The audits are likely to be broader in scope than the data breaches that sparked them, according to the report.
Data breach notification legislation and regulation is increasing around the world – from Brazil, Uruguay and Mexico in Latin America, to Germany in Europe and Japan in the Asia-Pacific region. Regulators are increasingly using their enforcement functions to give force to breach notification violations, the report noted.
“In 2012, we expect to see a tighter relationship forming between breach notification regulations and enforcement actions. Many proposed and newly enacted breach notification regulations omit the requirement to notify the individual – initially or at all. Instead, the focus is on notifying the regulator. This gives the regulator the power to decide what next steps are needed (including a notification to the impacted individuals) and appropriate enforcement actions”, Ernst & Young wrote.
The report cited the proposed changes to the EU Data Protection Directive to expand the data breach notification requirement for member countries as an example of this trend. In January EU Justice Commissioner Viviane Reding proposed a comprehensive reform of the EU Data Protection Directive, including a requirement that all companies notify national authorities and customers within 24 hours of a breach of personal information.
“We have seen a draft proposal for an overhaul of the existing directive in the European Union”, said Sagi Leizerov, Americas leader of privacy advisory and assurance services at Ernst & Young.
Currently, each EU country has its own privacy regulations. “They vary in their degree of limitations and restrictions that they apply to specific aspects of personal information….This has created a patchwork of requirements”, Leizerov told Infosecurity.
“The change is creating a common regulation that would apply to all of the EU countries….This will create consistency. The attempt is to harmonize requirements so that companies and individuals would not be confused and have to chase minor changes here or there to figure out what compliance looks like”, he said.
Leizerov observed that it could take two years before the EU proposal becomes the “law of the land.”
The report noted that critics of proposed privacy changes are concerned that concentrating decision-making power with the regulator, as is the case with new breach notification requirements, would distort how organizations address privacy risk and compliance. “Some worry that it will give organizations incentive
to only address areas that lead to breaches, while ignoring other privacy-related considerations, such as limiting the collection of personally identifiable information and providing clear notices”, the report stressed.