Europe Weighs New Data Breach Rules For Critical Companies - InformationWeek
12/18/2012 10:52 AM
Europe Weighs New Data Breach Rules For Critical Companies

Mobile networks, banks, energy companies and other critical infrastructure providers could be required to report all breaches to EU authorities.

European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, may soon be required to disclose to authorities any data breach they suffer.

That proposal is contained in draft regulations currently being circulated by the European Union's executive committee. The committee plans to formally introduce the recommendation in February 2013, after receiving feedback from the European Parliament and the 27 different countries in Europe that comprise the EU.

An EU spokesman didn't immediately respond to a request to review a copy of the executive commission's draft proposal. But EU officials said the new regulation is needed to remove the stigma associated with data breaches, as well as to improve information sharing between providers of critical infrastructure services, who are being increasingly targeted by hackers.

"We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security," an unnamed EU official told Reuters, which first reported the news of the EU's draft proposal.

The draft report from the EU's executive committee suggests that critical infrastructure is too valuable to be left to voluntary -- if any -- reporting requirements. "Cybersecurity incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity or mobile networks," the report said, according to news reports. Furthermore, the report suggested that businesses in Europe currently "lack effective incentives to provide reliable data on the existence or impact" of data breaches or information security incidents.

"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," according to the draft report.

Europe currently lacks a single data-breach notification law. Instead, much as in the United States, data-breach notification requirements in Europe are governed by a patchwork of country-level provisions. These laws set different thresholds for triggering a notification, and they also differ as to whether individuals, regulators or both must be notified.

"For example, a legal obligation to notify regulators and affected individuals (under certain circumstances) of data breaches exists in Germany and Norway," according to a recent analysis of European data breach notification requirements published by attorneys Christopher Kuner and Anna Pateraki at Wilson Sonsini Goodrich & Rosati. "In contrast, some countries, such as Austria, have a legal requirement to notify individuals but not the regulator, whereas other countries have a voluntary regime based on codes and guidelines issued by regulators, such as Denmark, Ireland and the United Kingdom."

A draft data protection regulation currently being debated by the EU would also create a single data breach notification requirement for all of Europe. But EU watchers have said that debate over the proposed changes may take at least another year or two to be resolved.

Regardless of the timing, data security and breach notifications are clearly on the EU's agenda. "The European Commission's work on critical infrastructure shows the crucial importance of cybersecurity in today's world," said Brussels-based Pateraki, who specializes in privacy law, via email. "In parallel to the ongoing EU data protection reform, which will also enhance data security, the commission is planning to move forward with a proposal on critical information infrastructure protection (CIIP) probably in early 2013. It is expected that the commission's CIIP proposal will build on the existing proposal for a general data breach notification regime and might include a similar regime for security breach notification in critical sectors."

Note: Story updated to include Anna Pateraki's quote.

Comments
Nathan Golia,
User Rank: Apprentice
12/19/2012 | 2:39:52 PM
re: Europe Weighs New Data Breach Rules For Critical Companies
I'm a little surprised this kind of regulation wasn't already in place.

Nathan Golia
Insurance & Technology