victims
have often defended delays in revealing a breach, claiming they needed the
time to investigate breaches.

EU Commission vice president Neelie Kroes said the new strict laws were
required for affected customers to take action.

"Consumers need to know when their personal data has been compromised, so
that they can take remedial action if needed, and businesses need
simplicity," Kroes said.

"These new practical measures provide that level playing field."

Telcos and ISPs in the European Union will need to provide an initial
notification within 24 hours and a more thorough follow-up within 72 hours.

The notification must include the provider, summary of the incident, number
of affected individuals, content of data impacted and measures taken to
mitigate adverse effects.

EU law mandated that affected individuals were alerted “without undue
delay” if breaches involved personal data.

Personal data breaches were defined as "breaches of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise
processed in connection with the provision of a publicly available
electronic communications service in the [European] Union".
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
