California-Model Breach Publication Obligation More Likely in the EU

18 Oct 11:40

In a working document the EU is proposing a law which would force telecoms companies to notify regulators and users when security breaches potentially compromising personal information occur. Similar legislation in California has led to a deluge of information about security breaches.

The proposal can be found buried inside a review of the EU Regulatory Framework for electronic communications networks and services from June 28th, with a consultation period running until October 27th.

In article 7.2, Notification of security breaches by network operators and Internet Service Providers (ISPs), it says:

"A requirement to notify security breaches would create an incentive for providers to invest in security but without micro-managing their security policies. The proposed changes would require providers of electronic communications networks and services to:


This is an expansion of the existing directive, based on Article 4 of the e-Privacy Directive. The existing legislation does not require disclosure of breaches.

The consequences of the California legislation, which has subsequently been adopted by 33 states, have been considerable. News of stolen data, laptops going missing and other incidents potentially compromising consumer information, which would never have been disclosed prior to the legislation, has come to light. This has led to considerable debate and anger directed at those failing to adequately protect confidential information, which in turn has forced security improvements.

Knowing the way the EU Commission works, this should probably be seen as the thin end of a large wedge leading to a law requiring general disclosure of serious security breaches, perhaps bringing the EU legislation more in line with the California legislation, which is more comprehensive and far-reaching than this proposal.

This is definitely a step in the right direction, but it does not go far enough: it could easily be argued that prescribing the encryption of personal data on laptops would not be 'micro-managing security policies'. The legislation should include a clause like 'reasonable care must be taken to ensure that stored personal data is unreadable by third parties even in case they gain (unauthorised) access to the data'.

The same consultation document (link below) also contains a proposal to ensure 'net neutrality' in the EU and strengthens consumers' rights in a few other areas.

--Ed

Related links:
europa.eu.int/information_society/policy/ecomm/doc/info_centre/public_consult/review/staffworkingdocument_final.pdf

Taken from Information Security Bulletin.