Proposed European Union data breach notification laws will require proactive network security, says security management...
The data breach notification laws have taken another step towards enactment with approval by rapporteurs of two European parliamentary committees.
In response to the reform of the EU’s data protection rules proposed by the EC a year ago, the rapporteurs agreed with the proposal that EU rules must apply if personal data of individuals in the EU is handled abroad by companies which are not established in the Union.
The rapporteurs also emphasised the need to have independent national data protection authorities which are well-equipped to better enforce the EU rules at home.
This means the new laws could require major tech firms like Google and Facebook to report any security breaches to local data protection authorities or risk fines.
“Legislation enforcing the disclosure of any IT security breaches is long overdue,” said Ross Brewer, vice-president and managing director for international markets, LogRhythm.
“Our recent research shows that 80% of the UK public implicitly do not trust organisations to keep their data safe – so this new law will hopefully serve to rebuild public confidence in cyber security,” said Ross Brewer.
Read more about EU data protection
- Proposed EU data protection bad for business, says CBI
- How to prepare for proposed EU data protection regulation
- Proposed EU data protection framework needs work, says ICO
- The implications for storage of EU data protection regulation
- Data Protection Masterclass: New EU Data Protection Regulation
- The new EU data protection regulation: Planning for compliance
- EC publishes proposed data protection reforms
- UK business fears impact of new EU data protection framework
- The proposed EU data protection regulation and its impact on cloud users
However, if the law is enacted, any organisations holding user data will need much deeper insight into the activity taking place across their networks, as they will be required to provide accurate details of any security breaches.
“It will therefore be necessary for organisations to improve the use of the data generated by their IT systems, in order for any abnormal activity to be more quickly and effectively identified,” said Brewer.
“Unfortunately, this information is often managed in an inefficient and disparate manner, which can lead to inaccurate breach details being reported,” he said.
According to Brewer, this "over-disclosure" has already become an issue in the US, where breach notification laws are in place, with organisations being unable to identify exactly what the security breach entailed due to a lack of visibility within their IT systems.
With cyber attacks becoming increasingly sophisticated and frequent, and with IT data volumes growing at unprecedented rates, Brewer believes data breaches have become inevitable.
For this reason, he said it is in every organisation’s best interest to baseline normal, day-to-day activity across all dimensions of IT infrastructures, in order to recognise true weaknesses and identify anomalies in real time.
“This will also allow for a deep forensic analysis of growing amounts of data. In doing so, organisations can proactively secure both data and infrastructure, while avoiding disclosing inaccurate information and unintentionally escalating the magnitude of a breach,” said Brewer.
Only a cyber security strategy focusing on the continuous monitoring of IT networks will provide the network visibility and intelligent insight to future-proof against increasingly stringent legislations on IT security, he said.