EU data breach disclosures to be enforced soon

The new European Union regulation requiring mandatory personal data breach disclosures by telcos and ISPs comes into force on 25 August 2013

The new European Union regulation requiring mandatory personal data breach disclosures by telecoms operators and internet service providers (ISPs) comes into force on Sunday 25 August 2013.

The new regulation builds out the security breach provisions for telecoms providers and ISPs introduced into EU law in 2009 through the E-Privacy Directive 2009/136/EC.

From 25 August, all EU telcos and ISPs will be required to notify national authorities of any theft or loss of, or unauthorised access to, personal customer data, including emails, calling data and IP addresses.

Details concerning any incident, including the timing and circumstances of the breach, nature and content of the data involved, and likely consequences of the breach, must be reported.

“Controversially, the regulation requires breach notification to national regulators within 24 hours of detection, subject to a ‘feasibility’ request,” said Stewart Room, privacy and information partner at law firm Field Fisher Waterhouse.

“In other words, this looks very similar to the approach that the European Commission initially proposed within the draft Data Protection Regulation 2012, which has been almost universally condemned as unworkable, unhelpful and unnecessary. It is hard to detect a substantive logic to this measure and, in more practical terms, it is hard to see why such rapid disclosure is needed,” he said.

The new regulation also requires telcos and ISPs reporting breaches to detail measures taken to address the breach within three days.

Regulation highlights importance of data security 

This regulation comes into effect ahead of the broader Draft Data Protection Regulation, which will require a similar response from all businesses that handle personal data, not just telcos and ISPs.

Paul Ayers, vice-president for Europe at enterprise data security firm Vormetric, said that while the revised E-Privacy Directive applies only to telecoms and internet service providers, it sets the tone for dealing with data breach incidents for all businesses. 

“This should act as a warning shot to all organisations processing personal data, as under the forthcoming regulation, they too will shortly have to follow similar rules,” he said. 

Multinational companies will have to be particularly mindful of the fact that member states will enforce the terms of the regulation differently, and they will have to meet the particular requirements in all member states in which they have operations, said Ayers.

“The advent of this latest amendment serves as an important reminder of the need to take the security of data seriously,” he said.

According to Ayers, the string of data breaches hitting the headlines suggests that it is not a case of if, but when a business will suffer at the hands of hackers or insider threats. 

“It is only by taking steps to implement policies and technology solutions that are simple and powerful enough to adapt to regional compliance variations – and by ensuring that data is sufficiently obfuscated in the event of a breach – that organisations will be able to shield themselves from the financial and reputational penalties at stake,” he said.

Pitfalls of mandatory data breach notification

Information Commissioner Christopher Graham used his keynote speech at Infosecurity Europe 2012 to sound a warning against the introduction of mandatory data breach notification requirements for all companies.

He argued that if mandatory disclosure were introduced, as proposed in new draft EU regulations currently under consideration, the Information Commissioner’s Office (ICO) would be “buried” under a deluge of breach notifications.

Graham said the ICO needs to be “selective to be effective”, and the current system of voluntary breach disclosure works well because companies know they are less likely to be punished if they are open about breaches, rather than trying to cover them up.

“They know that they will be dealt with more severely if they attempt to conceal a breach,” he said.
