"Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions."
For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction.
Even though companies such as Sony and RSA have recently been lambasted for not reporting breaches soon enough, many have suggested the rule is too strict and could result in poor reporting of incidents.
"It's not helpful to specify a strict time in the way they've done," Stewart Room, partner in Field Fisher Waterhouse's technology law group, told IT Pro. "The regime that we have for telcos and ISPs, of reporting without undue delay, would be the right regime.
"For those of us who are familiar with dealing with a difficult security breach, having to contact a regulator in that massively important, golden 24 hours would be an unnecessary and unwarranted distraction. What may happen, rather than focusing totally on remedial action, the unfortunate organisation that suffers a breach is going to be focusing more on regulatory action."
Containment, mitigation and recovery should be on companies' minds after a breach occurs, Room added.
Others have suggested the 24-hour rule will lead to inaccurate reporting of data breaches, leading either to over or understated reactions.
ICO boost?
The new EU rules could favour the UK's data protection watchdog, the Information Commissioner's Office (ICO), which has been asking for greater enforcement powers, even after it was given the ability to fine companies up to 500,000.
The EC wants to "further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so."
It would like to see DPAs allowed to fine companies as much as 1 million or up to two per cent of the global annual turnover of a company.
"I would have thought all the data protection regulators are going to be made up it's like Christmas for them," Room said.
"It's very clear who the winners are - data protection regulators, data protection lawyers, data protection consultants and data protection officers. What's less clear is how do data subjects, controllers and processors win."
