BreachExchange mailing list archives

Mandatory data breach reporting rules finally agreed by EUrocrats


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Dec 2015 18:43:24 -0600

http://www.theregister.co.uk/2015/12/09/eu_network_information_security_directive_finalised/

After five hours of negotiations on 7 December, members of the European
Parliament and Council finally settled on the wording of the EU's Network
and Information Security (NIS) Directive.

The directive was first proposed in 2013 as a means of forwarding the
European Union's cybersecurity strategy. As it is a directive, rather than
a regulation, member states will have to meet its demands by passing their
own domestic laws.

The Network and Information Security Directive targets critical national
infrastructure – or operators in energy, transport, health, and banking –
and requires them to report cyber security breaches almost as soon as they
are discovered or else risk regulatory fines and other sanctions from
national authorities who will be given powers to enforce the rules.

Though the NIS directive's final text has not yet been released, The
Register understands it may make its way into the public domain by 18
December – and an EU press release
<http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity>
has offered details regarding the "first ever EU rules on cybersecurity".

While ostensibly focused on those using computer networks to manage
critical national infrastructures across the EU, the directive will affect
digital services such as the cloud, search engines and marketplaces. "Micro
and small" services will be exempt from the directive, however.

Phil Lee, partner in the Privacy, Security and Information group at
European law firm Fieldfisher, commented: "This is an entirely new
obligation for businesses that are within the Directive's ambit. We are
highly likely to see companies having a serious look at their preparedness
for preventing, managing and responding to a cybersecurity breach, and this
will necessitate system-wide security reviews and the creation of cyber
breach management policies, incident response teams and awareness-raising
programs. This is of course the reaction the EU is looking for."

The directive appears to cover cloud-based business but how this will work
in practice remains more than a little unclear, according to the privacy
law expert.

Luke Scanlon, technology lawyer at Pinsent Masons said: "Until now, most
businesses have been under no obligation to report incidents of this type,
so this legislation will likely expose in more concrete terms the sheer
scale of the cyber security issue of which we are all aware."

The new law will introduce mandatory data breach notifications for a range
of critical infrastructure companies and is the first EU-wide cybersecurity
ruling. Firms providing critical infrastructure will be obliged to ensure
that the digital infrastructure used to deliver essential services, such as
traffic control or electricity grid management, is robust enough to
withstand attacks by hackers.

"However, outside of certain identified sectors, it's also reported that
the agreement reached will extend the scope of the Directive to cloud-based
businesses, and it's unclear quite what is meant by this. The reality is
that the vast majority of businesses have a cloud-based element to their
services these days," Fieldfisher's Lee explained.

The US already has state-level data breach reporting requirements in most
states and a federal level cybersecurity strategy, so it could be argued
that the EU is playing catch-up on data privacy and security regulation.
"This is one step in ongoing changes to wider ongoing regulatory reform
around digital platform regulation and data privacy rules," he concluded.

“An EU-wide initiative has been a long time coming,” said Ross Brewer, vice
president and managing director for international markets at security tools
firm LogRhythm. “The Network and Information Security Directive will
further enforce what is now so important; the ability to identify threats
as quickly as possible.

“From Vtech to JD Wetherspoons, to the disaster that was TalkTalk, you can
pick up any newspaper and see that organisations are still failing when it
comes to cyber defences. Perhaps hitting them with eye-watering financial
penalties and stricter regulations will help change that,” he added.

Member states will also be required to establish Computer Security Incident
Response Teams (CSIRTs), who will be responsible for handling cybersecurity
incidents and risks.

Nigel Hawthorn, Skyhigh Networks' European spokesperson, said the ruling is
good news for consumers because it will boost confidence that firms will
have to take measures to protect their information, boosting data privacy
in the process.

“For too long businesses have tried to tip-toe their way out of notifying
customers about data breaches, worried about the damage it can have on
reputation and sales,” Hawthorn commented. “Banks especially have been
guilty of trying to keep ‘mum’ whenever they can. While this directive is
aimed at critical infrastructure companies, it will still provide customers
with greater confidence and, more importantly, raises their expectations of
privacy.”

Chris Wysopal, CTO and CISO at secure coding firm Veracode, added: “Any
legislation needs to be prescriptive to create a baseline for what’s
considered reasonable security, otherwise it will be difficult to drive
change. One way to do this would be taking the Network and Information
Security Directive one step further and crafting some form of liability to
enforce reasonable efforts are being taken to secure systems.”

At national legislatures' discretion, member states will additionally be
required to adopt a national NIS strategy establishing cybersecurity
objectives, policy, and regulatory measures. As with the Information
Commissioner's Office in the UK, which is the national authority for
implementing and enforcing the EU data protection regulation, the
cybersecurity regulation will likely be enforced by a commissioner in
Blighty – though whether that will be an existing commissioner, or whether
a new commissioner's office will be established, is unclear. ®