European telecoms operators want greater clarity on how to comply with data breach notification (DBN) requirements, says the EU's cyber security agency.
Although recognising that the DBN requirements have an important role for data protection and privacy, operators are seeking clarifications at both EU and local level on how to comply, according to the European Network and Information Security Agency (Enisa).
The DBN requirement for the electronic communications sector, introduced in the review of the ePrivacy Directive (2002/58/EC), is vital to increasing data security in Europe, but both telecom operators and the data protection authorities (DPAs) have concerns, Enisa said in its latest report.
The main concerns include risk prioritisation, communication channels, resources, enforcement, reporting delays and content of notifications.
An Enisa survey found that those in the telecoms sector believe the seriousness of a breach should determine the level of response, and that breaches should be categorised according to risk level to avoid 'notification fatigue'.
Operators want assurances that notification requirements will not harm their brands, while DPAs indicated that having sanctioning authority enables them to enforce the regulations more effectively.
Regulators want short deadlines for reporting breaches, but service providers told Enisa they want to focus their resources on solving the problem. Operators also want to make sure the notification content does not have a negative effect on customer relations, while regulators want all the necessary information.
Enisa said the agency would develop guidelines in 2011 for the technical implementation measures and the procedures for DBN. The agency will also analyse the possibility of extending the general obligation of DBN to other sectors, such as financial, healthcare and small businesses.
These issues will be discussed at a workshop in Brussels on 24 January, Enisa said.