EU Businesses prep for Regulations Requiring 24-Hour Data Breach Notification

22 August 2013

New European Union regulations making data breach disclosure mandatory come into force on August 25, 2013. They require telecom operators and ISPs to notify their national competent authority within 24 hours of detecting any theft, loss or unauthorized access to customer data – including emails, calling data and IP addresses.

Unfortunately, some organizations have been caught unprepared, without the security measures needed to track that information effectively on an ongoing basis. As a result, they are at risk of enforcement penalties if they cannot put tracking and notification processes in place. Some have protested that the burden is too heavy from a technological standpoint if they are expected to complete a full forensic investigation within the first 24 hours.

“The barrage of data breaches that we are seeing points to an urgent need for organizations to up the ante on data protection,” said Ross Brewer, vice president and managing director for international markets at LogRhythm, in an emailed comment. “When these regulations were first discussed following the EC’s draft proposals in 2012, many people considered the suggested penalties and timeframes too severe. Perhaps those organizations should have seen this as a warning, and used the last 12 months to really get their ducks – or cyber defences – in a row. Unfortunately, it seems that this did not happen.”

In many cases, network and log data is collected and processed inefficiently, so that under the pressure of the 24-hour window organizations report inaccurate breach details. The result is often over-disclosure: without proper visibility into what was actually accessed, companies overstate the scope and severity of an incident.

“As with any ongoing crisis, there comes a time when less talk and more action is needed – and it may be the case that this impending regulation will be the final call to action for those organizations still lagging behind with lax security policies,” Brewer said. “Given the well-documented sophistication and readiness of today’s cybercriminals, organizations can no longer sit idly and assume that they are immune to attack. As the risk of reputational damage and customer churn clearly aren’t persuasive enough, maybe the threat of severe, perhaps debilitating, financial penalties will do the trick.”

He added: “While the new regulations are fairly limited at the moment, it is only a matter of time before a universal set of rules is not just proposed, but enforced.”

The European Parliament is meanwhile deadlocked over the General Data Protection Regulation proposed in 2012, which also specifies that data breach notification must occur within 24 hours of detection. The Guardian reported that the vote on amendments to the draft has been postponed for the third successive time. The vote is now scheduled for October, with amended legislation hoped for before the European elections in May 2014.

“Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation, and some detailed exploration of the key elements of such an approach under the Irish presidency,” Bridget Treacy, partner and head of the UK privacy and cybersecurity practice at Hunton & Williams, told the paper.
