A radical overhaul of EU data protection law was sketched out on 20 June by the vice president of the European Commission and EU Justice Commissioner, Viviane Reding. Companies operating within the EU will soon be required by law to publicly disclose data security breaches.
This is a welcome and long overdue announcement. The existing legislation dates from 1995 and is no longer suitable for what Reding terms our ‘internet society’. The emergence of the internet, social networking, smartphones, tablets and cloud computing means that we leave behind a digital footprint with every virtual move we make.
The risk profile of each individual who interacts in this digital world has increased exponentially as a result. Companies hold our sensitive personal data, which can be stolen and exploited by criminals. Protecting information is a much greater challenge than it was in 1995.
The diversity of legislation across the EU causes headaches for companies that straddle national boundaries. The administrative costs of doing business across countries with significantly different data protection laws, combined with the accompanying legal uncertainty, were a problem in need of rectification.
The flurry of recent high-profile hacks has no doubt acted as a catalyst for Reding’s announcement, just as it has spurred calls for data protection reform at a federal level in the US. The California state legislature was the first to pass a data breach notification law back in 2003; many other states soon followed suit. But, just as is the case with the EU, this has led to a mishmash of laws across the country that is detrimental to US businesses and consumers alike. The US is trying to tidy this up, with a Federal “SAFE Data Act” having recently been approved by a House subcommittee.
A common standard for data breach notification will simplify the rules for businesses in both jurisdictions and should improve customer confidence in the data security standards of their service providers.
However, does the ‘obligation to notify incidents of serious data security breach’ alone provide enough of an incentive for businesses to actually improve their security practices? The risk is that the constant stream of personal data breaches will render them no longer newsworthy and desensitize consumers to their significance.
It is naturally in the interest of consumers that companies employ best practices with their personal data. Yet it also needs to be in the interest of those companies themselves if we are to see data security standards beefed up to the levels they should be.
The UK has already taken steps to address this issue. From 6 April 2010 onwards, the UK Information Commissioner’s Office has had the power to fine all organizations up to £500,000 for data breaches. The size of the imposed fine is proportional to the seriousness of the breach, the organization’s financial resources and the sector it serves.
The UK financial sector is regulated with even harsher penalties. In 2009 the FSA fined three HSBC firms over £3m for lacking the requisite security systems and standards to prevent personal data losses.
Perhaps the best method of improving information security standards would be the imposition of fines across the EU and US large enough that fully protecting customer data costs an organization less than suffering a data breach.
Regardless of whether the EU legislation drives companies to protect their data properly, hopefully the message is now being hammered home that a data-centric approach to information security is the most effective method of protection. The increasing number of successful cyber attacks has significantly raised awareness among both businesses and the public about how valuable customer data is to prying eyes. Perimeter firewalls are no longer sufficient. Sensitive data needs to be protected with strong encryption unless a company is willing to suffer like Sony, Google and many others have.
Steve Brunswick manages the global strategy and marketing for Thales Information Systems Security business and has more than 13 years of banking industry experience. Before joining Thales, he worked as a strategy consultant and previously served as director of marketing for De La Rue’s Cash Processing business.
31 August 2011
Mandatory Breach Notifications will result in organisations taking responsibility for their data. The ICO’s powers to issue heavy fines can still be a real threat to organisations that fail to comply with Data Protection laws and general data security best practice, in addition to the proposed EU Mandatory Breach Notification.
Organisations will inevitably accept that a Mandatory Breach Notification requirement is ultimately good for the industry; however, the devil is in the detail and in determining at what point it becomes mandatory to notify the authorities and those affected.
Viviane Reding will need to identify a process where a lost or stolen piece of data protected with government grade full disk encryption is recognised as merely the loss of a piece of hardware, not an unintended disclosure of information. Any new European legislation should clearly acknowledge this difference.
Legislation in the US may be problematic, but where it has succeeded is in requiring any breach of security to be brought to an authority’s attention, while not applying this to data that has been securely encrypted. Before Reding succeeds in bringing in such a requirement, organisations would be well-advised to ensure that information on laptops, mobile devices, PCs and storage devices is suitably protected and robustly encrypted.
Garry L McCracken, CISSP
Vice President Technology Partnerships