EU proposes US-style data breach laws
By Rene Millman
The new rules would compel companies operating in Europe to notify regulators and customers of any security breach of data held by that company.
In the US, where laws have been in place a few years, there have been many news reports following such notifications. One of the biggest of these breaches occurred when 40 million credit card account details held by payment card processing company CardSystems were accessed by hackers last year. The company had to then contact all affected card holders over the breach.
Experts believed it was time for Europe to follow the US lead.
Andrew Storms, director of information technology at security firm nCircle said that with the topic becoming the number one concern among government, businesses and consumers alike it was perhaps time to adopt the US government's practice of security report cards.
"Isn't it about time such systems were adopted in the UK and expanded to include not just government departments but also publicly-listed organisations?" said Storms.
"In a market-driven economy organisations will do almost anything to improve their competitive position - why not include security as part of their business plan? We know that brands are competing for trust and confidence, so logically security must be part of the picture too," he added.
He said that lapses in digital security can impact consumer confidence to such an extent that it can lead to long-term brand damage. "So although a pass mark on a report card may not be a panacea it would certainly be a foot on the right path," added Storms.
Other experts believe that the EU proposal won't go far enough. "It only covers ISPs and network operators: to make a difference, it really needs to be applicable to all businesses who hold consumer data," said Steve Matthews, security adviser at security consultants Context Information Security.
Matthews said that under the provisions of the Data Protection Act 1998, organisations in the UK already have an obligation to report data security breaches where the data is held under the act.
"Currently the true extent of organisations suffering security breaches is unknown. Out of fear of bad publicity, businesses are unlikely to disclose the total number or nature of the security breaches they have suffered," he said. "Although obliging organisations to notify clients and regulatory bodies may help provide a more comprehensive profile of security breaches across Europe, it is questionable if the proposal will actually provide the impetus for businesses to improve security."
Matthews said that, in addition to notifying clients and the authorities, businesses should be obliged to outline the measures they propose taking to prevent the recurrence of the security breach they reported. "They should also outline timescales for remediation of the security vulnerabilities that caused the breach, regardless of whether these are of a technical nature or are personnel related," he added.