Stern new data breach reporting requirement takes hold in EU
Data breaches are reported nearly every day and one noticeable trend is the occasional delay between when the breach is discovered and when authorities and affected people are notified.
That just changed in the 28-member European Union (EU). As of Sunday, telecommunications and internet service providers in the EU have 24 hours from the moment of discovery to report a data breach to authorities.
There are no stringent rules like that in place in the United States, where alerting requirements are promulgated through a hodgepodge of state laws. Many don't set any deadline. They merely order breached organizations to notify victims or authorities within a reasonable timeframe. A few states require that notification happen no later than 45 days.
Organizations criticized for taking weeks or even months to notify victims often defend the delay by saying they needed ample time to investigate the scope of the breach and determine who may have been affected.
Todd Hinnen, a partner with Seattle law firm Perkins Coie's privacy and security practice, told SCMagazine.com on Monday that he supports a federal data breach notification law in the U.S., but added he is sympathetic to the idea of needing a bit of time for entities to investigate prior to reporting.
The problems with an expedited, 24-hour response, Hinnen said, are a lack of understanding of the threat, the creation of undue alarm and, ultimately, shoddy reporting. Instead, Hinnen suggests that authorities be notified as "soon as reasonably practical, but no later than 72 hours" and that affected customers should be alerted shortly after.
Of course each incident is different, Hinnen said, explaining that a breach involving an advanced persistent threat (APT) would probably take more time to report on than a data compromise involving a stolen laptop.
"I think it will happen," Hinnen said of the likelihood of a national data breach notification law eventually passing in the U.S. "There is a great deal of focus on it and a great deal of desire to get it done. There just hasn't been the consensus on how to get it done."
Cameron Camp, a security researcher with security company ESET, told SCMagazine on Thursday that a federal notification bill has been talked about within Congress for some years, but has never earned the momentum or widespread support needed for passage.
One thing most agree on is that a federal bill would alleviate pressure on breached entities with operations extending across the country. State-to-state breach laws are so varied that those organizations end up burdened with having to research their legal obligations in different locations, Hinnen said.
Imation Mobile Security completed a study on data breach notification laws in August 2012 and General Manager Barbara Nelson told SCMagazine.com on Friday that “a federal law would provide consistent measures for U.S. organizations, rather than a state-by-state mishmash.”
EU officials justified the strict new requirement by saying that customers need information as soon as possible so they can take action.
“Consumers need to know when their personal data has been compromised, so that they can take remedial action if needed, and businesses need simplicity,” European Commission Vice President Neelie Kroes said in a June statement. “These new practical measures provide that level playing field.”
EU providers are given 24 hours to report a data breach, but if sufficient details are unavailable, an initial notification is required within 24 hours and a more thorough follow-up is required within 72 hours. Details that must be included in the alert are the name of the provider, a summary of the incident, the number of affected individuals, the content of the data impacted and the measures taken to mitigate adverse effects.
If the breach involves personal data, the EU law mandates that affected individuals be alerted “without undue delay” from detection of the incident, according to the regulation.
Personal data breaches are defined as “breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the [European] Union.”

[An earlier version of this story incorrectly stated that Perkins Coie is a New York law firm.]