12/18/2012
10:52 AM

Europe Weighs New Data Breach Rules For Critical Companies

Mobile networks, banks, energy companies and other critical infrastructure providers could be required to report all breaches to EU authorities.

European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, may soon be required to disclose to authorities any data breach they suffer.

That proposal is contained in draft regulations currently being circulated by the European Union's executive committee. The committee plans to formally introduce the recommendation in February 2013, after receiving feedback from the European Parliament and the 27 countries that make up the EU.

An EU spokesman didn't immediately respond to a request to review a copy of the executive commission's draft proposal. But EU officials said the new regulation is needed to remove the stigma associated with data breaches, as well as to improve information sharing between providers of critical infrastructure services, who are being increasingly targeted by hackers.

"We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security," an unnamed EU official told Reuters, which first reported the news of the EU's draft proposal.


The draft report from the EU's executive committee suggests that critical infrastructure is too valuable to be left to voluntary -- if any -- reporting requirements. "Cybersecurity incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity or mobile networks," the report said, according to news reports. Furthermore, the report suggested that businesses in Europe currently "lack effective incentives to provide reliable data on the existence or impact" of data breaches or information security incidents.

"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," according to the draft report.

Europe currently lacks a single data-breach notification law. Instead, not unlike in the United States, data-breach notification requirements in Europe are governed by a patchwork of country-level provisions. These laws set different thresholds for triggering notifications, and also differ as to whether individuals, regulators or both should receive them.

"For example, a legal obligation to notify regulators and affected individuals (under certain circumstances) of data breaches exists in Germany and Norway," according to a recent analysis of European data breach notification requirements published by attorneys Christopher Kuner and Anna Pateraki at Wilson Sonsini Goodrich & Rosati. "In contrast, some countries, such as Austria, have a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime based on codes and guidelines issued by regulators, such as Denmark, Ireland and the United Kingdom."

A draft data protection regulation currently being debated by the EU would also create a single data breach notification requirement for all of Europe. But EU watchers have said that debate over the proposed changes may take at least another year or two to be resolved.

Regardless of the timing, data security and breach notifications are clearly on the EU's agenda. "The European Commission's work on critical infrastructure shows the crucial importance of cybersecurity in today's world," said Brussels-based Pateraki, who specializes in privacy law, via email. "In parallel to the ongoing EU data protection reform, which will also enhance data security, the commission is planning to move forward with a proposal on critical information infrastructure protection (CIIP) probably in early 2013. It is expected that the commission's CIIP proposal will build on the existing proposal for a general data breach notification regime and might include a similar regime for security breach notification in critical sectors."

Note: Story updated to include Anna Pateraki's quote.

Comments
Nathan Golia,
User Rank: Apprentice
12/19/2012 | 2:39:52 PM
re: Europe Weighs New Data Breach Rules For Critical Companies
I'm a little surprised this kind of regulation wasn't already in place.

Nathan Golia
Insurance & Technology