Unfortunately, some organizations have been caught behind the eight-ball without appropriate security measures in place to track that information effectively on an ongoing basis. As a result, they are at risk of enforcement penalties if they cannot put tracking and notification policies in place. Some have protested that the onus is too much to bear from a technological perspective if they are expected to carry out a full forensic investigation within the first 24 hours.
“The barrage of data breaches that we are seeing points to an urgent need for organizations to up the ante on data protection,” said Ross Brewer, vice president and managing director for international markets at LogRhythm, in an emailed comment. “When these regulations were first discussed following the EC’s draft proposals in 2012, many people considered the suggested penalties and timeframes too severe. Perhaps those organizations should have seen this as a warning, and used the last 12 months to really get their ducks – or cyber defences – in a row. Unfortunately, it seems that this did not happen.”
In many cases, network data is processed inefficiently, so organizations working under the pressure of the 24-hour window end up reporting inaccurate breach details. This ‘over-disclosure’, in which a company overstates the severity of an incident because it lacks the visibility to scope the breach properly, is a direct consequence of that missing visibility.
“As with any ongoing crisis, there comes a time when less talk and more action is needed – and it may be the case that this impending regulation will be the final call to action for those organizations still lagging behind with lax security policies,” Brewer said. “Given the well-documented sophistication and readiness of today’s cybercriminals, organizations can no longer sit idly and assume that they are immune to attack. As the risk of reputational damage and customer churn clearly aren’t persuasive enough, maybe the threat of severe, perhaps debilitating, financial penalties will do the trick.”
He added, “While the new regulations are fairly limited at the moment, it is only a matter of time before a universal set of rules is not just proposed, but enforced.”
The European Parliament is meanwhile deadlocked over the Data Protection Regulation proposed in 2012, which also specified that data breach notification must occur within 24 hours of detection. The Guardian reported that the vote on amendments to the law has been postponed for the third successive time. The vote is now scheduled to take place in October, with amended legislation hoped for before the European elections in May 2014.
“Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation, and some detailed exploration of the key elements of such an approach under the Irish presidency,” Bridget Treacy, partner and head of the UK privacy and cybersecurity practice at Hunton & Williams, told the paper.