Comment: EU Data Breach Notification Law is a Start, but Not Enough

Brunswick believes larger fines could mean better security
Brunswick believes larger fines could mean better security
Steve Brunswick, Thales e-Security
Steve Brunswick, Thales e-Security

A radical overhaul of EU data protection law was sketched out on 20 June by the vice president of the European Commission and EU Justice Commissioner, Viviane Reding. Companies operating within the EU will soon be required by law to publicly disclose data security breaches.

This is a welcome and long overdue announcement. The existing legislation dates from 1995 and is no longer suitable for what Reding terms our ‘internet society’. The emergence of the internet, social networking, smartphones, tablets and cloud computing means that we leave behind a digital footprint with every virtual move we make.

The risk profile of each individual who interacts in this digital world has increased exponentially as a result. Companies hold our sensitive personal data, which can be stolen and exploited by criminals. Protecting information is a much greater challenge than it was in 1995.

The diversity of legislation across the EU causes headaches for companies that straddle national boundaries. The administrative costs of doing business across countries with significantly different data protection laws combined with the accompanying legal uncertainty was a problem in need of rectification.

The flurry of recent high-profile hacks has no doubt acted as a catalyst for Reding’s announcement, just as it has spurred calls for data protection reform at a federal level in the US. The California state legislature was the first to pass a data breach notification law back in 2003; many other states soon followed suit. But, just as is the case with the EU, this has led to a mishmash of laws across the country that is detrimental to US businesses and consumers alike. The US is trying to tidy this up, with a Federal “SAFE Data Act” having recently been approved by a House subcommittee.

A common standard for data breach notification will simplify the rules for businesses in both jurisdictions and should improve customer confidence in the data security standards of their service providers.

However, does the ‘obligation to notify incidents of serious data security breach’ alone provide enough of an incentive for businesses to actually improve their security practices? The risk is that the constant stream of personal data breaches will render them no longer newsworthy and desensitize consumers to their significance.

It is naturally in the interest of consumers that companies employ best practices with their personal data. Yet it also needs to be in the interest of those companies themselves if we are to see data security standards beefed up to the levels they should be.

The UK has already taken steps to address this issue. From 6 April 2010 onwards, the UK Information Commissioner’s Office has had the power to fine all organizations up to £500,000 for data breaches. The size of the imposed fine is proportional to the seriousness of the breach, the organization’s financial resources and the sector it serves.

The UK financial sector is regulated with even harsher penalties. In 2009 the FSA fined three HSBC firms over £3m for lacking the requisite security systems and standards to prevent personal data losses.

Perhaps the imposition of fines across the EU and US that make it less costly for an organization to fully protect its customer data than suffer a data breach would be the best method of improving information security standards.

Regardless of whether the EU legislation drives companies to protect their data properly, hopefully the message is now being hammered home that a data-centric approach to information security is the most effective method of protection. The increasing number of successful cyber attacks has significantly raised awareness among both businesses and the public about how valuable customer data is to prying eyes. Perimeter firewalls are no longer sufficient. Sensitive data needs to be protected with strong encryption unless a company is willing to suffer like Sony, Google and many others have.


Steve Brunswick manages the global strategy and marketing for Thales Information Systems Security business and has more than 13 years of banking industry experience. Before joining Thales, he worked as a strategy consultant and previously served as director of marketing for De La Rue’s Cash Processing business.

What’s Hot on Infosecurity Magazine?