August 22, 2013
The European Union is mandating that Internet Service Providers (ISPs) and telco operators report personal data breaches. In the event of theft, loss or unauthorized access to personal customer data, including emails, calling data and IP addresses, ISPs and telcos must notify national authorities within twenty-four hours. The report must include the timing and circumstances of the breach, the nature and content of the data, and the likely consequences. In addition, the new regulation requires telcos and ISPs to detail the measures taken to address the breach within three days.
Stewart Room, privacy and information partner at law firm Field Fisher Waterhouse, observes, “Controversially, the regulation requires breach notification to national regulators within 24 hours of detection, subject to a ‘feasibility’ request. In other words, this looks very similar to the approach that the European Commission initially proposed within the draft Data Protection Regulation 2012, which has been almost universally condemned as unworkable, unhelpful and unnecessary. It is hard to detect a substantive logic to this measure and, in more practical terms, it is hard to see why such rapid disclosure is needed.” (It seems somewhat unfortunate that Mr. Room sees fit to pull his punches when discussing the new regulations. He should say what’s on his mind.)
According to a piece by Warwick Ashford on computerweekly.com, the mandate for telcos and ISPs to report breaches is a precursor of a broader regulation that will require all EU businesses to handle personal data breaches in the same manner.
Paul Ayers, vice-president for Europe at Vormetric, a data security company, observed that the new rules “should act as a warning shot to all organizations processing personal data, as under the forthcoming regulation, they too will shortly have to follow similar rules.” And he goes on to observe that multinational companies will have to bear in mind that different EU member states will enforce the terms of the regulation differently. Therefore, multinationals will have to meet the particular requirements in all member states in which they do business.
Ayers added, “It is only by taking steps to implement policies and technology solutions that are simple and powerful enough to adapt to regional compliance variations – and by ensuring that data is sufficiently obfuscated in the event of a breach – that organizations will be able to shield themselves from the financial and reputational penalties at stake.”
Information Commissioner Christopher Graham, speaking at Infosecurity Europe 2012, argued against mandatory disclosure as it is being adopted, noting that the Information Commissioner’s Office (ICO) would be “buried” under a deluge of breach notifications. He said the ICO needs to be “selective to be effective,” and that the current system of voluntary breach disclosure works well because organizations “know that they will be dealt with more severely if they attempt to conceal a breach.” (You can’t argue with that logic. Oh, wait, you can. Why would voluntary compliance be more compelling than mandatory compliance? In any event, the question now seems moot.)
ThreatMetrix is the fastest-growing provider of integrated web fraud and cybersecurity solutions. The TrustDefender™ Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Posted by Dan Rampe