
Data Breaches - Time To Come Clean

Editorial Type: Comment     Date: 09-2013    Views: 2213   
The day that telecoms operators and internet service providers (ISPs) across Europe must have dreaded has finally arrived.

From now on, they are legally obliged to disclose personal data breaches, unless certain exceptions apply. The EU brought the rule into effect on 25 August this year as part of an extension to the 2009 E-Privacy Directive. It means that all such companies in Europe will have to notify national authorities, if any theft, loss or unauthorised access of their customers' personal information occurs.

How far do the new regulations go and what do they cover? In essence, they include emails, calling data and IP addresses - and the notification must contain specific details, including the timing of the breach, the data involved and whether or not anyone will be negatively affected by it. Also, businesses will need to outline exactly what is being done to address the problem.

Are there any exceptions to the rule? Well, yes. If the telecoms providers can demonstrate to regulators that the "technological protection measures" in force mean the breached data is "unintelligible to any person who is not authorised to access it", they will at least be able to avoid the next step, which is notifying individual customers that the breach has occurred.

The European Commission has published a list of the measures it considers suitable for making personal data unintelligible, and the upshot is that encryption and third-party online hosting are bound to become increasingly important in the future, as firms seek to protect the data within their ownership and control.

Not surprisingly, many organisations have been actively campaigning against the proposed data breach provisions, arguing that they are damaging to businesses, overly bureaucratic and will put an unnecessary extra burden on them when it comes to complying with the directive. Most of all, they have pointed out that the voluntary code of disclosure already in existence was perfectly adequate.

However, the EU has seen it as imperative to bring all of its member states into line and under one roof on this issue. And what now applies to telecoms operators and ISPs may soon be extended to embrace other sectors, if the scheme is seen to be working well and achieving its goals of ensuring transparency where breaches have indeed occurred. As Paul Ayers, VP EMEA at enterprise data security firm Vormetric, points out: "… this should act as a warning shot to all organisations processing personal data, as, under the forthcoming regulation, they, too, will shortly have to follow similar rules."

Wishing the new regulations away, or simply ignoring them, won't work. In any event, with the reputational harm that can be caused by a single data breach now widely recognised and acknowledged, the EU ruling should serve to motivate all organisations to implement even more robust data breach handling procedures in future, so as to ensure they do not fall foul of those laws.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
