Europe Weighs New Data Breach Rules For Critical Companies

European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, may soon be required to disclose to authorities any data breach they suffer.

That proposal is contained in draft regulations currently being circulated by the European Union's executive committee. The committee plans to formally introduce the recommendation in February 2013, after receiving feedback from the European Parliament and the 27 different countries in Europe that comprise the EU.

An EU spokesman didn't immediately respond to a request to review a copy of the executive commission's draft proposal. But EU officials said the new regulation is needed to remove the stigma associated with data breaches, as well as to improve information sharing between providers of critical infrastructure services, who are being increasingly targeted by hackers.

"We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security," an unnamed EU official told Reuters, which first reported the news of the EU's draft proposal.

[ Learn more about U.S. critical infrastructure security. See Cyberattack Reports On U.S. Critical Infrastructure Jump Dramatically. ]

The draft report from the EU's executive committee suggests that critical infrastructure is too valuable to be left to voluntary -- if any -- reporting requirements. "Cybersecurity incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity or mobile networks," the report said, according to news reports. Furthermore, the report suggested that businesses in Europe currently "lack effective incentives to provide reliable data on the existence or impact" of data breaches or information security incidents.

"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," according to the draft report.

Europe currently lacks a single data-breach notification law. Instead, not unlike in the United States, data-breach notification requirements in Europe are governed by a patchwork of country-level provisions. The different laws have differing thresholds for triggering notifications, and differ also as to whether individuals, regulators or both should receive notifications.

"For example, a legal obligation to notify regulators and affected individuals (under certain circumstances) of data breaches exists in Germany and Norway," according to a recent analysis of European data breach notification requirements published by attorneys Christopher Kuner and Anna Pateraki at Wilson Sonsini Goodrich & Rosati. "In contrast, some countries, such as Austria, have a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime based on codes and guidelines issued by regulators, such as Denmark, Ireland and the United Kingdom."

A draft data protection regulation currently being debated by the EU would also create a single data breach notification requirement for all of Europe. But EU watchers have said that debate over the proposed changes may take at least another year or two to be resolved.

Regardless of the timing, data security and breach notifications are clearly on the EU's agenda. "The European Commission's work on critical infrastructure shows the crucial importance of cybersecurity in today's world," said Brussels-based Pateraki, who specializes in privacy law, via email. "In parallel to the ongoing EU data protection reform, which will also enhance data security, the commission is planning to move forward with a proposal on critical information infrastructure protection (CIIP) probably in early 2013. It is expected that the commission's CIIP proposal will build on the existing proposal for a general data breach notification regime and might include a similar regime for security breach notification in critical sectors."

Note: Story updated to include Anna Pateraki's quote.